quic: Add spicy-events.zeek

2025-10-02 14:48:21 +00:00 · 2023-10-18 11:54:25 +02:00 · 2023-10-18 11:54:25 +02:00 · 2389f6f6c5
commit 2389f6f6c5
parent fc62bb477c
3 changed files with 84 additions and 0 deletions
--- a/scripts/base/protocols/quic/load.zeek
+++ b/scripts/base/protocols/quic/load.zeek
@ -1,4 +1,5 @@
@ifdef ( Analyzer::ANALYZER_QUIC )
+@load ./spicy-events
@load ./consts
@load ./main
@endif
--- a/scripts/base/protocols/quic/spicy-events.zeek
+++ b/scripts/base/protocols/quic/spicy-events.zeek
@ -0,0 +1,82 @@
+##! Events generated by the QUIC analyzer.
+##!
+##! See See `RFC9000 <https://tools.ietf.org/html/rfc9000>`__.
+
+## Generated for a QUIC Initial packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+global QUIC::initial_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+
+## Generated for a QUIC Retry packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+## retry_token: The Retry Token field.
+##
+## integrity_tag: The Retry Integrity Tag field.
+global QUIC::retry_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string, retry_token: string, retry_integrity_tag: string);
+
+
+## Generated for a QUIC Handshake packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+global QUIC::handshake_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+## Generated for a QUIC 0-RTT packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+global QUIC::zero_rtt_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+
+## Generated for a QUIC CONNECTION_CLOSE frame.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+## error_code: Count indicating the reason for closing this connection.
+##
+## reason_phrase: Additional diagnostic information for the closure.
+##
+## .. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
+global QUIC::connection_close_frame: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string, error_code: count, reason_phrase: string);