From 2389f6f6c5209a26bf7d2bb19c7530a760d23f27 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 18 Oct 2023 11:54:25 +0200
Subject: [PATCH 1/3] quic: Add spicy-events.zeek
---
 scripts/base/protocols/quic/__load__.zeek | 1 +
 scripts/base/protocols/quic/spicy-events.zeek | 82 +++++++++++++++++++
 .../canonified_loaded_scripts.log | 1 +
 3 files changed, 84 insertions(+)
 create mode 100644 scripts/base/protocols/quic/spicy-events.zeek
diff --git a/scripts/base/protocols/quic/__load__.zeek b/scripts/base/protocols/quic/__load__.zeek
index 6a5d24e0c3..729d9aeb1a 100644
--- a/scripts/base/protocols/quic/__load__.zeek
+++ b/scripts/base/protocols/quic/__load__.zeek
@@ -1,4 +1,5 @@
 @ifdef ( Analyzer::ANALYZER_QUIC )
+@load ./spicy-events
 @load ./consts
 @load ./main
 @endif
diff --git a/scripts/base/protocols/quic/spicy-events.zeek b/scripts/base/protocols/quic/spicy-events.zeek
new file mode 100644
index 0000000000..5856ae5aa8
--- /dev/null
+++ b/scripts/base/protocols/quic/spicy-events.zeek
@@ -0,0 +1,82 @@
+##! Events generated by the QUIC analyzer.
+##!
+##! See See `RFC9000 `__.
+
+## Generated for a QUIC Initial packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+global QUIC::initial_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+
+## Generated for a QUIC Retry packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+## retry_token: The Retry Token field.
+##
+## integrity_tag: The Retry Integrity Tag field.
+global QUIC::retry_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string, retry_token: string, retry_integrity_tag: string);
+
+
+## Generated for a QUIC Handshake packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+global QUIC::handshake_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+## Generated for a QUIC 0-RTT packet.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+global QUIC::zero_rtt_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
+
+
+## Generated for a QUIC CONNECTION_CLOSE frame.
+##
+## c: The connection.
+##
+## is_orig: True if the packet is from the the connection's originator.
+##
+## version: The Version field.
+##
+## dcid: The Destination Connection ID field.
+##
+## scid: The Source Connection ID field.
+##
+## error_code: Count indicating the reason for closing this connection.
+##
+## reason_phrase: Additional diagnostic information for the closure.
+##
+## .. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
+global QUIC::connection_close_frame: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string, error_code: count, reason_phrase: string);
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index d11129770b..cb332a0e4d 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -425,6 +425,7 @@ scripts/base/init-default.zeek
 scripts/base/protocols/ntp/consts.zeek
 scripts/base/protocols/pop3/__load__.zeek
 scripts/base/protocols/quic/__load__.zeek
+ scripts/base/protocols/quic/spicy-events.zeek
 scripts/base/protocols/quic/consts.zeek
 scripts/base/protocols/quic/main.zeek
 scripts/base/protocols/radius/__load__.zeek
From fb31ad0c6e3d8515d884f0d3d22067f3be4990b3 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 18 Oct 2023 12:40:02 +0200
Subject: [PATCH 2/3] ldap: Add spicy-events.zeek
---
 scripts/base/protocols/ldap/__load__.zeek | 1 +
 scripts/base/protocols/ldap/main.zeek | 10 --
 scripts/base/protocols/ldap/spicy-events.zeek | 100 ++++++++++++++++++
 .../canonified_loaded_scripts.log | 1 +
 4 files changed, 102 insertions(+), 10 deletions(-)
 create mode 100644 scripts/base/protocols/ldap/spicy-events.zeek
diff --git a/scripts/base/protocols/ldap/__load__.zeek b/scripts/base/protocols/ldap/__load__.zeek
index 7f84910034..f69cc94b0a 100644
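Review bot: The Zeekygen parameter docs for `QUIC::retry_packet` do not match its signature: the comment block documents `integrity_tag` while the declared parameter is `retry_integrity_tag`, so the generated reference will describe a parameter that does not exist; the line should read `## retry_integrity_tag: The Retry Integrity Tag field.`. The file header and all five event descriptions also carry duplicated words, `##! See See \`RFC9000 \`__.` and `from the the connection's originator`, which should be `See` and `from the`; the RFC link target looks empty in this rendering, so it is worth confirming the URL survived. The same `See See` header appears in the LDAP spicy-events.zeek added by patch 2/3.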
--- a/scripts/base/protocols/ldap/__load__.zeek
+++ b/scripts/base/protocols/ldap/__load__.zeek
@@ -1,4 +1,5 @@
 @if ( have_spicy_analyzers() )
+@load ./spicy-events.zeek
 @load-sigs ./dpd.sig
 @load ./consts
 @load ./main.zeek
diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index 2c05020ddf..800ffd04bd 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -113,16 +113,6 @@ export {
 # to the logging framework.
 global log_ldap: event(rec: LDAP::MessageInfo);
 global log_ldap_search: event(rec: LDAP::SearchInfo);
-
- # Event called for each LDAP message (either direction)
- global LDAP::message: event(c: connection,
- message_id: int,
- opcode: LDAP::ProtocolOpcode,
- result: LDAP::ResultCode,
- matched_dn: string,
- diagnostic_message: string,
- object: string,
- argument: string);
 }
 redef record connection += {
diff --git a/scripts/base/protocols/ldap/spicy-events.zeek b/scripts/base/protocols/ldap/spicy-events.zeek
new file mode 100644
index 0000000000..b0b1bd8cc2
--- /dev/null
+++ b/scripts/base/protocols/ldap/spicy-events.zeek
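Review bot: The new `@load ./spicy-events.zeek` spells out the file extension while the sibling `@load ./consts` two lines below does not, and the QUIC counterpart added in patch 1/3 uses `@load ./spicy-events`; the two new lines should use the same form, e.g. `@load ./spicy-events` here. This is a style point only, both spellings resolve to the same script.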
@@ -0,0 +1,100 @@
+##! Events generated by the LDAP analyzer.
+##!
+##! See See `RFC4511 `__.
+
+## Event generated for each LDAPMessage (either direction).
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## opcode: The protocolOp field in the message.
+##
+## result: The result code if the message contains a result.
+##
+## matched_dn: The DN if the message contains a result.
+##
+## diagnostic_message: Diagnostic message if the LDAP message contains a result.
+##
+## object: The object name this message refers to.
+##
+## argument: Additional arguments this message includes.
+global LDAP::message: event(
+ c: connection,
+ message_id: int,
+ opcode: LDAP::ProtocolOpcode,
+ result: LDAP::ResultCode,
+ matched_dn: string,
+ diagnostic_message: string,
+ object: string,
+ argument: string
+);
+
+## Event generated for each LDAPMessage containing a BindRequest.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## version: The version field in the BindRequest.
+##
+## name: The name field in the BindRequest.
+##
+## auth_type: The auth type field in the BindRequest.
+##
+## auth_info: Additional information related to the used auth type.
+global LDAP::bindreq: event(
+ c: connection,
+ message_id: int,
+ version: int,
+ name: string,
+ auth_type: LDAP::BindAuthType,
+ auth_info: string
+);
+
+## Event generated for each LDAPMessage containing a SearchRequest.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## base_object: The baseObject field in the SearchRequest.
+##
+## scope: The scope field in the SearchRequest.
+##
+## deref_alias: The derefAlias field in the SearchRequest
+##
+## size_limit: The sizeLimit field in the SearchRequest.
+##
+## time_limit: The timeLimit field in the SearchRequest.
+##
+## types_only: The typesOnly field in the SearchRequest.
+##
+## filter: The string representation of the filter field in the SearchRequest.
+##
+## attributes: Additional attributes of the SearchRequest.
+global LDAP::searchreq: event (
+ c: connection,
+ message_id: int,
+ base_object: string,
+ scope: LDAP::SearchScope,
+ deref: LDAP::SearchDerefAlias,
+ size_limit: int,
+ time_limit: int,
+ types_only: bool,
+ filter: string,
+ attributes: vector of string
+);
+
+## Event generated for each SearchResultEntry in LDAP messages.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## object_name: The object name in the SearchResultEntry.
+global LDAP::searchres: event (
+ c: connection,
+ message_id: int,
+ object_name: string
+);
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index cb332a0e4d..6fe637462b 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -407,6 +407,7 @@ scripts/base/init-default.zeek
 scripts/base/protocols/krb/consts.zeek
 scripts/base/protocols/krb/files.zeek
 scripts/base/protocols/ldap/__load__.zeek
+ scripts/base/protocols/ldap/spicy-events.zeek
 scripts/base/protocols/ldap/consts.zeek
 scripts/base/protocols/ldap/main.zeek
 scripts/base/protocols/modbus/__load__.zeek
From e1864ec131d72eb4273e6fad69b0dc551e27a6db Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Thu, 19 Oct 2023 10:47:00 +0200
Subject: [PATCH 3/3] ldap: Use longer event names
It's unusual to compress and shorten event names of protocol analyzers, switch to a slightly longer name instead.
---
 scripts/base/protocols/ldap/main.zeek | 6 +--
 scripts/base/protocols/ldap/spicy-events.zeek | 6 +--
 src/analyzer/protocol/ldap/ldap.evt | 38 +++++++++----------
 3 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index 800ffd04bd..69b1e0809a 100644
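Review bot: In `LDAP::searchreq` the parameter docs and the signature disagree: the comment documents `deref_alias` but the parameter is named `deref`, so Zeekygen will not attach the description to the parameter; the line should read `## deref: The derefAlias field in the SearchRequest.` (which also supplies the missing period). Patch 3/3 renames the event to `LDAP::search_request` but keeps the `deref` parameter, so the mismatch survives the series. For `LDAP::message`, the `result`, `matched_dn` and `diagnostic_message` entries say what they hold only "if the message contains a result" and nothing says what is delivered otherwise; the hunk does not show it, so the value for non-result messages should be stated in the docs once confirmed from the analyzer. The file header repeats `See See`, as in the QUIC file from patch 1/3.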
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -258,7 +258,7 @@ event LDAP::message(c: connection,
 }
 #############################################################################
-event LDAP::searchreq(c: connection,
+event LDAP::search_request(c: connection,
 message_id: int,
 base_object: string,
 scope: LDAP::SearchScope,
@@ -296,7 +296,7 @@ event LDAP::searchreq(c: connection,
 }
 #############################################################################
-event LDAP::searchres(c: connection,
+event LDAP::search_result(c: connection,
 message_id: int,
 object_name: string)
 {
@@ -306,7 +306,7 @@ event LDAP::searchres(c: connection,
 }
 #############################################################################
-event LDAP::bindreq(c: connection,
+event LDAP::bind_request(c: connection,
 message_id: int,
 version: int,
 name: string,
diff --git a/scripts/base/protocols/ldap/spicy-events.zeek b/scripts/base/protocols/ldap/spicy-events.zeek
index b0b1bd8cc2..3a8c2217ee 100644
--- a/scripts/base/protocols/ldap/spicy-events.zeek
+++ b/scripts/base/protocols/ldap/spicy-events.zeek
@@ -43,7 +43,7 @@ global LDAP::message: event(
 ## auth_type: The auth type field in the BindRequest.
 ##
 ## auth_info: Additional information related to the used auth type.
-global LDAP::bindreq: event(
+global LDAP::bind_request: event(
 c: connection,
 message_id: int,
 version: int,
@@ -73,7 +73,7 @@ global LDAP::bindreq: event(
 ## filter: The string representation of the filter field in the SearchRequest.
 ##
 ## attributes: Additional attributes of the SearchRequest.
-global LDAP::searchreq: event (
+global LDAP::search_request: event (
 c: connection,
 message_id: int,
 base_object: string,
@@ -93,7 +93,7 @@ global LDAP::searchreq: event (
 ## message_id: The messageID element.
 ##
 ## object_name: The object name in the SearchResultEntry.
-global LDAP::searchres: event (
+global LDAP::search_result: event (
 c: connection,
 message_id: int,
 object_name: string
diff --git a/src/analyzer/protocol/ldap/ldap.evt b/src/analyzer/protocol/ldap/ldap.evt
index 35c0ac1032..108504c50c 100644
--- a/src/analyzer/protocol/ldap/ldap.evt
+++ b/src/analyzer/protocol/ldap/ldap.evt
@@ -20,24 +20,24 @@ on LDAP::Message -> event LDAP::message($conn,
 self.obj,
 self.arg);
-on LDAP::BindRequest -> event LDAP::bindreq($conn,
- message.messageID,
- self.version,
- self.name,
- self.authType,
- message.arg);
+on LDAP::BindRequest -> event LDAP::bind_request($conn,
+ message.messageID,
+ self.version,
+ self.name,
+ self.authType,
+ message.arg);
-on LDAP::SearchRequest -> event LDAP::searchreq($conn,
- message.messageID,
- self.baseObject,
- self.scope,
- self.deref,
- self.sizeLimit,
- self.timeLimit,
- self.typesOnly,
- self.filter,
- self.attributes);
+on LDAP::SearchRequest -> event LDAP::search_request($conn,
+ message.messageID,
+ self.baseObject,
+ self.scope,
+ self.deref,
+ self.sizeLimit,
+ self.timeLimit,
+ self.typesOnly,
+ self.filter,
+ self.attributes);
-on LDAP::SearchResultEntry -> event LDAP::searchres($conn,
- message.messageID,
- self.objectName);
+on LDAP::SearchResultEntry -> event LDAP::search_result($conn,
+ message.messageID,
+ self.objectName);