Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.

doc/scripts/base/protocols/quic/__load__.zeek.rst

@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/quic/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>`, :doc:`base/protocols/quic/main.zeek </scripts/base/protocols/quic/main.zeek>`, :doc:`base/protocols/quic/spicy-events.zeek </scripts/base/protocols/quic/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+

doc/scripts/base/protocols/quic/consts.zeek.rst

@@ -0,0 +1,61 @@
+:tocdepth: 3
+
+base/protocols/quic/consts.zeek
+===============================
+.. zeek:namespace:: QUIC
+
+
+:Namespace: QUIC
+
+Summary
+~~~~~~~
+Constants
+#########
+================================================================================================== ==============================================================
+:zeek:id:`QUIC::version_strings`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` A mapping from QUIC's raw version numbers to readable strings.
+================================================================================================== ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: QUIC::version_strings
+   :source-code: base/protocols/quic/consts.zeek 7 7
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [4207849486] = "mvfst (faceb00e)",
+            [4278190112] = "draft-32",
+            [4278190110] = "draft-30",
+            [4278190111] = "draft-30",
+            [4278190114] = "draft-34",
+            [4207849474] = "mvfst (faceb002)",
+            [4278190108] = "draft-28",
+            [4278190113] = "draft-33",
+            [4278190104] = "draft-24",
+            [4278190105] = "draft-25",
+            [1] = "1",
+            [1798521807] = "quicv2",
+            [4207849491] = "mvfst (faceb013)",
+            [4207849489] = "mvfst (faceb011)",
+            [4278190106] = "draft-26",
+            [4207849490] = "mvfst (faceb012)",
+            [4278190107] = "draft-27",
+            [4278190103] = "draft-23",
+            [4278190102] = "draft-22",
+            [4278190109] = "draft-29",
+            [4207849473] = "mvfst (faceb001)"
+         }
+
+
+   A mapping from QUIC's raw version numbers to readable strings.
+   Unexpected versions become "unknown-<hex>", with a hexadecimal
+   rendering of the version number.
+
+

doc/scripts/base/protocols/quic/index.rst

@@ -0,0 +1,22 @@
+:orphan:
+
+Package: base/protocols/quic
+============================
+
+
+:doc:`/scripts/base/protocols/quic/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/quic/spicy-events.zeek`
+
+   Events generated by the QUIC analyzer.
+   
+   See See `RFC9000 <https://tools.ietf.org/html/rfc9000>`__.
+
+:doc:`/scripts/base/protocols/quic/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/quic/main.zeek`
+
+   Implements base functionality for QUIC analysis. Generates quic.log.
+

doc/scripts/base/protocols/quic/main.zeek.rst

@@ -0,0 +1,176 @@
+:tocdepth: 3
+
+base/protocols/quic/main.zeek
+=============================
+.. zeek:namespace:: QUIC
+
+Implements base functionality for QUIC analysis. Generates quic.log.
+
+:Namespace: QUIC
+:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=========================================================================== ========================================
+:zeek:id:`QUIC::max_history_length`: :zeek:type:`count` :zeek:attr:`&redef` The maximum length of the history field.
+=========================================================================== ========================================
+
+Types
+#####
+============================================ =
+:zeek:type:`QUIC::Info`: :zeek:type:`record` 
+============================================ =
+
+Redefinitions
+#############
+============================================ ======================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      
+                                             
+                                             * :zeek:enum:`QUIC::LOG`
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               quic: :zeek:type:`QUIC::Info` :zeek:attr:`&optional`
+============================================ ======================================================
+
+Events
+######
+============================================= =
+:zeek:id:`QUIC::log_quic`: :zeek:type:`event` 
+============================================= =
+
+Hooks
+#####
+============================================================== =
+:zeek:id:`QUIC::finalize_quic`: :zeek:type:`Conn::RemovalHook` 
+:zeek:id:`QUIC::log_policy`: :zeek:type:`Log::PolicyHook`      
+============================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: QUIC::max_history_length
+   :source-code: base/protocols/quic/main.zeek 79 79
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   The maximum length of the history field.
+
+Types
+#####
+.. zeek:type:: QUIC::Info
+   :source-code: base/protocols/quic/main.zeek 13 70
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp of first QUIC packet for this entry.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log`
+
+      QUIC version as found in the first INITIAL packet from
+      the client. This will often be "1" or "quicv2", but see
+      the :zeek:see:`QUIC::version_strings` table for details.
+
+
+   .. zeek:field:: client_initial_dcid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      First Destination Connection ID used by client. This is
+      random and unpredictable, but used for packet protection
+      by client and server.
+
+
+   .. zeek:field:: client_scid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Client's Source Connection ID from the first INITIAL packet.
+
+
+   .. zeek:field:: server_scid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server chosen Connection ID usually from server's first
+      INITIAL packet. This is to be used by the client in
+      subsequent packets.
+
+
+   .. zeek:field:: server_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server name extracted from SNI extension in ClientHello
+      packet if available.
+
+
+   .. zeek:field:: client_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      First protocol extracted from ALPN extension in ClientHello
+      packet if available.
+
+
+   .. zeek:field:: history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      QUIC history.
+      
+      Letters have the following meaning with client-sent
+      letters being capitalized:
+      
+      ======  ====================================================
+      Letter  Meaning
+      ======  ====================================================
+      I       INIT packet
+      H       HANDSHAKE packet
+      Z       0RTT packet
+      R       RETRY packet
+      C       CONNECTION_CLOSE packet
+      S       SSL Client/Server Hello
+      U       Unfamiliar QUIC version
+      ======  ====================================================
+
+
+   .. zeek:field:: history_state :zeek:type:`vector` of :zeek:type:`string`
+
+
+   .. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+
+
+Events
+######
+.. zeek:id:: QUIC::log_quic
+   :source-code: base/protocols/quic/main.zeek 72 72
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`QUIC::Info`)
+
+
+Hooks
+#####
+.. zeek:id:: QUIC::finalize_quic
+   :source-code: base/protocols/quic/main.zeek 229 235
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+
+.. zeek:id:: QUIC::log_policy
+   :source-code: base/protocols/quic/main.zeek 74 74
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+

doc/scripts/base/protocols/quic/spicy-events.zeek.rst

@@ -0,0 +1,176 @@
+:tocdepth: 3
+
+base/protocols/quic/spicy-events.zeek
+=====================================
+
+Events generated by the QUIC analyzer.
+
+See See `RFC9000 <https://tools.ietf.org/html/rfc9000>`__.
+
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================== ============================================
+:zeek:id:`QUIC::connection_close_frame`: :zeek:type:`event` Generated for a QUIC CONNECTION_CLOSE frame.
+:zeek:id:`QUIC::handshake_packet`: :zeek:type:`event`       Generated for a QUIC Handshake packet.
+:zeek:id:`QUIC::initial_packet`: :zeek:type:`event`         Generated for a QUIC Initial packet.
+:zeek:id:`QUIC::retry_packet`: :zeek:type:`event`           Generated for a QUIC Retry packet.
+:zeek:id:`QUIC::unhandled_version`: :zeek:type:`event`      Generated for an unrecognized QUIC version.
+:zeek:id:`QUIC::zero_rtt_packet`: :zeek:type:`event`        Generated for a QUIC 0-RTT packet.
+=========================================================== ============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: QUIC::connection_close_frame
+   :source-code: base/protocols/quic/main.zeek 182 192
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, error_code: :zeek:type:`count`, reason_phrase: :zeek:type:`string`)
+
+   Generated for a QUIC CONNECTION_CLOSE frame.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+   :param error_code: Count indicating the reason for closing this connection.
+   
+
+   :param reason_phrase: Additional diagnostic information for the closure.
+   
+   .. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
+
+.. zeek:id:: QUIC::handshake_packet
+   :source-code: base/protocols/quic/main.zeek 142 146
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC Handshake packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+.. zeek:id:: QUIC::initial_packet
+   :source-code: base/protocols/quic/main.zeek 136 140
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC Initial packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+.. zeek:id:: QUIC::retry_packet
+   :source-code: base/protocols/quic/main.zeek 155 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, retry_token: :zeek:type:`string`, retry_integrity_tag: :zeek:type:`string`)
+
+   Generated for a QUIC Retry packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+   :param retry_token: The Retry Token field.
+   
+
+   :param integrity_tag: The Retry Integrity Tag field.
+
+.. zeek:id:: QUIC::unhandled_version
+   :source-code: base/protocols/quic/main.zeek 168 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for an unrecognized QUIC version.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+.. zeek:id:: QUIC::zero_rtt_packet
+   :source-code: base/protocols/quic/main.zeek 148 152
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC 0-RTT packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+