From fb31ad0c6e3d8515d884f0d3d22067f3be4990b3 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 18 Oct 2023 12:40:02 +0200
Subject: [PATCH] ldap: Add spicy-events.zeek
---
 scripts/base/protocols/ldap/__load__.zeek | 1 +
 scripts/base/protocols/ldap/main.zeek | 10 --
 scripts/base/protocols/ldap/spicy-events.zeek | 100 ++++++++++++++++++
 .../canonified_loaded_scripts.log | 1 +
 4 files changed, 102 insertions(+), 10 deletions(-)
 create mode 100644 scripts/base/protocols/ldap/spicy-events.zeek
diff --git a/scripts/base/protocols/ldap/__load__.zeek b/scripts/base/protocols/ldap/__load__.zeek
index 7f84910034..f69cc94b0a 100644
--- a/scripts/base/protocols/ldap/__load__.zeek
+++ b/scripts/base/protocols/ldap/__load__.zeek
@@ -1,4 +1,5 @@
 @if ( have_spicy_analyzers() )
+@load ./spicy-events.zeek
 @load-sigs ./dpd.sig
 @load ./consts
 @load ./main.zeek
diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index 2c05020ddf..800ffd04bd 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -113,16 +113,6 @@ export {
 # to the logging framework.
 global log_ldap: event(rec: LDAP::MessageInfo);
 global log_ldap_search: event(rec: LDAP::SearchInfo);
-
- # Event called for each LDAP message (either direction)
- global LDAP::message: event(c: connection,
- message_id: int,
- opcode: LDAP::ProtocolOpcode,
- result: LDAP::ResultCode,
- matched_dn: string,
- diagnostic_message: string,
- object: string,
- argument: string);
 }
 
 redef record connection += {
diff --git a/scripts/base/protocols/ldap/spicy-events.zeek b/scripts/base/protocols/ldap/spicy-events.zeek
new file mode 100644
index 0000000000..b0b1bd8cc2
--- /dev/null
+++ b/scripts/base/protocols/ldap/spicy-events.zeek
@@ -0,0 +1,100 @@
+##! Events generated by the LDAP analyzer.
+##!
+##! See See `RFC4511 `__.
+
+## Event generated for each LDAPMessage (either direction).
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## opcode: The protocolOp field in the message.
+##
+## result: The result code if the message contains a result.
+##
+## matched_dn: The DN if the message contains a result.
+##
+## diagnostic_message: Diagnostic message if the LDAP message contains a result.
+##
+## object: The object name this message refers to.
+##
+## argument: Additional arguments this message includes.
+global LDAP::message: event(
+ c: connection,
+ message_id: int,
+ opcode: LDAP::ProtocolOpcode,
+ result: LDAP::ResultCode,
+ matched_dn: string,
+ diagnostic_message: string,
+ object: string,
+ argument: string
+);
+
+## Event generated for each LDAPMessage containing a BindRequest.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## version: The version field in the BindRequest.
+##
+## name: The name field in the BindRequest.
+##
+## auth_type: The auth type field in the BindRequest.
+##
+## auth_info: Additional information related to the used auth type.
+global LDAP::bindreq: event(
+ c: connection,
+ message_id: int,
+ version: int,
+ name: string,
+ auth_type: LDAP::BindAuthType,
+ auth_info: string
+);
+
+## Event generated for each LDAPMessage containing a SearchRequest.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## base_object: The baseObject field in the SearchRequest.
+##
+## scope: The scope field in the SearchRequest.
+##
+## deref_alias: The derefAlias field in the SearchRequest
+##
+## size_limit: The sizeLimit field in the SearchRequest.
+##
+## time_limit: The timeLimit field in the SearchRequest.
+##
+## types_only: The typesOnly field in the SearchRequest.
+##
+## filter: The string representation of the filter field in the SearchRequest.
+##
+## attributes: Additional attributes of the SearchRequest.
+global LDAP::searchreq: event (
+ c: connection,
+ message_id: int,
+ base_object: string,
+ scope: LDAP::SearchScope,
+ deref: LDAP::SearchDerefAlias,
+ size_limit: int,
+ time_limit: int,
+ types_only: bool,
+ filter: string,
+ attributes: vector of string
+);
+
+## Event generated for each SearchResultEntry in LDAP messages.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## object_name: The object name in the SearchResultEntry.
+global LDAP::searchres: event (
+ c: connection,
+ message_id: int,
+ object_name: string
+);
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index cb332a0e4d..6fe637462b 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -407,6 +407,7 @@ scripts/base/init-default.zeek
 scripts/base/protocols/krb/consts.zeek
 scripts/base/protocols/krb/files.zeek
 scripts/base/protocols/ldap/__load__.zeek
+ scripts/base/protocols/ldap/spicy-events.zeek
 scripts/base/protocols/ldap/consts.zeek
 scripts/base/protocols/ldap/main.zeek
 scripts/base/protocols/modbus/__load__.zeek
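Review bot: The `LDAP::searchreq` docstring documents a parameter named `deref_alias`, but the declaration's parameter is `deref`, so the generated documentation will not line up with the signature; change the doc line to `## deref: The derefAlias field in the SearchRequest.` (which also adds the trailing period the other entries have). The file header repeats "See See", and the RFC4511 link target appears empty in this hunk, which may be an extraction loss but is worth confirming before merge. `searchreq` and `searchres` are declared with `event (` while `message` and `bindreq` use `event(`; the file should pick one form. For `bindreq`, if `auth_info` delivers the raw credential for the simple auth type (this cannot be confirmed from the hunk), the docstring should state that explicitly so that handlers which log or forward the value know to treat it as sensitive.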