ldap: Add spicy-events.zeek

scripts/base/protocols/ldap/__load__.zeek

@@ -1,4 +1,5 @@
 @if ( have_spicy_analyzers() )
+@load ./spicy-events.zeek
 @load-sigs ./dpd.sig
 @load ./consts
 @load ./main.zeek

scripts/base/protocols/ldap/main.zeek

@@ -113,16 +113,6 @@ export {
   # to the logging framework.
   global log_ldap: event(rec: LDAP::MessageInfo);
   global log_ldap_search: event(rec: LDAP::SearchInfo);
-
-  # Event called for each LDAP message (either direction)
-  global LDAP::message: event(c: connection,
-                              message_id: int,
-                              opcode: LDAP::ProtocolOpcode,
-                              result: LDAP::ResultCode,
-                              matched_dn: string,
-                              diagnostic_message: string,
-                              object: string,
-                              argument: string);
 }
 
 redef record connection += {

scripts/base/protocols/ldap/spicy-events.zeek

@@ -0,0 +1,100 @@
+##! Events generated by the LDAP analyzer.
+##!
+##! See See `RFC4511 <https://tools.ietf.org/html/rfc4511>`__.
+
+## Event generated for each LDAPMessage (either direction).
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## opcode: The protocolOp field in the message.
+##
+## result: The result code if the message contains a result.
+##
+## matched_dn: The DN if the message contains a result.
+##
+## diagnostic_message: Diagnostic message if the LDAP message contains a result.
+##
+## object: The object name this message refers to.
+##
+## argument: Additional arguments this message includes.
+global LDAP::message: event(
+  c: connection,
+  message_id: int,
+  opcode: LDAP::ProtocolOpcode,
+  result: LDAP::ResultCode,
+  matched_dn: string,
+  diagnostic_message: string,
+  object: string,
+  argument: string
+);
+
+## Event generated for each LDAPMessage containing a BindRequest.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## version: The version field in the BindRequest.
+##
+## name: The name field in the BindRequest.
+##
+## auth_type: The auth type field in the BindRequest.
+##
+## auth_info: Additional information related to the used auth type.
+global LDAP::bindreq: event(
+  c: connection,
+  message_id: int,
+  version: int,
+  name: string,
+  auth_type: LDAP::BindAuthType,
+  auth_info: string
+);
+
+## Event generated for each LDAPMessage containing a SearchRequest.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## base_object: The baseObject field in the SearchRequest.
+##
+## scope: The scope field in the SearchRequest.
+##
+## deref_alias: The derefAlias field in the SearchRequest
+##
+## size_limit: The sizeLimit field in the SearchRequest.
+##
+## time_limit: The timeLimit field in the SearchRequest.
+##
+## types_only: The typesOnly field in the SearchRequest.
+##
+## filter: The string representation of the filter field in the SearchRequest.
+##
+## attributes: Additional attributes of the SearchRequest.
+global LDAP::searchreq: event (
+  c: connection,
+  message_id: int,
+  base_object: string,
+  scope: LDAP::SearchScope,
+  deref: LDAP::SearchDerefAlias,
+  size_limit: int,
+  time_limit: int,
+  types_only: bool,
+  filter: string,
+  attributes: vector of string
+);
+
+## Event generated for each SearchResultEntry in LDAP messages.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## object_name: The object name in the SearchResultEntry.
+global LDAP::searchres: event (
+  c: connection,
+  message_id: int,
+  object_name: string
+);

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -407,6 +407,7 @@ scripts/base/init-default.zeek
       scripts/base/protocols/krb/consts.zeek
     scripts/base/protocols/krb/files.zeek
   scripts/base/protocols/ldap/__load__.zeek
+    scripts/base/protocols/ldap/spicy-events.zeek
     scripts/base/protocols/ldap/consts.zeek
     scripts/base/protocols/ldap/main.zeek
   scripts/base/protocols/modbus/__load__.zeek