Pull request #4908: quic advanced logging
authorBrian Morris (bmorris2) <bmorris2@cisco.com>
Fri, 3 Oct 2025 15:58:05 +0000 (15:58 +0000)
committerDuane Palmer (duapalme) <duapalme@cisco.com>
Fri, 3 Oct 2025 15:58:05 +0000 (15:58 +0000)
Merge in SNORT/snort3 from ~BMORRIS2/snort3:quic_events to master

Squashed commit of the following:

commit 92a10ddfbb99ddeff8e13c96c8ffab6bf9c995ea
Author: Brian Morris <bmorris2@cisco.com>
Date:   Tue Sep 30 11:12:06 2025 -0500

    pub_sub: add quic logging events

src/pub_sub/CMakeLists.txt
src/pub_sub/quic_events.cc [new file with mode: 0644]
src/pub_sub/quic_events.h [new file with mode: 0644]

index 4bed9857e85e6a8355c15a98577b768ea29a42b6..d5bcf597f31d14127d6dd5e177dc030fd4eb7601 100644 (file)
@@ -4,51 +4,53 @@ set (PUB_SUB_INCLUDES
     appid_events.h
     assistant_gadget_event.h
     cip_events.h
-    data_decrypt_event.h
     daq_message_event.h
+    data_decrypt_event.h
     dcerpc_events.h
     detection_events.h
     dhcp_events.h
+    dns_events.h
     domain_fronting.h
     eof_event.h
     eve_process_event.h
     expect_events.h
     external_event_ids.h
-    file_events.h
     file_events_ids.h
+    file_events.h
     finalize_packet_event.h
     ftp_events.h
+    http_body_event.h
     http_event_ids.h
     http_events.h
-    http_request_body_event.h
-    http_body_event.h
     http_publish_length_event.h
+    http_request_body_event.h
     http_transaction_end_event.h
     intrinsic_event_ids.h
     netflow_event.h
     opportunistic_tls_event.h
     packet_events.h
+    quic_events.h
     reputation_events.h
     rna_events.h
-    sip_events.h
-    stream_event_ids.h
     shadowtraffic_aggregator.h
+    sip_events.h
     smb_events.h
     ssh_events.h
     ssl_events.h
-    dns_events.h
+    stream_event_ids.h
 )
 
 add_library( pub_sub OBJECT
     ${PUB_SUB_INCLUDES}
     cip_events.cc
-    http_events.cc
     detection_events.cc
     dns_events.cc
     eof_event.cc
-    http_request_body_event.cc
     http_body_event.cc
+    http_events.cc
+    http_request_body_event.cc
     http_transaction_end_event.cc
+    quic_events.cc
     sip_events.cc
 )
 
diff --git a/src/pub_sub/quic_events.cc b/src/pub_sub/quic_events.cc
new file mode 100644 (file)
index 0000000..26ea9fc
--- /dev/null
@@ -0,0 +1,28 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2025-2025 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+// quic_events.cc author Brian Morris <bmorris2@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "quic_events.h"
+
+using namespace snort;
+
+const PubKey quic_logging_pub_key { "quic", QuicLoggingEventIds::QUIC_MAX_EVENT };
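Review bot: `quic_logging_pub_key` is defined twice in this commit with different publisher names: here at global scope as `"quic"`, and in quic_events.h (the next hunk, inside `namespace snort`) as `"quic_logging"`. Since this file includes that header and then says `using namespace snort;`, an unqualified reference to the name in this translation unit is ambiguous, while a `snort::`-qualified one picks up the header's `"quic_logging"` and leaves this definition dead, so whichever string was intended, only one should survive. If a single process-wide key object is what the DataBus expects (how `PubKey` is registered is outside this hunk), declare it in the header as `extern const PubKey quic_logging_pub_key;` inside `namespace snort` and define it once here as `const PubKey snort::quic_logging_pub_key { "quic_logging", QuicLoggingEventIds::QUIC_MAX_EVENT };`; otherwise drop this line entirely, noting that a namespace-scope `const` object defined in a header has internal linkage and every including TU gets its own copy.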
diff --git a/src/pub_sub/quic_events.h b/src/pub_sub/quic_events.h
new file mode 100644 (file)
index 0000000..2b1b39e
--- /dev/null
@@ -0,0 +1,59 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2025-2025 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+// quic_events.h author Brian Morris <bmorris2@cisco.com>
+
+#ifndef QUIC_EVENTS_H
+#define QUIC_EVENTS_H
+
+#include <string>
+#include "framework/data_bus.h"
+
+namespace snort
+{
+
+enum QuicLoggingEventIds : unsigned
+{
+    QUIC_CLIENT_HELLO_EVENT = 0,
+    QUIC_HANDSHAKE_COMPLETE_EVENT,
+    QUIC_MAX_EVENT
+};
+const PubKey quic_logging_pub_key { "quic_logging", QuicLoggingEventIds::QUIC_MAX_EVENT };
+
+class QuicClientHelloEvent : public snort::DataEvent
+{
+public:
+    ~QuicClientHelloEvent() override = default;
+
+    virtual const std::string& get_version() const = 0;
+    virtual const std::string& get_client_initial_dcid() const = 0;
+    virtual const std::string& get_client_scid() const = 0;
+    virtual const std::string& get_server_name() const = 0;
+    virtual const std::string& get_client_protocol() const = 0;
+};
+
+class QuicHandshakeCompleteEvent : public snort::DataEvent
+{
+public:
+    ~QuicHandshakeCompleteEvent() override = default;
+
+    virtual const std::string& get_server_scid() const = 0;
+    virtual const std::string& get_history() const = 0;
+};
+
+}
+#endif
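Review bot: The pure-virtual getters on `QuicClientHelloEvent` and `QuicHandshakeCompleteEvent` carry no documentation, so a subscriber cannot tell whether `get_client_initial_dcid()`, `get_client_scid()` and `get_server_scid()` return raw connection-id bytes or a printable rendering, what `get_history()` records, or how long the returned `const std::string&` stays valid. A short comment on each class would settle this, e.g. above `QuicClientHelloEvent`: `// Published when a QUIC client Initial is parsed. Connection-id strings are <raw bytes | hex> (confirm against the publishing inspector); references are valid only for the duration of the publish callback.` and a matching one for the handshake-complete event describing `get_history()`. As a minor style point, `snort::DataEvent` is already inside `namespace snort`, so `public DataEvent` suffices on both base-class lists.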