From: Brian Morris (bmorris2) Date: Fri, 3 Oct 2025 15:58:05 +0000 (+0000) Subject: Pull request #4908: quic advanced logging X-Git-Tag: 3.9.6.0~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4bf8312aacd4336b33edd2548d04328f772889ee;p=thirdparty%2Fsnort3.git Pull request #4908: quic advanced logging Merge in SNORT/snort3 from ~BMORRIS2/snort3:quic_events to master Squashed commit of the following: commit 92a10ddfbb99ddeff8e13c96c8ffab6bf9c995ea Author: Brian Morris Date: Tue Sep 30 11:12:06 2025 -0500 pub_sub: add quic logging events
---
diff --git a/src/pub_sub/CMakeLists.txt b/src/pub_sub/CMakeLists.txt
index 4bed9857e..d5bcf597f 100644
--- a/src/pub_sub/CMakeLists.txt
+++ b/src/pub_sub/CMakeLists.txt
@@ -4,51 +4,53 @@ set (PUB_SUB_INCLUDES
 appid_events.h
 assistant_gadget_event.h
 cip_events.h
- data_decrypt_event.h
 daq_message_event.h
+ data_decrypt_event.h
 dcerpc_events.h
 detection_events.h
 dhcp_events.h
+ dns_events.h
 domain_fronting.h
 eof_event.h
 eve_process_event.h
 expect_events.h
 external_event_ids.h
- file_events.h
 file_events_ids.h
+ file_events.h
 finalize_packet_event.h
 ftp_events.h
+ http_body_event.h
 http_event_ids.h
 http_events.h
- http_request_body_event.h
- http_body_event.h
 http_publish_length_event.h
+ http_request_body_event.h
 http_transaction_end_event.h
 intrinsic_event_ids.h
 netflow_event.h
 opportunistic_tls_event.h
 packet_events.h
+ quic_events.h
 reputation_events.h
 rna_events.h
- sip_events.h
- stream_event_ids.h
 shadowtraffic_aggregator.h
+ sip_events.h
 smb_events.h
 ssh_events.h
 ssl_events.h
- dns_events.h
+ stream_event_ids.h
 )
 
 add_library( pub_sub OBJECT
 ${PUB_SUB_INCLUDES}
 cip_events.cc
- http_events.cc
 detection_events.cc
 dns_events.cc
 eof_event.cc
- http_request_body_event.cc
 http_body_event.cc
+ http_events.cc
+ http_request_body_event.cc
 http_transaction_end_event.cc
+ quic_events.cc
 sip_events.cc
 )
diff --git a/src/pub_sub/quic_events.cc b/src/pub_sub/quic_events.cc
new file mode 100644
index 000000000..26ea9fcb8
--- /dev/null
+++ b/src/pub_sub/quic_events.cc
@@ -0,0 +1,28 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2025-2025 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// quic_events.cc author Brian Morris
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "quic_events.h"
+using namespace snort;
+const PubKey quic_logging_pub_key { "quic", QuicLoggingEventIds::QUIC_MAX_EVENT };
diff --git a/src/pub_sub/quic_events.h b/src/pub_sub/quic_events.h
new file mode 100644
index 000000000..2b1b39eb1
--- /dev/null
+++ b/src/pub_sub/quic_events.h
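Review bot: The PubKey on the last line of quic_events.cc registers the publisher under the name `"quic"`, while the header in the next hunk defines `quic_logging_pub_key` with the name `"quic_logging"`; a publisher and a subscriber that end up holding different objects will never match on the data bus. Because this line follows `using namespace snort;` instead of sitting inside `namespace snort`, it appears to be a second, global-namespace object with internal linkage rather than a definition of the header's one, and nothing on this page refers to it — an unqualified `quic_logging_pub_key` in this file would also be ambiguous between the two. Keep one definition with one name: either drop this line, or declare the key `extern` in the header and define it once here as `const PubKey snort::quic_logging_pub_key { "quic_logging", QuicLoggingEventIds::QUIC_MAX_EVENT };`, whichever matches how the other pub_sub keys are done.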
@@ -0,0 +1,59 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2025-2025 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// quic_events.h author Brian Morris
+#ifndef QUIC_EVENTS_H
+#define QUIC_EVENTS_H
+#include
+#include "framework/data_bus.h"
+namespace snort
+{
+
+enum QuicLoggingEventIds : unsigned
+{
+ QUIC_CLIENT_HELLO_EVENT = 0,
+ QUIC_HANDSHAKE_COMPLETE_EVENT,
+ QUIC_MAX_EVENT
+};
+const PubKey quic_logging_pub_key { "quic_logging", QuicLoggingEventIds::QUIC_MAX_EVENT };
+class QuicClientHelloEvent : public snort::DataEvent
+{
+public:
+ ~QuicClientHelloEvent() override = default;
+
+ virtual const std::string& get_version() const = 0;
+ virtual const std::string& get_client_initial_dcid() const = 0;
+ virtual const std::string& get_client_scid() const = 0;
+ virtual const std::string& get_server_name() const = 0;
+ virtual const std::string& get_client_protocol() const = 0;
+};
+class QuicHandshakeCompleteEvent : public snort::DataEvent
+{
+public:
+ ~QuicHandshakeCompleteEvent() override = default;
+
+ virtual const std::string& get_server_scid() const = 0;
+ virtual const std::string& get_history() const = 0;
+};
+
+}
+#endif
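Review bot: The pure-virtual getters of QuicClientHelloEvent and QuicHandshakeCompleteEvent say nothing about what the returned strings contain or how long the `const std::string&` stays valid, and `get_history()` is not explained at all, so a subscriber cannot tell whether `get_server_name()` is the raw SNI bytes seen on the wire or a normalized copy, nor whether it may hold the reference after its handler returns. Add a block comment above each class and a one-liner per getter; for example, above QuicClientHelloEvent, `/// Published by the QUIC inspector for a client hello; the returned references are owned by the event and should be treated as valid only during the handler call (confirm against the publisher).` Since these values are parsed from the peer's packets, saying so in the comment tells loggers to treat them as untrusted input: bound the length and escape them when writing text logs. As a style point, `snort::DataEvent` does not need the qualifier inside `namespace snort`, and the enum's `QUIC_MAX_EVENT` sentinel deserves a note that it is the event count passed to PubKey, not a publishable id.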