diff --git a/analyzer/protobuf.spicy b/analyzer/protobuf.spicy index bcaef43..925da84 100644 --- a/analyzer/protobuf.spicy +++ b/analyzer/protobuf.spicy @@ -2,25 +2,75 @@ module protobuf; import zeek; -# TODO: Our example here models a simple example packet format of static size: -# 19 payload bytes, followed by the protocol number for the next layer, for -# which the data then follows subsequently. (This is just what our test trace -# happens to contain). Adapt as suitable. public type Packet = unit { - payload: bytes &size=19; - protocol: uint16; # next-layer protocol, values need to be mapped to analyzers in Zeek scriptland + payload: Message; on %done { # Feed into Zeek's next-layer packet analysis. - zeek::forward_packet(self.protocol); + zeek::forward_packet(self.payload); } }; -type WireType = enum { - VARINT = 0x00, - I64 = 0x01, - LEN = 0x02, - SGROUP = 0x03, # deprecated - EGROUP = 0x04, # deprecated - I32 = 0x05 +# TODO: +# message := (tag value)* +type Message = unit { +}; + +# TODO: +# tag := (field << 3) bit-or wire_type; +# encoded as uint32 varint +type Tag = unit { +}; + +# TODO: +# value := varint for wire_type == VARINT, +# i32 for wire_type == I32, +# i64 for wire_type == I64, +# len-prefix for wire_type == LEN, +# for wire_type == SGROUP or EGROUP +type Value = unit { +}; + +# TODO: +# varint := int32 | int64 | uint32 | uint64 | bool | enum | sint32 | sint64; +# encoded as varints (sintN are ZigZag-encoded first) +type VarInt = unit { +}; + +# TODO: +# i32 := sfixed32 | fixed32 | float; +# encoded as 4-byte little-endian; +# memcpy of the equivalent C types (u?int32_t, float) +type I32 = unit { +}; + +# TODO: +# i64 := sfixed64 | fixed64 | double; +# encoded as 8-byte little-endian; +# memcpy of the equivalent C types (u?int64_t, double) +type I64 = unit { +}; + +# TODO: +# len-prefix := size (message | string | bytes | packed); +# size encoded as int32 varint +type LenPrefix = unit { +}; + +# TODO: +# string := valid UTF-8 string (e.g. ASCII); +# max 2GB of bytes +type String = unit { +}; + +# TODO: +# bytes := any sequence of 8-bit bytes; +# max 2GB of bytes +type Bytes = unit { +}; + +# TODO: +# packed := varint* | i32* | i64*, +# consecutive values of the type specified in `.proto` +type Packed = unit { };