From 4a37b57c27e11dec76348f56621a81429283a6a2 Mon Sep 17 00:00:00 2001 From: Kent Kvarfordt Date: Sat, 11 May 2024 17:54:41 -0600 Subject: [PATCH 1/4] Removed references to zeek as integration with zeek can come later. Cleaned up KBK comments. --- analyzer/protobuf.spicy | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/analyzer/protobuf.spicy b/analyzer/protobuf.spicy index 013610a..876ad56 100644 --- a/analyzer/protobuf.spicy +++ b/analyzer/protobuf.spicy @@ -1,29 +1,20 @@ module protobuf; -import zeek; - public type Packet = unit { payload: Message; on %done { - # Feed into Zeek's next-layer packet analysis. - - # KBK HERE - Comment out so we can build - #zeek::forward_packet(self.payload); + print self; } }; # message := (tag value)* # A message is encoded as a sequence of zero or more pairs of tags and values. - -# -# KBK - This should parse a sequence of zero or more TagAndValue pairs until end-of-data. -# type Message = unit { - message: TagAndValue[] &eod; # <==== KBK HERE + message: TagAndValue[] &eod; }; -type TagAndValue = unit { # <==== KBK HERE +type TagAndValue = unit { tag: Tag; value: Value; }; From ca5952622a69813807a62d5efe490c5e6513b7da Mon Sep 17 00:00:00 2001 From: Kent Kvarfordt Date: Sat, 11 May 2024 18:02:34 -0600 Subject: [PATCH 2/4] Added protobuf addressbook packet captures for testing purposes. Addressbook packet captures came from the Wireshark protobuf Wiki page located at https://wiki.wireshark.org/Protobuf --- testing/Traces/protobuf_tcp_addressbook.pcapng | Bin 0 -> 2572 bytes testing/Traces/protobuf_udp_addressbook.pcapng | Bin 0 -> 592 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 testing/Traces/protobuf_tcp_addressbook.pcapng create mode 100644 testing/Traces/protobuf_udp_addressbook.pcapng 
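Review bot: `print self;` in the `on %done` hook of `Packet` is a debugging placeholder that writes every parsed packet, payload bytes included, to stdout, and nothing in the hunk marks it as temporary. Since the commit message says Zeek integration comes later, leave a marker so it is not shipped by accident, e.g. `# TODO(review): temporary stand-in for zeek::forward_packet(self.payload); remove before integrating with Zeek` above that line. Printing wire data unconditionally is also a cheap way for an attacker to flood the analyzer's output once it runs on live traffic, so gating it behind a debug flag would be safer than leaving it bare.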
diff --git a/testing/Traces/protobuf_tcp_addressbook.pcapng b/testing/Traces/protobuf_tcp_addressbook.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..d65ca9d4f59d2d1875558534665e5e0a5625c1bc GIT binary patch literal 2572 zcmd6pUuaWT7{E``v`sV1Qc;j@gM%PVYI?c3`FA&jmGzHK(l$#h^+B-tbF~-KCZ>N} zWn+2Y7_zYq_U2Zr>$*Ctwt^2S_|ON1`XKlqJ`|LqJ{b`#2=V)FPRu>&Q4nAJ;NzZ< zbAIRdedperIGURsD}<1~eS2Fia4oU0k|6ndY(h)BqHfxi$!V@beQv6UI@CZw9;987 zLE1^Zk}B^%aGJVK=@TO~7VGg#ikpx+vWEoy9SMDc4(Vg5%&Bqem8r|C%AdPEG%=~C zQ`8#@1%0rejVPphax|NaXQ^vQ&uQZ$@!SbF^+`Sn)=U}K4!Pra(ib}B)%+<4k^rUvAKhk?NoXKPp@#KjnnArf6w!MQJGLenz4&w)ipD)#u z*e~lv6~>rW$R0xcg}*vU9wz<(N|>u_y=!iF<2m@6xnbNG0)3Oet`|Kp#$>*(!VJ%4zO%rNM4WA# zv3rCd105rf7|3e*ZM`VN7?ZI)g>!FV?E=;St|ocpAkXaf3GlYK&GI}}a|CLhGu-Z0 z-EJWn0^KBF&BGXzxm_rn=UJ@IIipT+>s}(n@s*?gV0=6?=6uxH+G314wQu92*|a7l zGo!n=IqYgE5cDcOztgh2+3}Ir7f>OB5bX{2vp@dvvflB9!xq-l)6U0@txg=&5`u~f zi$Vb)d<+CtRUnY!v|a=nQP&x9T~8J_w$^o-XR*49mAXr}pfYmjtZkx3F5^d3l4EeObV|#AFQ__{0gnwtbahlC#ru3ASqKRpmD*utP61y??>~qW0IyT02HW+_aMgiB(M&%3c F@e2E5IYj^f literal 0 HcmV?d00001 diff --git a/testing/Traces/protobuf_udp_addressbook.pcapng b/testing/Traces/protobuf_udp_addressbook.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..f7af0a89b4f600b33c35bb9a51510f98c042f72d GIT binary patch literal 592 zcmb7BO-mb56ulV}O{a#A&{fd(A_z0J8RjGNVd+8|ztJL9aU;lN=BW=Snd#)i+D*GG z6uRxEi~1A%1?GPg-0Q9taU|kwk2j|h$ePem$BdRC7eS}+Ei&fpy07hU2+-jxH+qlb{ zQF78k(?HeqjXCWl);m0o(DXdlrh9p?V4>4U!yrX%AZV2>04TrT>aOTRdUlM`LSs`KEWlt7%iTC{eEANU&;A(9-k`LV`W8%e-m8G zCzIz;!V^mHeTyJc6sbr33dEQwAo^$T*KTq!3ALm{Kb*BN&5|yUScLUcj0T?}L9xGk YcANV>GStGCCp|TYqTJ$84TiY!7v2$w>Hq)$ literal 0 HcmV?d00001 From 72bdc7f99ed5636715bafdd4af678e0c83608bba Mon Sep 17 00:00:00 2001 
From: Kent Kvarfordt Date: Sat, 11 May 2024 18:06:06 -0600 Subject: [PATCH 3/4] Added test-data that contains only the protobuf data from the protobuf_udp_addressbook.pcapng in raw byte format. This data can be used to test just the spicy parser (protobuf.spicy) without having to be integrated with zeek. --- test-data/protobuf_udp_addressbook.raw | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 test-data/protobuf_udp_addressbook.raw diff --git a/test-data/protobuf_udp_addressbook.raw b/test-data/protobuf_udp_addressbook.raw new file mode 100644 index 0000000..c1d4c5f --- /dev/null +++ b/test-data/protobuf_udp_addressbook.raw @@ -0,0 +1,9 @@ + +B +JasonéJason@example.com" +87561234" + 13588886666*¡‹—ü +: +LilyêLily@example.com" +62858875" + 18822228888 \ No newline at end of file From 9f15a35005158caa2dad910d273c2ccee9cc9c7a Mon Sep 17 00:00:00 2001 From: Kent Kvarfordt Date: Sat, 11 May 2024 18:08:34 -0600 Subject: [PATCH 4/4] Modified type Message so the message field is a byte field to the end of data. --- analyzer/protobuf.spicy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/analyzer/protobuf.spicy b/analyzer/protobuf.spicy index 876ad56..daa326d 100644 --- a/analyzer/protobuf.spicy +++ b/analyzer/protobuf.spicy @@ -11,7 +11,8 @@ public type Packet = unit { # message := (tag value)* # A message is encoded as a sequence of zero or more pairs of tags and values. type Message = unit { - message: TagAndValue[] &eod; + message: bytes &eod; + #message: TagAndValue[] &eod; }; type TagAndValue = unit {
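Review bot: `test-data/protobuf_udp_addressbook.raw` is binary protobuf wire data, but git has stored and diffed it as text — the hunk shows the encoded bytes split into nine lines (the length/varint bytes evidently include 0x0A), plus `\ No newline at end of file`. Any line-ending normalization (core.autocrlf on checkout, an editor save, a tool that strips trailing whitespace) will silently corrupt the fixture and with it the parser test it is meant to drive. Add a `.gitattributes` rule such as `test-data/*.raw binary` so git treats it as binary, and consider noting in the commit or a README how the bytes were extracted from the pcapng so the fixture can be regenerated.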
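Review bot: `message: bytes &eod;` turns `Message` into an opaque byte blob, so after this commit the analyzer no longer decodes any protobuf structure and the `TagAndValue`, `Tag` and `Value` units become unreachable dead code, while the commented-out original is left with no explanation. If this is deliberate scaffolding to get a build going, say why on the commented line, e.g. `# TODO: TagAndValue[] &eod disabled until Tag/Value parsing is verified against test-data/protobuf_udp_addressbook.raw`; otherwise restore the parsed form, since the fixtures added in this series were meant to exercise exactly that path. Note also that `&eod` presumably makes the unit read until the input is closed, so for a TCP-carried stream `%done` would fire only at connection end rather than per message — worth confirming once the analyzer is attached to a connection. `TagAndValue`'s body continues outside the hunk.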