More flexible signature "event" interface

[ckreibich]

Discussed in #3372

^{Originally posted by vpax October 12, 2023}
Currently, Zeek's signature framework supports the generation of a single event:

event signature_match(state: signature_state, msg: string, data: string)

and when writing signatures, all that's specified is the msg that goes with that event:

signature my-first-sig {
    ip-proto == tcp
    dst-port == 80
    payload /.*root/
    event "Found root!"
}

We've been developing Zeek scripts that need to dispatch on the particular signature matched. Currently this requires a bunch of comparisons of msg (and these can happen in different instances of signature_match event handlers, depending on the modularity associated with the content). An extension to deal with this would be to allow the event specifier in a signature to optionally be the name of an event to generate, rather than a string to associate with it:

signature my-first-sig {
    ip-proto == tcp
    dst-port == 80
    payload /.*root/
    event my_first_sig_event
}

(the event value could instead be a string like now, in which case signature_match is generated), or perhaps:

signature my-first-sig {
    ip-proto == tcp
    dst-port == 80
    payload /.*root/
    event "Found root!"
    zeek_event my_first_sig_event
}

where the given event would have to have a common type signature (which for the second example could be the same as the signature_match event).

This seems handy and pretty straightforward to implement. Thoughts?