- Added the known-devices log, and the script to log DHCP hostname per MAC address,
 - Added DPD sig,
 - Removed some scripts following a discussion with Seth.
This commit is contained in:
Vlad Grigorescu 2013-07-31 16:32:20 -04:00
parent 7ddacba1a3
commit 0f1b0e75b7
6 changed files with 71 additions and 265 deletions


@ -1,2 +1,4 @@
@load ./consts
@load ./main
@load ./main
@load-sigs ./dpd.sig


@ -0,0 +1,5 @@
signature dhcp_cookie {
ip-proto == udp
payload /^.*\x63\x82\x53\x63/
enable "dhcp"
}
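Review bot: The payload regex on line 23 anchors only with `^.*`, so any UDP datagram carrying the four bytes 63 82 53 63 anywhere in its payload enables the DHCP analyzer on that flow, while in a real DHCP message the cookie sits at the fixed offset 236 (immediately after the 128-byte BOOTP `file` field, RFC 2131). A tighter pattern such as `payload /^[\x00-\xff]{236}\x63\x82\x53\x63/` keeps the DPD match to the BOOTP layout and avoids scanning every UDP payload for an unanchored 4-byte string. The explicit byte class also sidesteps a caveat with `.`: if the signature engine follows flex semantics and `.` excludes 0x0a, a message with a byte 10 before the cookie (an address in 10.0.0.0/8, for instance) would not match the current pattern, which is worth confirming against the regex engine before relying on `.*`. A one-line comment naming the constant would also help the next reader, e.g. `# DHCP magic cookie (RFC 2131, options field): 0x63825363`.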


@ -2,8 +2,8 @@
##! This script ignores large swaths of the protocol, since it is rather
##! noisy on most networks, and focuses on the end-result: assigned leases.
##!
##! To enable further analysis and log output for DHCP, see the optional
##! scripts in the policy/protocols/dhcp directory.
##! If you'd like to track known DHCP devices and to log the hostname
##! supplied by the client, see policy/protocols/dhcp/known-devices.bro
@load ./utils.bro
@ -45,13 +45,13 @@ redef record connection += {
const ports = { 67/udp, 68/udp };
redef likely_server_ports += { 67/udp };
event bro_init() &priority=5
event bro_init()
{
Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp]);
Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
}
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=5
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
{
local info: Info;
info$ts = network_time();
@ -65,10 +65,6 @@ event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_lis
info$mac = msg$h_addr;
c$dhcp = info;
}
# We let policy scripts add stuff too, so we run this at a lower priority
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=1
{
Log::write(DHCP::LOG, c$dhcp);
}
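Review bot: Dropping `&priority=5` from the `dhcp_ack` handler (line 48) and deleting the lower-priority handler that performed the `Log::write` (lines 56-60) removes the ordering guarantee the deleted comment described: a policy script such as the new known-devices.bro that adds fields to `c$dhcp` in its own `dhcp_ack` handler now runs in unspecified order relative to the write, and a policy handler with a higher priority would see `c$dhcp` before it is set. The hunk does not show where the write moved, so this is inferred from what was removed; if it now lives in the populating handler, I would keep `&priority=5` there and retain a second `dhcp_ack` handler at `&priority=-5` containing only `Log::write(DHCP::LOG, c$dhcp);`, so default-priority policy handlers sit between populate and write. The same concern applies to `bro_init()` on line 42: the other base scripts create their log streams at `&priority=5` so that policy-layer `bro_init` handlers calling `Log::add_filter` or `Log::remove_default_filter` on `DHCP::LOG` find the stream already created. The `dhcp_ack` handler shown in the last hunk begins in the previous hunk, so part of its body is outside this view.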