Extend DHCP protocol analyzer with new options.

Add the folowing option types: - 55 Parameters Request List; - 58 Renewal time; - 59 Rebinding time; - 61 Client Identifier; - 82 Relay Agent Information. Extend the following events with new parameters, specifically: - dhcp_discover exports client identifier and parameters request list; - dhcp_request exports client_identifier and parameters request list; - dhcp_ack exports rebinding time, renewal time and list of suboptions value of dhcp relay agent information option; - dhcp_inform exports parameters request list. Add option type specific variables within the scope of DHCP module (see src/analyzer/protocol/dhcp/types.bif). Move protocol specific variables "dhcp_msg" and "dhcp_router_list" from scope Global to DHCP:: and adapt inet_net_var in src/NetVar.cc consequently. Extend src/analyzer/protocols/dhcp/main.bro to handle the new events and to log dhcp_ack, dhcp_request and dhcp_discover. Modify scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro to include new events' variables.
2025-10-14 04:28:20 +00:00 · 2017-12-31 17:36:30 +01:00 · 2017-12-31 17:36:30 +01:00 · 18499fd7d9
commit 18499fd7d9
parent 1c25df6f26
11 changed files with 291 additions and 112 deletions
--- a/scripts/base/protocols/dhcp/main.bro
+++ b/scripts/base/protocols/dhcp/main.bro
@ -17,20 +17,32 @@ export {
 	type Info: record {
 		## The earliest time at which a DHCP message over the
 		## associated connection is observed.
-		ts:		time		&log;
+		ts:			time			&log;
 		## A unique identifier of the connection over which DHCP is
 		## occurring.
-		uid:		string		&log;
+		uid:			string			&log;
 		## The connection's 4-tuple of endpoint addresses/ports.
-		id:		conn_id		&log;
+		id:		 	conn_id			&log;
 		## Client's hardware address.
-		mac:		string		&log &optional;
+		mac:		 	string			&log &optional;
 		## Client's actual assigned IP address.
-		assigned_ip:	addr		&log &optional;
+		assigned_ip:	 	addr			&log &optional;
 		## IP address lease interval.
-		lease_time:	interval	&log &optional;
+		lease_time:	 	interval		&log &optional;
 		## A random number chosen by the client for this transaction.
-		trans_id:	count		&log;
+		trans_id:	 	count			&log;
+		## the message type
+		msg_type:	 	string			&log &optional;
+		## client ID
+		client_id:		string			&log &optional;
+		## the server ID
+		server_id: 	 	addr			&log &optional;
+		## the host name
+		host_name:	 	string			&log &optional;
+		## the subscriber id (if present)
+		subscriber_id:	 	string			&log &optional;
+		## the agent remote id (if present)
+		agent_remote_id:	string			&log &optional;
 	};

 	## Event that can be handled to access the DHCP
@ -47,20 +59,26 @@ redef record connection += {
 const ports = { 67/udp, 68/udp };
 redef likely_server_ports += { 67/udp };

+global info: Info;
+
 event bro_init() &priority=5
 	{
 	Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
 	}

-event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=5
+event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: dhcp_sub_opt_list) &priority=5
 	{
-	local info: Info;
+	#local info: Info;
 	info$ts          = network_time();
 	info$id          = c$id;
 	info$uid         = c$uid;
 	info$lease_time  = lease;
 	info$trans_id    = msg$xid;
+	info$msg_type	 = message_types[msg$m_type];
+
+	info$server_id	 = serv_addr;
+	info$host_name   = host_name;

 	if ( msg$h_addr != "" )
 		info$mac = msg$h_addr;
@ -70,10 +88,62 @@ event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_lis
 	else
 		info$assigned_ip = c$id$orig_h;

+	for (param in sub_opt)
+	{
+		#if ( sub_opt[param]$code == 1 ) 
+                #{
+                #print fmt("Relay Agent Information:");
+                #print fmt( "sub option: code=%d circuit id=%s",sub_opt[param]$code,sub_opt[param]$value );
+                #}
+                if ( sub_opt[param]$code == 2 )
+                        info$agent_remote_id = bytestring_to_hexstr(sub_opt[param]$value);
+
+                if ( sub_opt[param]$code == 6 )
+                        info$subscriber_id = (sub_opt[param]$value);
+	}
+
 	c$dhcp = info;
 	}

-event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=-5
+event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: dhcp_sub_opt_list) &priority=-5
 	{
 	Log::write(DHCP::LOG, c$dhcp);
 	}
+
+event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=5
+	{
+	info$ts          = network_time();
+	info$id          = c$id;
+	info$uid         = c$uid;
+	info$trans_id    = msg$xid;
+	info$msg_type	 = message_types[msg$m_type];
+	info$server_id	 = serv_addr;
+	info$host_name   = host_name;
+	info$client_id 	 = c_id$hwaddr;
+
+	c$dhcp = info;
+	}
+
+event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=-5
+	{
+	Log::write(DHCP::LOG, c$dhcp);
+	}
+
+event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=5
+	{
+	info$ts		= network_time();
+	info$id		= c$id;
+	info$uid	= c$uid;
+	info$trans_id	= msg$xid;
+	info$msg_type	= message_types[msg$m_type];
+	info$host_name	= host_name;
+	info$client_id	= c_id$hwaddr;
+
+	c$dhcp = info;
+	}
+
+event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=-5
+	{
+	Log::write(DHCP::LOG, c$dhcp);
+	}
+