mirror of
https://github.com/zeek/zeek.git
synced 2025-10-17 14:08:20 +00:00
Merge remote-tracking branch 'origin/topic/vladg/dhcp'
* origin/topic/vladg/dhcp: DHCP: Adding unit tests. DHCP: Rework the DHCP analyzer to make it compatible again.
This commit is contained in:
Robin Sommer
commit
308db797c3
23 changed files with 510 additions and 274 deletions
41
scripts/policy/misc/known-devices.bro
Normal file
41
scripts/policy/misc/known-devices.bro
Normal file
|
|
@ -0,0 +1,41 @@
|
|||
##! This script provides infrastructure for logging devices for which Bro has been
|
||||
##! able to determine the MAC address, and it logs them once per day (by default).
|
||||
##! The log that is output provides an easy way to determine a count of the devices
|
||||
##! in use on a network per day.
|
||||
##!
|
||||
##! ..note::
|
||||
##!
|
||||
##! This script will not generate any logs on its own, it needs to be
|
||||
##! supplied with information from elsewhere, such as
|
||||
##! :doc:`policy/protocols/dhcp/known-devices-and-hostnames/scripts/.
|
||||
|
||||
module Known;
|
||||
|
||||
export {
|
||||
## The known-hosts logging stream identifier.
|
||||
redef enum Log::ID += { DEVICES_LOG };
|
||||
|
||||
## The record type which contains the column fields of the known-devices log.
|
||||
type DevicesInfo: record {
|
||||
## The timestamp at which the host was detected.
|
||||
ts: time &log;
|
||||
## The MAC address that was detected.
|
||||
mac: string &log;
|
||||
};
|
||||
|
||||
## The set of all known MAC addresses. It can accessed from other
|
||||
## to add, and check for, addresses seen in use.
|
||||
##
|
||||
## We maintain each entry for 24 hours by default so that the existence of
|
||||
## individual addressed is logged each day.
|
||||
global known_devices: set[string] &create_expire=1day &synchronized &redef;
|
||||
|
||||
## An event that can be handled to access the :bro:type:`Known::DevicesInfo`
|
||||
## record as it is sent on to the logging framework.
|
||||
global log_known_devices: event(rec: DevicesInfo);
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(Known::DEVICES_LOG, [$columns=DevicesInfo, $ev=log_known_devices]);
|
||||
}
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
##! Tracks MAC address with hostnames seen in DHCP traffic. They are logged into
|
||||
##! ``devices.log``.
|
||||
|
||||
@load policy/misc/known-devices
|
||||
|
||||
module Known;
|
||||
|
||||
export {
|
||||
redef record DevicesInfo += {
|
||||
## The value of the DHCP host name option, if seen
|
||||
dhcp_host_name: string &log &optional;
|
||||
};
|
||||
}
|
||||
|
||||
event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string)
|
||||
{
|
||||
if ( msg$h_addr == "" )
|
||||
return;
|
||||
|
||||
if ( msg$h_addr !in known_devices )
|
||||
{
|
||||
add known_devices[msg$h_addr];
|
||||
Log::write(Known::DEVICES_LOG, [$ts=network_time(), $mac=msg$h_addr, $dhcp_host_name=host_name]);
|
||||
}
|
||||
}
|
||||
|
||||
event dhcp_inform(c: connection, msg: dhcp_msg, host_name: string)
|
||||
{
|
||||
if ( msg$h_addr == "" )
|
||||
return;
|
||||
|
||||
if ( msg$h_addr !in known_devices )
|
||||
{
|
||||
add known_devices[msg$h_addr];
|
||||
Log::write(Known::DEVICES_LOG, [$ts=network_time(), $mac=msg$h_addr, $dhcp_host_name=host_name]);
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue