diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index d0120d930b..a732212335 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -47,6 +47,7 @@
 @load base/protocols/irc
 @load base/protocols/modbus
 @load base/protocols/pop3
+@load base/protocols/radius
 @load base/protocols/smtp
 @load base/protocols/socks
 @load base/protocols/ssh
diff --git a/scripts/base/protocols/radius/__load__.bro b/scripts/base/protocols/radius/__load__.bro
new file mode 100644
index 0000000000..96bf67a57f
--- /dev/null
+++ b/scripts/base/protocols/radius/__load__.bro
@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+#@load-sigs ./dpd.sig
\ No newline at end of file
diff --git a/scripts/base/protocols/radius/consts.bro b/scripts/base/protocols/radius/consts.bro
new file mode 100644
index 0000000000..6231a25631
--- /dev/null
+++ b/scripts/base/protocols/radius/consts.bro
@@ -0,0 +1,537 @@ +module RADIUS; + +const msg_types: table[count] of string = { + [1] = "Access-Request", + [2] = "Access-Accept", + [3] = "Access-Reject", + [4] = "Accounting-Request", + [5] = "Accounting-Response", + [11] = "Access-Challenge", + [12] = "Status-Server", + [13] = "Status-Client", +} &default=function(i: count): string { return fmt("unknown-%d", i); }; + +const attr_types: table[count] of string = { + [1] = "User-Name", + [2] = "User-Password", + [3] = "CHAP-Password", + [4] = "NAS-IP-Address", + [5] = "NAS-Port", + [6] = "Service-Type", + [7] = "Framed-Protocol", + [8] = "Framed-IP-Address", + [9] = "Framed-IP-Netmask", + [10] = "Framed-Routing", + [11] = "Filter-Id", + [12] = "Framed-MTU", + [13] = "Framed-Compression", + [14] = "Login-IP-Host", + [15] = "Login-Service", + [16] = "Login-TCP-Port", + [18] = "Reply-Message", + [19] = "Callback-Number", + [20] = "Callback-Id", + [22] = "Framed-Route", + [23] = "Framed-IPX-Network", + [24] = "State", + [25] = "Class", + [26] = "Vendor-Specific", + [27] = "Session-Timeout", + [28] = "Idle-Timeout", + [29] = "Termination-Action", + [30] = "Called-Station-Id", + [31] = "Calling-Station-Id", + [32] = "NAS-Identifier", + [33] = "Proxy-State", + [34] = "Login-LAT-Service", + [35] = "Login-LAT-Node", + [36] = "Login-LAT-Group", + [37] = "Framed-AppleTalk-Link", + [38] = "Framed-AppleTalk-Network", + [39] = "Framed-AppleTalk-Zone", + [40] = "Acct-Status-Type", + [41] = "Acct-Delay-Time", + [42] = "Acct-Input-Octets", + [43] = "Acct-Output-Octets", + [44] = "Acct-Session-Id", + [45] = "Acct-Authentic", + [46] = "Acct-Session-Time", + [47] = "Acct-Input-Packets", + [48] = "Acct-Output-Packets", + [49] = "Acct-Terminate-Cause", + [50] = "Acct-Multi-Session-Id", + [51] = "Acct-Link-Count", + [52] = "Acct-Input-Gigawords", + [53] = "Acct-Output-Gigawords", + [55] = "Event-Timestamp", + [56] = "Egress-VLANID", + [57] = "Ingress-Filters", + [58] = "Egress-VLAN-Name", + [59] = "User-Priority-Table", + [60] = 
"CHAP-Challenge", + [61] = "NAS-Port-Type", + [62] = "Port-Limit", + [63] = "Login-LAT-Port", + [64] = "Tunnel-Type", + [65] = "Tunnel-Medium-Type", + [66] = "Tunnel-Client-EndPoint", + [67] = "Tunnel-Server-EndPoint", + [68] = "Acct-Tunnel-Connection", + [69] = "Tunnel-Password", + [70] = "ARAP-Password", + [71] = "ARAP-Features", + [72] = "ARAP-Zone-Access", + [73] = "ARAP-Security", + [74] = "ARAP-Security-Data", + [75] = "Password-Retry", + [76] = "Prompt", + [77] = "Connect-Info", + [78] = "Configuration-Token", + [79] = "EAP-Message", + [80] = "Message Authenticator", + [81] = "Tunnel-Private-Group-ID", + [82] = "Tunnel-Assignment-ID", + [83] = "Tunnel-Preference", + [84] = "ARAP-Challenge-Response", + [85] = "Acct-Interim-Interval", + [86] = "Acct-Tunnel-Packets-Lost", + [87] = "NAS-Port-Id", + [88] = "Framed-Pool", + [89] = "CUI", + [90] = "Tunnel-Client-Auth-ID", + [91] = "Tunnel-Server-Auth-ID", + [92] = "NAS-Filter-Rule", + [94] = "Originating-Line-Info", + [95] = "NAS-IPv6-Address", + [96] = "Framed-Interface-Id", + [97] = "Framed-IPv6-Prefix", + [98] = "Login-IPv6-Host", + [99] = "Framed-IPv6-Route", + [100] = "Framed-IPv6-Pool", + [101] = "Error-Cause", + [102] = "EAP-Key-Name", + [103] = "Digest-Response", + [104] = "Digest-Realm", + [105] = "Digest-Nonce", + [106] = "Digest-Response-Auth", + [107] = "Digest-Nextnonce", + [108] = "Digest-Method", + [109] = "Digest-URI", + [110] = "Digest-Qop", + [111] = "Digest-Algorithm", + [112] = "Digest-Entity-Body-Hash", + [113] = "Digest-CNonce", + [114] = "Digest-Nonce-Count", + [115] = "Digest-Username", + [116] = "Digest-Opaque", + [117] = "Digest-Auth-Param", + [118] = "Digest-AKA-Auts", + [119] = "Digest-Domain", + [120] = "Digest-Stale", + [121] = "Digest-HA1", + [122] = "SIP-AOR", + [123] = "Delegated-IPv6-Prefix", + [124] = "MIP6-Feature-Vector", + [125] = "MIP6-Home-Link-Prefix", + [126] = "Operator-Name", + [127] = "Location-Information", + [128] = "Location-Data", + [129] = 
"Basic-Location-Policy-Rules", + [130] = "Extended-Location-Policy-Rules", + [131] = "Location-Capable", + [132] = "Requested-Location-Info", + [133] = "Framed-Management-Protocol", + [134] = "Management-Transport-Protection", + [135] = "Management-Policy-Id", + [136] = "Management-Privilege-Level", + [137] = "PKM-SS-Cert", + [138] = "PKM-CA-Cert", + [139] = "PKM-Config-Settings", + [140] = "PKM-Cryptosuite-List", + [141] = "PKM-SAID", + [142] = "PKM-SA-Descriptor", + [143] = "PKM-Auth-Key", + [144] = "DS-Lite-Tunnel-Name", + [145] = "Mobile-Node-Identifier", + [146] = "Service-Selection", + [147] = "PMIP6-Home-LMA-IPv6-Address", + [148] = "PMIP6-Visited-LMA-IPv6-Address", + [149] = "PMIP6-Home-LMA-IPv4-Address", + [150] = "PMIP6-Visited-LMA-IPv4-Address", + [151] = "PMIP6-Home-HN-Prefix", + [152] = "PMIP6-Visited-HN-Prefix", + [153] = "PMIP6-Home-Interface-ID", + [154] = "PMIP6-Visited-Interface-ID", + [155] = "PMIP6-Home-IPv4-HoA", + [156] = "PMIP6-Visited-IPv4-HoA", + [157] = "PMIP6-Home-DHCP4-Server-Address", + [158] = "PMIP6-Visited-DHCP4-Server-Address", + [159] = "PMIP6-Home-DHCP6-Server-Address", + [160] = "PMIP6-Visited-DHCP6-Server-Address", + [161] = "PMIP6-Home-IPv4-Gateway", + [162] = "PMIP6-Visited-IPv4-Gateway", + [163] = "EAP-Lower-Layer", + [164] = "GSS-Acceptor-Service-Name", + [165] = "GSS-Acceptor-Host-Name", + [166] = "GSS-Acceptor-Service-Specifics", + [167] = "GSS-Acceptor-Realm-Name", + [168] = "Framed-IPv6-Address", + [169] = "DNS-Server-IPv6-Address", + [170] = "Route-IPv6-Information", + [171] = "Delegated-IPv6-Prefix-Pool", + [172] = "Stateful-IPv6-Address-Pool", + [173] = "IPv6-6rd-Configuration" +} &default=function(i: count): string { return fmt("unknown-%d", i); }; + +const nas_port_types: table[count] of string = { + [0] = "Async", + [1] = "Sync", + [2] = "ISDN Sync", + [3] = "ISDN Async V.120", + [4] = "ISDN Async V.110", + [5] = "Virtual", + [6] = "PIAFS", + [7] = "HDLC Clear Channel", + [8] = "X.25", + [9] = "X.75", + [10] = "G.3 
Fax", + [11] = "SDSL - Symmetric DSL", + [12] = "ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation", + [13] = "ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone", + [14] = "IDSL - ISDN Digital Subscriber Line", + [15] = "Ethernet", + [16] = "xDSL - Digital Subscriber Line of unknown type", + [17] = "Cable", + [18] = "Wireless - Other", + [19] = "Wireless - IEEE 802.11" +} &default=function(i: count): string { return fmt("unknown-%d", i); }; + +const service_types: table[count] of string = { + [1] = "Login", + [2] = "Framed", + [3] = "Callback Login", + [4] = "Callback Framed", + [5] = "Outbound", + [6] = "Administrative", + [7] = "NAS Prompt", + [8] = "Authenticate Only", + [9] = "Callback NAS Prompt", + [10] = "Call Check", + [11] = "Callback Administrative", +} &default=function(i: count): string { return fmt("unknown-%d", i); }; + +const framed_protocol_types: table[count] of string = { + [1] = "PPP", + [2] = "SLIP", + [3] = "AppleTalk Remote Access Protocol (ARAP)", + [4] = "Gandalf proprietary SingleLink/MultiLink protocol", + [5] = "Xylogics proprietary IPX/SLIP", + [6] = "X.75 Synchronous" +} &default=function(i: count): string { return fmt("unknown-%d", i); }; + +const vendor_9_types: table[count] of string = { + [1] = "Cisco-AVPair", + [2] = "Cisco-NAS-Port", + [3] = "Cisco-Fax-Account-Id-Origin", + [4] = "Cisco-Fax-Msg-Id", + [5] = "Cisco-Fax-Pages", + [6] = "Cisco-Fax-Coverpage-Flag", + [7] = "Cisco-Fax-Modem-Time", + [8] = "Cisco-Fax-Connect-Speed", + [9] = "Cisco-Fax-Recipient-Count", + [10] = "Cisco-Fax-Process-Abort-Flag", + [11] = "Cisco-Fax-Dsn-Address", + [12] = "Cisco-Fax-Dsn-Flag", + [13] = "Cisco-Fax-Mdn-Address", + [14] = "Cisco-Fax-Mdn-Flag", + [15] = "Cisco-Fax-Auth-Status", + [16] = "Cisco-Email-Server-Address", + [17] = "Cisco-Email-Server-Ack-Flag", + [18] = "Cisco-Gateway-Id", + [19] = "Cisco-Call-Type", + [20] = "Cisco-Port-Used", + [21] = "Cisco-Abort-Cause", + [23] = "Cisco-h323-remote-address", + [24] = 
"Cisco-h323-conf-id", + [25] = "Cisco-h323-setup-time", + [26] = "Cisco-h323-call-origin", + [27] = "Cisco-h323-call-type", + [28] = "Cisco-h323-connect-time", + [29] = "Cisco-h323-disconnect-time", + [30] = "Cisco-h323-disconnect-cause", + [31] = "Cisco-h323-voice-quality", + [33] = "Cisco-h323-gw-id", + [35] = "Cisco-h323-incoming-conn-id", + [37] = "Cisco-Policy-Up", + [38] = "Cisco-Policy-Down", + [100] = "Cisco-sip-conf-id", + [101] = "Cisco-h323-credit-amount", + [102] = "Cisco-h323-credit-time", + [103] = "Cisco-h323-return-code", + [104] = "Cisco-h323-prompt-id", + [105] = "Cisco-h323-day-and-time", + [106] = "Cisco-h323-redirect-number", + [107] = "Cisco-h323-preferred-lang", + [108] = "Cisco-h323-redirect-ip-addr", + [109] = "Cisco-h323-billing-model", + [110] = "Cisco-h323-currency", + [111] = "Cisco-subscriber", + [112] = "Cisco-gw-rxd-cdn", + [113] = "Cisco-gw-final-xlated-cdn", + [114] = "Cisco-remote-media-address", + [115] = "Cisco-release-source", + [116] = "Cisco-gw-rxd-cgn", + [117] = "Cisco-gw-final-xlated-cgn", + [141] = "Cisco-call-id", + [142] = "Cisco-session-protocol", + [143] = "Cisco-method", + [144] = "Cisco-prev-hop-via", + [145] = "Cisco-prev-hop-ip", + [146] = "Cisco-incoming-req-uri", + [147] = "Cisco-outgoing-req-uri", + [148] = "Cisco-next-hop-ip", + [149] = "Cisco-next-hop-dn", + [150] = "Cisco-sip-hdr", + [187] = "Cisco-Multilink-ID", + [188] = "Cisco-Num-In-Multilink", + [190] = "Cisco-Pre-Input-Octets", + [191] = "Cisco-Pre-Output-Octets", + [192] = "Cisco-Pre-Input-Packets", + [193] = "Cisco-Pre-Output-Packets", + [194] = "Cisco-Maximum-Time", + [195] = "Cisco-Disconnect-Cause", + [197] = "Cisco-Data-Rate", + [198] = "Cisco-PreSession-Time", + [208] = "Cisco-PW-Lifetime", + [209] = "Cisco-IP-Direct", + [210] = "Cisco-PPP-VJ-Slot-Comp", + [212] = "Cisco-PPP-Async-Map", + [217] = "Cisco-IP-Pool-Definition", + [218] = "Cisco-Assign-IP-Pool", + [228] = "Cisco-Route-IP", + [233] = "Cisco-Link-Compression", + [234] = 
"Cisco-Target-Util", + [235] = "Cisco-Maximum-Channels", + [242] = "Cisco-Data-Filter", + [243] = "Cisco-Call-Filter", + [244] = "Cisco-Idle-Limit", + [249] = "Cisco-Subscriber-Password", + [250] = "Cisco-Account-Info", + [251] = "Cisco-Service-Info", + [252] = "Cisco-Command-Code", + [253] = "Cisco-Xmit-Rate" +} &default=function(i: count): string { return fmt("Cisco-unknown-%d", i); }; + +const vendor_255_types: table[count] of string = { + [1] = "CVPN5000-Tunnel-Throughput", + [2] = "CVPN5000-Client-Assigned-IP", + [3] = "CVPN5000-Client-Real-IP", + [4] = "CVPN5000-VPN-GroupInfo", + [5] = "CVPN5000-VPN-Password", + [6] = "CVPN5000-Echo", + [7] = "CVPN5000-Client-Assigned-IPX" +} &default=function(i: count): string { return fmt("CVPN5000-unknown-%d", i); }; + +const vendor_311_types: table[count] of string = { + [1] = "MS-CHAP-Response", + [2] = "MS-CHAP-Error", + [3] = "MS-CHAP-CPW-1", + [4] = "MS-CHAP-CPW-2", + [5] = "MS-CHAP-LM-Enc-PW", + [6] = "MS-CHAP-NT-Enc-PW", + [7] = "MS-MPPE-Encryption-Policy", + [8] = "MS-MPPE-Encryption-Types", + [9] = "MS-RAS-Vendor", + [10] = "MS-CHAP-Domain", + [11] = "MS-CHAP-Challenge", + [12] = "MS-CHAP-MPPE-Keys", + [13] = "MS-BAP-Usage", + [14] = "MS-Link-Utilization-Threshold", + [15] = "MS-Link-Drop-Time-Limit", + [16] = "MS-MPPE-Send-Key", + [17] = "MS-MPPE-Recv-Key", + [18] = "MS-RAS-Version", + [19] = "MS-Old-ARAP-Password", + [20] = "MS-New-ARAP-Password", + [21] = "MS-ARAP-PW-Change-Reason", + [22] = "MS-Filter", + [23] = "MS-Acct-Auth-Type", + [24] = "MS-Acct-EAP-Type", + [25] = "MS-CHAP2-Response", + [26] = "MS-CHAP2-Success", + [27] = "MS-CHAP2-CPW", + [28] = "MS-Primary-DNS-Server", + [29] = "MS-Secondary-DNS-Server", + [30] = "MS-Primary-NBNS-Server", + [31] = "MS-Secondary-NBNS-Server", + [34] = "MS-RAS-Client-Name", + [35] = "MS-RAS-Client-Version", + [36] = "MS-Quarantine-IPFilter", + [37] = "MS-Quarantine-Session-Timeout", + [40] = "MS-User-Security-Identity", + [41] = "MS-Identity-Type", + [42] = 
"MS-Service-Class", + [44] = "MS-Quarantine-User-Class", + [45] = "MS-Quarantine-State", + [46] = "MS-Quarantine-Grace-Time", + [47] = "MS-Network-Access-Server-Type", + [48] = "MS-AFW-Zone", + [49] = "MS-AFW-Protection-Level", + [50] = "MS-Machine-Name", + [51] = "MS-IPv6-Filter", + [52] = "MS-IPv4-Remediation-Servers", + [53] = "MS-IPv6-Remediation-Servers", + [54] = "MS-RNAP-Not-Quarantine-Capable", + [55] = "MS-Quarantine-SOH", + [56] = "MS-RAS-Correlation", + [57] = "MS-Extended-Quarantine-State", + [58] = "MS-HCAP-User-Groups", + [59] = "MS-HCAP-Location-Group-Name", + [60] = "MS-HCAP-User-Name", + [61] = "MS-User-IPv4-Address", + [62] = "MS-User-IPv6-Address", + [63] = "MS-TSG-Device-Redirection" +} &default=function(i: count): string { return fmt("MS-unknown-%d", i); }; + +const vendor_3076_types: table[count] of string = { + [1] = "CVPN3000-Access-Hours", + [2] = "CVPN3000-Simultaneous-Logins", + [3] = "CVPN3000-Min-Password-Length", + [4] = "CVPN3000-Allow-Alpha-Only-Passwords", + [5] = "CVPN3000-Primary-DNS", + [6] = "CVPN3000-Secondary-DNS", + [7] = "CVPN3000-Primary-WINS", + [8] = "CVPN3000-Secondary-WINS", + [9] = "CVPN3000-SEP-Card-Assignment", + [10] = "CVPN3000-Priority-On-SEP", + [11] = "CVPN3000-Tunneling-Protocols", + [12] = "CVPN3000-IPSec-Sec-Association", + [13] = "CVPN3000-IPSec-Authentication", + [15] = "CVPN3000-IPSec-Banner1", + [16] = "CVPN3000-IPSec-Allow-Passwd-Store", + [17] = "CVPN3000-Use-Client-Address", + [18] = "CVPN3000-PPTP-Min-Auth-Protocol", + [19] = "CVPN3000-L2TP-Min-Auth-Protocol", + [20] = "CVPN3000-PPTP-Encryption", + [21] = "CVPN3000-L2TP-Encryption", + [22] = "CVPN3000-Auth-Server-Type", + [23] = "CVPN3000-Auth-Server-Password", + [24] = "CVPN3000-Request-Auth-Vector", + [25] = "CVPN3000-IPSec-LTL-Keepalives", + [26] = "CVPN3000-IPSec-Group-Name", + [27] = "CVPN3000-IPSec-Split-Tunnel-List", + [28] = "CVPN3000-IPSec-Default-Domain", + [29] = "CVPN3000-IPSec-Split-DNS-Names", + [30] = "CVPN3000-IPSec-Tunnel-Type", + 
[31] = "CVPN3000-IPSec-Mode-Config", + [32] = "CVPN3000-Auth-Server-Priority", + [33] = "CVPN3000-IPSec-User-Group-Lock", + [34] = "CVPN3000-IPSec-Over-UDP", + [35] = "CVPN3000-IPSec-Over-UDP-Port", + [36] = "CVPN3000-IPSec-Banner2", + [37] = "CVPN3000-PPTP-MPPC-Compression", + [38] = "CVPN3000-L2TP-MPPC-Compression", + [39] = "CVPN3000-IPSec-IP-Compression", + [40] = "CVPN3000-IPSec-IKE-Peer-ID-Check", + [41] = "CVPN3000-IKE-Keep-Alives", + [42] = "CVPN3000-IPSec-Auth-On-Rekey", + [45] = "CVPN3000-Reqrd-Client-Fw-Vendor-Code", + [46] = "CVPN3000-Reqrd-Client-Fw-Product-Code", + [47] = "CVPN3000-Reqrd-Client-Fw-Description", + [48] = "CVPN3000-Require-HW-Client-Auth", + [49] = "CVPN3000-Require-Individual-User-Auth", + [50] = "CVPN3000-Authd-User-Idle-Timeout", + [51] = "CVPN3000-Cisco-IP-Phone-Bypass", + [52] = "CVPN3000-User-Auth-Server-Name", + [53] = "CVPN3000-User-Auth-Server-Port", + [54] = "CVPN3000-User-Auth-Server-Secret", + [55] = "CVPN3000-IPSec-Split-Tunneling-Policy", + [56] = "CVPN3000-IPSec-Reqrd-Client-Fw-Cap", + [57] = "CVPN3000-IPSec-Client-Fw-Filter-Name", + [58] = "CVPN3000-IPSec-Client-Fw-Filter-Opt", + [59] = "CVPN3000-IPSec-Backup-Servers", + [60] = "CVPN3000-IPSec-Backup-Server-List", + [61] = "CVPN3000-DHCP-Network-Scope", + [62] = "CVPN3000-MS-Client-Icpt-DHCP-Conf-Msg", + [63] = "CVPN3000-MS-Client-Subnet-Mask", + [64] = "CVPN3000-Allow-Network-Extension-Mode", + [65] = "CVPN3000-IPSec-Authorization-Type", + [66] = "CVPN3000-IPSec-Authorization-Required", + [67] = "CVPN3000-IPSec-DN-Field", + [68] = "CVPN3000-IPSec-Confidence-Level", + [69] = "CVPN3000-WebVPN-Content-Filter", + [70] = "CVPN3000-WebVPN-Enable-functions", + [74] = "CVPN3000-WebVPN-Exchange-Addr", + [75] = "CVPN3000-LEAP-Bypass", + [78] = "CVPN3000-WebVPN-Exchange-NETBIOS-name", + [79] = "CVPN3000-Port-Forwarding-Name", + [80] = "CVPN3000-IE-Proxy-Server", + [81] = "CVPN3000-IE-Proxy-Server-Policy", + [82] = "CVPN3000-IE-Proxy-Exception-List", + [83] = 
"CVPN3000-IE-Proxy-Bypass-Local", + [84] = "CVPN3000-IKE-Keepalive-Retry-Interval", + [88] = "CVPN3000-Perfect-Forward-Secrecy-Enable", + [89] = "CVPN3000-NAC-Enable", + [90] = "CVPN3000-NAC-Status-Query-Timer", + [91] = "CVPN3000-NAC-Revalidation-Timer", + [92] = "CVPN3000-NAC-Default-ACL", + [93] = "CVPN3000-WebVPN-URL-Entry-Enable", + [94] = "CVPN3000-WebVPN-File-Access-Enable", + [95] = "CVPN3000-WebVPN-File-Svr-Entry-Enable", + [96] = "CVPN3000-WebVPN-File-Svr-Brwsing-Enable", + [97] = "CVPN3000-WebVPN-Port-Forwarding-Enable", + [98] = "CVPN3000-WebVPN-Outlook-Exch-Proxy-Enb", + [99] = "CVPN3000-WebVPN-Port-Fwding-HTTP-Proxy", + [100] = "CVPN3000-WebVPN-Auto-Applet-Downld-Enb", + [101] = "CVPN3000-WebVPN-Citrix-Metaframe-Enable", + [102] = "CVPN3000-WebVPN-Apply-ACL", + [103] = "CVPN3000-WebVPN-SSL-VPN-Client-Enable", + [104] = "CVPN3000-WebVPN-SSL-VPN-Client-Required", + [105] = "CVPN3000-WebVPN-SSL-VPN-Client-Keep-Ins", + [128] = "CVPN3000-Partition-Primary-DHCP", + [129] = "CVPN3000-Partition-Secondary-DHCP", + [131] = "CVPN3000-Partition-Premise-Router", + [132] = "CVPN3000-Partition-Max-Sessions", + [133] = "CVPN3000-Partition-Mobile-IP-Key", + [134] = "CVPN3000-Partition-Mobile-IP-Address", + [135] = "CVPN3000-Partition-Mobile-IP-SPI", + [136] = "CVPN3000-Strip-Realm", + [137] = "CVPN3000-Group-Name" +} &default=function(i: count): string { return fmt("CPNV3000-unknown-%d", i); }; + +const vendor_14823_types: table[count] of string = { + [1] = "Aruba-User-Role", + [2] = "Aruba-User-Vlan", + [3] = "Aruba-Priv-Admin-User", + [4] = "Aruba-Admin-Role", + [5] = "Aruba-Essid-Name", + [6] = "Aruba-Location-Id", + [7] = "Aruba-Port-Identifier", + [8] = "Aruba-MMS-User-Template", + [9] = "Aruba-Named-User-Vlan", + [10] = "Aruba-AP-Group", + [11] = "Aruba-Framed-IPv6-Address", + [12] = "Aruba-Device-Type", + [13] = "Aruba-AP-Name", + [14] = "Aruba-No-DHCP-Fingerprint", + [15] = "Aruba-Mdps-Device-Udid", + [16] = "Aruba-Mdps-Device-Imei", + [17] = 
"Aruba-Mdps-Device-Iccid",
+ [18] = "Aruba-Mdps-Max-Devices",
+ [19] = "Aruba-Mdps-Device-Name",
+ [20] = "Aruba-Mdps-Device-Product",
+ [21] = "Aruba-Mdps-Device-Version",
+ [22] = "Aruba-Mdps-Device-Serial",
+ [23] = "Aruba-CPPM-Role",
+ [24] = "Aruba-AirGroup-User-Name",
+ [25] = "Aruba-AirGroup-Shared-User",
+ [26] = "Aruba-AirGroup-Shared-Role",
+ [27] = "Aruba-AirGroup-Device-Type",
+ [28] = "Aruba-Auth-Survivability",
+ [29] = "Aruba-AS-User-Name",
+ [30] = "Aruba-AS-Credential-Hash",
+ [31] = "Aruba-WorkSpace-App-Name",
+ [32] = "Aruba-Mdps-Provisioning-Settings",
+ [33] = "Aruba-Mdps-Device-Profile"
+} &default=function(i: count): string { return fmt("Aruba-unknown-%d", i); };
+
diff --git a/scripts/base/protocols/radius/dpd.sig b/scripts/base/protocols/radius/dpd.sig
new file mode 100644
index 0000000000..d32ba49771
--- /dev/null
+++ b/scripts/base/protocols/radius/dpd.sig
@@ -0,0 +1,7 @@
+# Generated by binpac_quickstart
+
+signature dpd_radius {
+ ip-proto == udp
+ # TODO: payload /^RADIUS/
+ enable "radius"
+}
\ No newline at end of file
diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro
new file mode 100644
index 0000000000..0d239dcb64
--- /dev/null
+++ b/scripts/base/protocols/radius/main.bro
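Review bot: Two entries in consts.bro break the naming pattern the rest of the tables follow: `[80] = "Message Authenticator"` in `attr_types` is the only name with a space instead of a hyphen (RFC 3579 spells it Message-Authenticator, and a script switching on the string would need the exact form), and the `vendor_3076_types` default returns `fmt("CPNV3000-unknown-%d", i)` while every entry in that table is prefixed `CVPN3000-`. The one-line fixes are `[80] = "Message-Authenticator",` and `fmt("CVPN3000-unknown-%d", i)`. Trailing commas on the last entry are also used inconsistently across tables (`msg_types` and `service_types` have one, the others do not); picking one style would make future additions cleaner diffs.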
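Review bot: `signature dpd_radius` has `ip-proto == udp` as its only condition, with the payload match left as a `# TODO`, so if the `#@load-sigs ./dpd.sig` line in `__load__.bro` is ever uncommented the RADIUS analyzer would be attached to every UDP flow Bro sees. Shipping a signature that must stay disabled is a footgun; either give it a real payload condition before it lands or leave the file out until there is one, and replace the TODO with a comment saying why it is not loaded, e.g. `# Not loaded from __load__.bro: no reliable payload pattern yet, so this would match all UDP.` With the signature off, detection currently rests entirely on the port registration in main.bro.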
@@ -0,0 +1,142 @@
+##! Implements base functionality for RADIUS analysis. Generates the radius.log file.
+
+# Generated by binpac_quickstart
+
+module RADIUS;
+
+@load ./consts.bro
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ## Timestamp for when the event happened.
+ ts: time &log;
+ ## Unique ID for the connection.
+ uid: string &log;
+ ## The connection's 4-tuple of endpoint addresses/ports.
+ id: conn_id &log;
+ msg_type: string &log;
+ };
+
+ ## Event that can be handled to access the RADIUS record as it is sent on
+ ## to the loggin framework.
+ global log_radius: event(rec: Info);
+}
+
+const ports = { 1812/udp };
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius]);
+ Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
+ }
+
+event radius_message(c: connection, msg_type: count, trans_id: count)
+ {
+ local info: Info;
+ info$ts = network_time();
+ info$uid = c$uid;
+ info$id = c$id;
+ info$msg_type = msg_types[msg_type];
+
+ Log::write(RADIUS::LOG, info);
+ }
+
+event radius_attribute(c: connection, attr_type: count, trans_id: count, value: string)
+ {
+ switch ( attr_types[attr_type] ) {
+# case "Calling-Station-Id":
+# tmp = normalize_mac(value);
+# if ( tmp != "" )
+# print cat(attr_types[attr_type], " ", tmp);
+# else
+# print cat(attr_types[attr_type], " ", value);
+# break;
+# case "Called-Station-Id":
+# fallthrough;
+
+ ## Strings:
+ case "Reply-Message":
+ fallthrough;
+ case "User-Name":
+ print cat(attr_types[attr_type], ": ", value);
+ break;
+
+ ## IPs:
+
+ case "Framed-IP-Address":
+ fallthrough;
+ case "Framed-IP-Netmask":
+ fallthrough;
+ case "NAS-IP-Address":
+ print cat(attr_types[attr_type], ": ", count_to_v4_addr(bytestring_to_count(value)));
+ break;
+
+ ## Counts:
+
+ case "Framed-MTU":
+ fallthrough;
+ case "NAS-Port":
+ fallthrough;
+ case "Session-Timeout":
+ print cat(attr_types[attr_type], ": ", bytestring_to_count(value));
+ break;
+
+ ## 
Other:
+
+ case "NAS-Port-Type":
+ print cat(attr_types[attr_type], ": ", nas_port_types[bytestring_to_count(value)]);
+ break;
+ case "Service-Type":
+ print cat(attr_types[attr_type], ": ", service_types[bytestring_to_count(value)]);
+ break;
+ case "Framed-Protocol":
+ print cat(attr_types[attr_type], ": ", framed_protocol_types[bytestring_to_count(value)]);
+ break;
+ case "Vendor-Specific":
+ switch(bytestring_to_count(sub_bytes(value, 0, 4))) {
+ case 9:
+ # Cisco IOS/PIX 6.0
+ print cat(vendor_9_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+ break;
+ case 255:
+ # Cisco VPN 5000
+ print cat(vendor_255_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+ break;
+ case 311:
+ # Microsoft
+ print cat(vendor_311_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+ break;
+ case 3076:
+ # Cisco VPN 3000
+ print cat(vendor_3076_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+ break;
+ case 14823:
+ # Aruba
+ print cat(vendor_14823_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+ break;
+ default:
+ print cat("Unknown vendor: ", bytestring_to_count(sub_bytes(value, 0, 4)));
+ break;
+ }
+ break;
+ default:
+ print cat(attr_types[attr_type], ": ", value);
+ break;
+ }
+ }
+
+# Called-Station-Id:
+# Calling-Station-Id:
+# Class:
+# NAS-Identifier:
+# State:
+# Vendor-Specific:
+# unknown-185:
+# unknown-66:
+# unknown-77:
+# unknown-79:
+# unknown-80:
+# unknown-87:
+# unknown-95:
\ No newline at end of file
diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro
index e2031e3efa..54ef62695a 100644
--- a/scripts/base/utils/addrs.bro
+++ b/scripts/base/utils/addrs.bro
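Review bot: The `radius_attribute` handler writes every decoded attribute to stdout with `print` rather than into the log stream, and its `default:` arm dumps the raw bytes of any attribute without a case — that includes `User-Password`, `CHAP-Password`, `Tunnel-Password` and `State` from `attr_types`, and the vendor arms print the data of `MS-MPPE-Send-Key`, `Cisco-Subscriber-Password` and the `CVPN3000-*-Secret` attributes the same way; a base script should not emit credential-bearing attributes at all, and the `print` calls read as debugging left in. In the `Vendor-Specific` arm the vendor id is taken with `sub_bytes(value, 0, 4)` but the vendor type and data with `sub_bytes(value, 5, 1)` and `sub_bytes(value, 7, 128)`, so whichever index base `sub_bytes` uses, one of the two is off by one; the data length is also fixed at 128 instead of being read from the vendor-length octet, so a short or multi-sub-attribute VSA decodes wrongly, and a `|value|` check before slicing would be cheap. `const ports = { 1812/udp };` covers authentication only, although `msg_types` names Accounting-Request/Response, which are carried on 1813/udp; `const ports = { 1812/udp, 1813/udp } &redef;` would close that gap and let sites add legacy ports. The `Info` doc comment reads "loggin framework" for "logging framework".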
@@ -1,4 +1,4 @@
-##! Functions for parsing and manipulating IP addresses.
+##! Functions for parsing and manipulating IP and MAC addresses.
 
 # Regular expressions for matching IP addresses in strings.
 const ipv4_addr_regex = /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/;
@@ -119,3 +119,27 @@ function addr_to_uri(a: addr): string
 else
 return fmt("[%s]", a);
 }
+
+## Given a string, extracts the hex digits and returns a MAC address in the
+## format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex digits,
+## an empty string is returned.
+##
+## a: the string to normalize
+##
+## Returns: a normalized MAC address, or an empty string in the case of an error.
+function normalize_mac(a: string): string
+ {
+ local result = to_lower(gsub(a, /[^A-Fa-f0-9]/, ""));
+ local octets: string_vec;
+ if ( |result| == 12 )
+ {
+ octets = str_split(result, vector(2, 4, 6, 8, 10));
+ return fmt("%s:%s:%s:%s:%s:%s", octets[1], octets[2], octets[3], octets[4], octets[5], octets[6]);
+ }
+ if ( |result| == 16 )
+ {
+ octets = str_split(result, vector(2, 4, 6, 8, 10, 12, 14));
+ return fmt("%s:%s:%s:%s:%s:%s:%s:%s", octets[1], octets[2], octets[3], octets[4], octets[5], octets[6], octets[7], octets[8]);
+ }
+ return "";
+ }
\ No newline at end of file
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index fc63aa4b66..a7bb43a470 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -19,14 +19,15 @@ add_subdirectory(ident)
 add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(login)
-add_subdirectory(modbus)
 add_subdirectory(mime)
+add_subdirectory(modbus)
 add_subdirectory(ncp)
-add_subdirectory(netflow)
 add_subdirectory(netbios)
+add_subdirectory(netflow)
 add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
+add_subdirectory(radius)
 add_subdirectory(rpc)
 add_subdirectory(smb)
 add_subdirectory(smtp)
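Review bot: The doc comment on `normalize_mac` only describes the six-group form, but the `|result| == 16` branch returns an eight-group string; a line such as `## A 16-digit input is returned in the eight-group EUI-64 form.` after the format sentence would stop callers from assuming the result always has six groups. Both branches index `octets[1]` through `octets[6]`/`octets[8]`, which presumes `str_split` yields a 1-based vector — if that is the case here it deserves a comment on the `local octets: string_vec;` line, since a 0-based result would make `octets[6]` an out-of-range read. The two branches differ only in the split points and the format string and could be collapsed into one, but that is a matter of taste.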
diff --git a/src/analyzer/protocol/radius/CMakeLists.txt b/src/analyzer/protocol/radius/CMakeLists.txt
new file mode 100644
index 0000000000..2d1cd0e024
--- /dev/null
+++ b/src/analyzer/protocol/radius/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Generated by binpac_quickstart
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro RADIUS)
+ bro_plugin_cc(RADIUS.cc Plugin.cc)
+ bro_plugin_bif(events.bif)
+ bro_plugin_pac(radius.pac radius-analyzer.pac radius-protocol.pac)
+bro_plugin_end()
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/Plugin.cc b/src/analyzer/protocol/radius/Plugin.cc
new file mode 100644
index 0000000000..22780c13c5
--- /dev/null
+++ b/src/analyzer/protocol/radius/Plugin.cc
@@ -0,0 +1,11 @@
+// Generated by binpac_quickstart
+
+#include "plugin/Plugin.h"
+
+#include "RADIUS.h"
+
+BRO_PLUGIN_BEGIN(Bro, RADIUS)
+ BRO_PLUGIN_DESCRIPTION("RADIUS analyzer");
+ BRO_PLUGIN_ANALYZER("RADIUS", RADIUS::RADIUS_Analyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/RADIUS.cc b/src/analyzer/protocol/radius/RADIUS.cc
new file mode 100644
index 0000000000..e88bd40083
--- /dev/null
+++ b/src/analyzer/protocol/radius/RADIUS.cc
@@ -0,0 +1,45 @@
+// Generated by binpac_quickstart
+
+#include "RADIUS.h"
+
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::RADIUS;
+
+RADIUS_Analyzer::RADIUS_Analyzer(Connection* c)
+
+: analyzer::Analyzer("RADIUS", c)
+
+ {
+ interp = new binpac::RADIUS::RADIUS_Conn(this);
+
+ }
+
+RADIUS_Analyzer::~RADIUS_Analyzer()
+ {
+ delete interp;
+ }
+
+void RADIUS_Analyzer::Done()
+ {
+
+ Analyzer::Done();
+
+ }
+
+void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
+ bool orig, int seq, const IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
diff --git a/src/analyzer/protocol/radius/RADIUS.h b/src/analyzer/protocol/radius/RADIUS.h
new file mode 100644
index 0000000000..85f8f197a6
--- /dev/null
+++ b/src/analyzer/protocol/radius/RADIUS.h
@@ -0,0 +1,45 @@
+// Generated by binpac_quickstart
+
+#ifndef ANALYZER_PROTOCOL_RADIUS_RADIUS_H
+#define ANALYZER_PROTOCOL_RADIUS_RADIUS_H
+
+#include "events.bif.h"
+
+
+#include "analyzer/protocol/udp/UDP.h"
+
+#include "radius_pac.h"
+
+namespace analyzer { namespace RADIUS {
+
+class RADIUS_Analyzer
+
+: public analyzer::Analyzer {
+
+public:
+ RADIUS_Analyzer(Connection* conn);
+ virtual ~RADIUS_Analyzer();
+
+ // Overriden from Analyzer.
+ virtual void Done();
+
+ virtual void DeliverPacket(int len, const u_char* data, bool orig,
+ int seq, const IP_Hdr* ip, int caplen);
+
+
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+ { return new RADIUS_Analyzer(conn); }
+
+ static bool Available()
+ {
+ return ( radius_message );
+ }
+
+protected:
+ binpac::RADIUS::RADIUS_Conn* interp;
+
+};
+
+} } // namespace analyzer::*
+
+#endif
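Review bot: `DeliverPacket` reports `ProtocolViolation` when binpac throws, but nothing in this analyzer ever calls `ProtocolConfirmation()`, so a cleanly parsed PDU never marks the connection as RADIUS — the service column in conn.log stays empty and DPD would have no reason to keep the analyzer if dpd.sig were enabled. The natural place is `proc_radius_message` in radius-analyzer.pac, right after the event is generated: `connection()->bro_analyzer()->ProtocolConfirmation();`. `interp->NewData(orig, data, data + len)` uses `len` rather than `caplen`; if a truncated capture can reach this point with `caplen < len`, the parser reads past the captured bytes, so it is worth confirming that the UDP analyzer already guards that or clamping to `caplen` here. The stray blank lines inside the constructor's initializer and the empty-bodied `Done()` override are generator scaffolding that could be tidied before merge.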
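Review bot: `Available()` returns `( radius_message )` only, so a script that handles just `radius_attribute` — which this plugin also raises — gets no analyzer instantiated at all; the check should cover both events: `return ( radius_message || radius_attribute );`. The comment `// Overriden from Analyzer.` is misspelled (`Overridden`), and the double blank lines between the includes and before `InstantiateAnalyzer` are generator noise.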
diff --git a/src/analyzer/protocol/radius/events.bif b/src/analyzer/protocol/radius/events.bif
new file mode 100644
index 0000000000..4ef93a8ca7
--- /dev/null
+++ b/src/analyzer/protocol/radius/events.bif
@@ -0,0 +1,23 @@
+# Generated by binpac_quickstart
+
+## Generated for RADIUS messages
+##
+## See `Wikipedia `__ for more information about RADIUS
+##
+## c: The connection
+## msg_type: The value of the code field (1 == Access-Request, 2 == Access-Accept, etc.)
+## trans_id: The RADIUS transaction identifier
+## authenticator: The value of the authenticator field
+##
+event radius_message%(c: connection, msg_type: count, trans_id: count%);
+
+## Generated for each RADIUS attribute
+##
+## See `Wikipedia `__ for more information about RADIUS
+##
+## c: The connection
+## attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.)
+## trans_id: The RADIUS transaction identifier
+## authenticator: The value of the authenticator field
+##
+event radius_attribute%(c: connection, attr_type: count, trans_id: count, value: string%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/radius-analyzer.pac b/src/analyzer/protocol/radius/radius-analyzer.pac
new file mode 100644
index 0000000000..9739970880
--- /dev/null
+++ b/src/analyzer/protocol/radius/radius-analyzer.pac
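Review bot: Both event docs describe an `authenticator` parameter that neither signature has — `radius_message%(c, msg_type, trans_id%)` and `radius_attribute%(c, attr_type, trans_id, value%)` carry no such argument — while `value`, which `radius_attribute` does take, is undocumented. Either drop the two `## authenticator:` lines or actually pass the 16-byte field the parser already extracts; in any case add `## value: The raw bytes of the attribute value, not decoded` to `radius_attribute`. The link text `` `Wikipedia `__ `` has no URL, so the generated documentation will render a broken reference; either fill in the target or reference RFC 2865 by number.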
@@ -0,0 +1,23 @@
+# Generated by binpac_quickstart
+
+refine flow RADIUS_Flow += {
+ function proc_radius_message(code: uint8, trans_id: uint8): bool
+ %{
+ BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), code, trans_id);
+ return true;
+ %}
+
+ function proc_radius_attribute(code: uint8, trans_id: uint8, value: bytestring): bool
+ %{
+ BifEvent::generate_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), code, trans_id, bytestring_to_val(value));
+ return true;
+ %}
+};
+
+refine typeattr RADIUS_PDU += &let {
+ proc: bool = $context.flow.proc_radius_message(code, trans_id);
+};
+
+refine typeattr RADIUS_Attribute += &let {
+ proc: bool = $context.flow.proc_radius_attribute(code, trans_id, value);
+};
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/radius-protocol.pac b/src/analyzer/protocol/radius/radius-protocol.pac
new file mode 100644
index 0000000000..27d96bb3f6
--- /dev/null
+++ b/src/analyzer/protocol/radius/radius-protocol.pac
@@ -0,0 +1,15 @@
+# Generated by binpac_quickstart
+
+type RADIUS_PDU(is_orig: bool) = record {
+ code: uint8;
+ trans_id: uint8;
+ length: uint16;
+ authenticator: bytestring &length=16;
+ attributes: RADIUS_Attribute(trans_id)[] &until($input.length() == 0);
+} &byteorder=bigendian;
+
+type RADIUS_Attribute(trans_id: uint8) = record {
+ code: uint8;
+ length: uint8;
+ value: bytestring &length=length-2;
+};
\ No newline at end of file
diff --git a/src/analyzer/protocol/radius/radius.pac b/src/analyzer/protocol/radius/radius.pac
new file mode 100644
index 0000000000..a4c3e7dd5c
--- /dev/null
+++ b/src/analyzer/protocol/radius/radius.pac
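Review bot: `value: bytestring &length=length-2` in `RADIUS_Attribute` has no guard for an attribute `length` below 2, which RFC 2865 forbids; with `length` a uint8 the expression goes negative, and how the generated parser treats a negative `&length` is not visible here, so a malformed attribute on the wire is worth rejecting explicitly — binpac's `&check(length >= 2)` if this binpac version enforces it, otherwise a guard in the analyzer before the field is sliced. The PDU's `length` field is parsed but never used to bound `attributes`, which runs `&until($input.length() == 0)` over the whole datagram, so any bytes after `length` are parsed as further attributes rather than flagged. `authenticator` is extracted but not handed to either event, even though events.bif documents it as a parameter.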
@@ -0,0 +1,37 @@
+# Generated by binpac_quickstart
+
+# Analyzer for RADIUS
+# - radius-protocol.pac: describes the RADIUS protocol messages
+# - radius-analyzer.pac: describes the RADIUS analyzer code
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+ #include "events.bif.h"
+%}
+
+analyzer RADIUS withcontext {
+ connection: RADIUS_Conn;
+ flow: RADIUS_Flow;
+};
+
+# Our connection consists of two flows, one in each direction.
+connection RADIUS_Conn(bro_analyzer: BroAnalyzer) {
+ upflow = RADIUS_Flow(true);
+ downflow = RADIUS_Flow(false);
+};
+
+%include radius-protocol.pac
+
+# Now we define the flow:
+flow RADIUS_Flow(is_orig: bool) {
+ # There are two options here: flowunit or datagram.
+ # flowunit = RADIUS_PDU(is_orig) withcontext(connection, this);
+ datagram = RADIUS_PDU(is_orig) withcontext(connection, this);
+ # Using flowunit will cause the anlayzer to buffer incremental input.
+ # This is needed for &oneline and &length. If you don't need this, you'll
+ # get better performance with datagram.
+};
+
+%include radius-analyzer.pac
\ No newline at end of file