Basic RADIUS support - checkpoint

2025-10-15 13:08:20 +00:00 · 2013-11-19 20:20:36 -05:00 · 2013-11-19 20:20:36 -05:00 · 9e0b0f9187
commit 9e0b0f9187
parent 3d1fd6ca5e
15 changed files with 928 additions and 3 deletions
--- a/scripts/base/protocols/radius/main.bro
+++ b/scripts/base/protocols/radius/main.bro
@ -0,0 +1,142 @@
+##! Implements base functionality for RADIUS analysis. Generates the radius.log file.
+
+# Generated by binpac_quickstart
+
+module RADIUS;
+
+@load ./consts.bro
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:     time    &log;
+		## Unique ID for the connection.
+		uid:    string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:     conn_id &log;
+		msg_type: string &log;
+	};
+
+	## Event that can be handled to access the RADIUS record as it is sent on
+	## to the loggin framework.
+	global log_radius: event(rec: Info);
+}
+
+const ports = { 1812/udp };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
+	}
+
+event radius_message(c: connection, msg_type: count, trans_id: count)
+	{
+	local info: Info;
+	info$ts  = network_time();
+	info$uid = c$uid;
+	info$id  = c$id;
+	info$msg_type = msg_types[msg_type];
+
+	Log::write(RADIUS::LOG, info);
+	}
+
+event radius_attribute(c: connection, attr_type: count, trans_id: count, value: string)
+	{
+	switch ( attr_types[attr_type] ) {
+#	case "Calling-Station-Id":
+#		tmp = normalize_mac(value);
+#		if ( tmp != "" )
+#			print cat(attr_types[attr_type], " ", tmp);
+#		else
+#			print cat(attr_types[attr_type], " ", value);
+#		break;
+#	case "Called-Station-Id":
+#		fallthrough;
+
+	## Strings:
+	case "Reply-Message":
+		fallthrough;
+	case "User-Name":
+		print cat(attr_types[attr_type], ": ", value);
+		break;
+		
+	## IPs:
+
+	case "Framed-IP-Address":
+		fallthrough;
+	case "Framed-IP-Netmask":
+		fallthrough;
+	case "NAS-IP-Address":
+		print cat(attr_types[attr_type], ": ", count_to_v4_addr(bytestring_to_count(value)));
+		break;
+
+	## Counts:
+		
+	case "Framed-MTU":
+		fallthrough;
+	case "NAS-Port":
+		fallthrough;
+	case "Session-Timeout":
+		print cat(attr_types[attr_type], ": ", bytestring_to_count(value));
+		break;
+
+	## Other:
+
+	case "NAS-Port-Type":
+		print cat(attr_types[attr_type], ": ", nas_port_types[bytestring_to_count(value)]);
+		break;
+	case "Service-Type":
+		print cat(attr_types[attr_type], ": ", service_types[bytestring_to_count(value)]);
+		break;
+	case "Framed-Protocol":
+		print cat(attr_types[attr_type], ": ", framed_protocol_types[bytestring_to_count(value)]);
+		break;
+	case "Vendor-Specific":
+		switch(bytestring_to_count(sub_bytes(value, 0, 4))) {
+		case 9:
+			# Cisco IOS/PIX 6.0
+			print cat(vendor_9_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 255:
+			# Cisco VPN 5000
+			print cat(vendor_255_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 311:
+			# Microsoft
+			print cat(vendor_311_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 3076:
+			# Cisco VPN 3000
+			print cat(vendor_3076_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 14823:
+			# Aruba
+			print cat(vendor_14823_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		default:
+			print cat("Unknown vendor: ", bytestring_to_count(sub_bytes(value, 0, 4)));
+			break;
+		}
+		break;
+	default:
+		print cat(attr_types[attr_type], ": ", value);
+		break;
+	}
+	}
+
+# Called-Station-Id: 
+# Calling-Station-Id: 
+# Class: 
+# NAS-Identifier: 
+# State: 
+# Vendor-Specific: 
+# unknown-185: 
+# unknown-66: 
+# unknown-77: 
+# unknown-79: 
+# unknown-80: 
+# unknown-87: 
+# unknown-95: