Basic RADIUS support - checkpoint

scripts/base/init-default.bro

@@ -47,6 +47,7 @@
 @load base/protocols/irc
 @load base/protocols/modbus
 @load base/protocols/pop3
+@load base/protocols/radius
 @load base/protocols/smtp
 @load base/protocols/socks
 @load base/protocols/ssh

scripts/base/protocols/radius/__load__.bro

@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+#@load-sigs ./dpd.sig

scripts/base/protocols/radius/consts.bro

@@ -0,0 +1,537 @@
+module RADIUS;
+
+const msg_types: table[count] of string = {
+	[1] = "Access-Request",
+	[2] = "Access-Accept",
+	[3] = "Access-Reject",
+	[4] = "Accounting-Request",
+	[5] = "Accounting-Response",
+	[11] = "Access-Challenge",
+	[12] = "Status-Server",
+	[13] = "Status-Client",
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const attr_types: table[count] of string = {
+	[1] = "User-Name",
+	[2] = "User-Password",
+	[3] = "CHAP-Password",
+	[4] = "NAS-IP-Address",
+	[5] = "NAS-Port",
+	[6] = "Service-Type",
+	[7] = "Framed-Protocol",
+	[8] = "Framed-IP-Address",
+	[9] = "Framed-IP-Netmask",
+	[10] = "Framed-Routing",
+	[11] = "Filter-Id",
+	[12] = "Framed-MTU",
+	[13] = "Framed-Compression",
+	[14] = "Login-IP-Host",
+	[15] = "Login-Service",
+	[16] = "Login-TCP-Port",
+	[18] = "Reply-Message",
+	[19] = "Callback-Number",
+	[20] = "Callback-Id",
+	[22] = "Framed-Route",
+	[23] = "Framed-IPX-Network",
+	[24] = "State",
+	[25] = "Class",
+	[26] = "Vendor-Specific",
+	[27] = "Session-Timeout",
+	[28] = "Idle-Timeout",
+	[29] = "Termination-Action",
+	[30] = "Called-Station-Id",
+	[31] = "Calling-Station-Id",
+	[32] = "NAS-Identifier",
+	[33] = "Proxy-State",
+	[34] = "Login-LAT-Service",
+	[35] = "Login-LAT-Node",
+	[36] = "Login-LAT-Group",
+	[37] = "Framed-AppleTalk-Link",
+	[38] = "Framed-AppleTalk-Network",
+	[39] = "Framed-AppleTalk-Zone",
+	[40] = "Acct-Status-Type",
+	[41] = "Acct-Delay-Time",
+	[42] = "Acct-Input-Octets",
+	[43] = "Acct-Output-Octets",
+	[44] = "Acct-Session-Id",
+	[45] = "Acct-Authentic",
+	[46] = "Acct-Session-Time",
+	[47] = "Acct-Input-Packets",
+	[48] = "Acct-Output-Packets",
+	[49] = "Acct-Terminate-Cause",
+	[50] = "Acct-Multi-Session-Id",
+	[51] = "Acct-Link-Count",
+	[52] = "Acct-Input-Gigawords",
+	[53] = "Acct-Output-Gigawords",
+	[55] = "Event-Timestamp",
+	[56] = "Egress-VLANID",
+	[57] = "Ingress-Filters",
+	[58] = "Egress-VLAN-Name",
+	[59] = "User-Priority-Table",
+	[60] = "CHAP-Challenge",
+	[61] = "NAS-Port-Type",
+	[62] = "Port-Limit",
+	[63] = "Login-LAT-Port",
+	[64] = "Tunnel-Type",
+	[65] = "Tunnel-Medium-Type",
+	[66] = "Tunnel-Client-EndPoint",
+	[67] = "Tunnel-Server-EndPoint",
+	[68] = "Acct-Tunnel-Connection",
+	[69] = "Tunnel-Password",
+	[70] = "ARAP-Password",
+	[71] = "ARAP-Features",
+	[72] = "ARAP-Zone-Access",
+	[73] = "ARAP-Security",
+	[74] = "ARAP-Security-Data",
+	[75] = "Password-Retry",
+	[76] = "Prompt",
+	[77] = "Connect-Info",
+	[78] = "Configuration-Token",
+	[79] = "EAP-Message",
+	[80] = "Message Authenticator",
+	[81] = "Tunnel-Private-Group-ID",
+	[82] = "Tunnel-Assignment-ID",
+	[83] = "Tunnel-Preference",
+	[84] = "ARAP-Challenge-Response",
+	[85] = "Acct-Interim-Interval",
+	[86] = "Acct-Tunnel-Packets-Lost",
+	[87] = "NAS-Port-Id",
+	[88] = "Framed-Pool",
+	[89] = "CUI",
+	[90] = "Tunnel-Client-Auth-ID",
+	[91] = "Tunnel-Server-Auth-ID",
+	[92] = "NAS-Filter-Rule",
+	[94] = "Originating-Line-Info",
+	[95] = "NAS-IPv6-Address",
+	[96] = "Framed-Interface-Id",
+	[97] = "Framed-IPv6-Prefix",
+	[98] = "Login-IPv6-Host",
+	[99] = "Framed-IPv6-Route",
+	[100] = "Framed-IPv6-Pool",
+	[101] = "Error-Cause",
+	[102] = "EAP-Key-Name",
+	[103] = "Digest-Response",
+	[104] = "Digest-Realm",
+	[105] = "Digest-Nonce",
+	[106] = "Digest-Response-Auth",
+	[107] = "Digest-Nextnonce",
+	[108] = "Digest-Method",
+	[109] = "Digest-URI",
+	[110] = "Digest-Qop",
+	[111] = "Digest-Algorithm",
+	[112] = "Digest-Entity-Body-Hash",
+	[113] = "Digest-CNonce",
+	[114] = "Digest-Nonce-Count",
+	[115] = "Digest-Username",
+	[116] = "Digest-Opaque",
+	[117] = "Digest-Auth-Param",
+	[118] = "Digest-AKA-Auts",
+	[119] = "Digest-Domain",
+	[120] = "Digest-Stale",
+	[121] = "Digest-HA1",
+	[122] = "SIP-AOR",
+	[123] = "Delegated-IPv6-Prefix",
+	[124] = "MIP6-Feature-Vector",
+	[125] = "MIP6-Home-Link-Prefix",
+	[126] = "Operator-Name",
+	[127] = "Location-Information",
+	[128] = "Location-Data",
+	[129] = "Basic-Location-Policy-Rules",
+	[130] = "Extended-Location-Policy-Rules",
+	[131] = "Location-Capable",
+	[132] = "Requested-Location-Info",
+	[133] = "Framed-Management-Protocol",
+	[134] = "Management-Transport-Protection",
+	[135] = "Management-Policy-Id",
+	[136] = "Management-Privilege-Level",
+	[137] = "PKM-SS-Cert",
+	[138] = "PKM-CA-Cert",
+	[139] = "PKM-Config-Settings",
+	[140] = "PKM-Cryptosuite-List",
+	[141] = "PKM-SAID",
+	[142] = "PKM-SA-Descriptor",
+	[143] = "PKM-Auth-Key",
+	[144] = "DS-Lite-Tunnel-Name",
+	[145] = "Mobile-Node-Identifier",
+	[146] = "Service-Selection",
+	[147] = "PMIP6-Home-LMA-IPv6-Address",
+	[148] = "PMIP6-Visited-LMA-IPv6-Address",
+	[149] = "PMIP6-Home-LMA-IPv4-Address",
+	[150] = "PMIP6-Visited-LMA-IPv4-Address",
+	[151] = "PMIP6-Home-HN-Prefix",
+	[152] = "PMIP6-Visited-HN-Prefix",
+	[153] = "PMIP6-Home-Interface-ID",
+	[154] = "PMIP6-Visited-Interface-ID",
+	[155] = "PMIP6-Home-IPv4-HoA",
+	[156] = "PMIP6-Visited-IPv4-HoA",
+	[157] = "PMIP6-Home-DHCP4-Server-Address",
+	[158] = "PMIP6-Visited-DHCP4-Server-Address",
+	[159] = "PMIP6-Home-DHCP6-Server-Address",
+	[160] = "PMIP6-Visited-DHCP6-Server-Address",
+	[161] = "PMIP6-Home-IPv4-Gateway",
+	[162] = "PMIP6-Visited-IPv4-Gateway",
+	[163] = "EAP-Lower-Layer",
+	[164] = "GSS-Acceptor-Service-Name",
+	[165] = "GSS-Acceptor-Host-Name",
+	[166] = "GSS-Acceptor-Service-Specifics",
+	[167] = "GSS-Acceptor-Realm-Name",
+	[168] = "Framed-IPv6-Address",
+	[169] = "DNS-Server-IPv6-Address",
+	[170] = "Route-IPv6-Information",
+	[171] = "Delegated-IPv6-Prefix-Pool",
+	[172] = "Stateful-IPv6-Address-Pool",
+	[173] = "IPv6-6rd-Configuration"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const nas_port_types: table[count] of string = {
+	[0] = "Async",
+	[1] = "Sync",
+	[2] = "ISDN Sync",
+	[3] = "ISDN Async V.120",
+	[4] = "ISDN Async V.110",
+	[5] = "Virtual",
+	[6] = "PIAFS",
+	[7] = "HDLC Clear Channel",
+	[8] = "X.25",
+	[9] = "X.75",
+	[10] = "G.3 Fax",
+	[11] = "SDSL - Symmetric DSL",
+	[12] = "ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation",
+	[13] = "ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone",
+	[14] = "IDSL - ISDN Digital Subscriber Line",
+	[15] = "Ethernet",
+	[16] = "xDSL - Digital Subscriber Line of unknown type",
+	[17] = "Cable",
+	[18] = "Wireless - Other",
+	[19] = "Wireless - IEEE 802.11"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const service_types: table[count] of string = {
+	[1] = "Login",
+	[2] = "Framed",
+	[3] = "Callback Login",
+	[4] = "Callback Framed",
+	[5] = "Outbound",
+	[6] = "Administrative",
+	[7] = "NAS Prompt",
+	[8] = "Authenticate Only",
+	[9] = "Callback NAS Prompt",
+	[10] = "Call Check",
+	[11] = "Callback Administrative",
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const framed_protocol_types: table[count] of string = {
+	[1] = "PPP",
+	[2] = "SLIP",
+	[3] = "AppleTalk Remote Access Protocol (ARAP)",
+	[4] = "Gandalf proprietary SingleLink/MultiLink protocol",
+	[5] = "Xylogics proprietary IPX/SLIP",
+	[6] = "X.75 Synchronous"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const vendor_9_types: table[count] of string = {
+	[1] = "Cisco-AVPair",
+	[2] = "Cisco-NAS-Port",
+	[3] = "Cisco-Fax-Account-Id-Origin",
+	[4] = "Cisco-Fax-Msg-Id",
+	[5] = "Cisco-Fax-Pages",
+	[6] = "Cisco-Fax-Coverpage-Flag",
+	[7] = "Cisco-Fax-Modem-Time",
+	[8] = "Cisco-Fax-Connect-Speed",
+	[9] = "Cisco-Fax-Recipient-Count",
+	[10] = "Cisco-Fax-Process-Abort-Flag",
+	[11] = "Cisco-Fax-Dsn-Address",
+	[12] = "Cisco-Fax-Dsn-Flag",
+	[13] = "Cisco-Fax-Mdn-Address",
+	[14] = "Cisco-Fax-Mdn-Flag",
+	[15] = "Cisco-Fax-Auth-Status",
+	[16] = "Cisco-Email-Server-Address",
+	[17] = "Cisco-Email-Server-Ack-Flag",
+	[18] = "Cisco-Gateway-Id",
+	[19] = "Cisco-Call-Type",
+	[20] = "Cisco-Port-Used",
+	[21] = "Cisco-Abort-Cause",
+	[23] = "Cisco-h323-remote-address",
+	[24] = "Cisco-h323-conf-id",
+	[25] = "Cisco-h323-setup-time",
+	[26] = "Cisco-h323-call-origin",
+	[27] = "Cisco-h323-call-type",
+	[28] = "Cisco-h323-connect-time",
+	[29] = "Cisco-h323-disconnect-time",
+	[30] = "Cisco-h323-disconnect-cause",
+	[31] = "Cisco-h323-voice-quality",
+	[33] = "Cisco-h323-gw-id",
+	[35] = "Cisco-h323-incoming-conn-id",
+	[37] = "Cisco-Policy-Up",
+	[38] = "Cisco-Policy-Down",
+	[100] = "Cisco-sip-conf-id",
+	[101] = "Cisco-h323-credit-amount",
+	[102] = "Cisco-h323-credit-time",
+	[103] = "Cisco-h323-return-code",
+	[104] = "Cisco-h323-prompt-id",
+	[105] = "Cisco-h323-day-and-time",
+	[106] = "Cisco-h323-redirect-number",
+	[107] = "Cisco-h323-preferred-lang",
+	[108] = "Cisco-h323-redirect-ip-addr",
+	[109] = "Cisco-h323-billing-model",
+	[110] = "Cisco-h323-currency",
+	[111] = "Cisco-subscriber",
+	[112] = "Cisco-gw-rxd-cdn",
+	[113] = "Cisco-gw-final-xlated-cdn",
+	[114] = "Cisco-remote-media-address",
+	[115] = "Cisco-release-source",
+	[116] = "Cisco-gw-rxd-cgn",
+	[117] = "Cisco-gw-final-xlated-cgn",
+	[141] = "Cisco-call-id",
+	[142] = "Cisco-session-protocol",
+	[143] = "Cisco-method",
+	[144] = "Cisco-prev-hop-via",
+	[145] = "Cisco-prev-hop-ip",
+	[146] = "Cisco-incoming-req-uri",
+	[147] = "Cisco-outgoing-req-uri",
+	[148] = "Cisco-next-hop-ip",
+	[149] = "Cisco-next-hop-dn",
+	[150] = "Cisco-sip-hdr",
+	[187] = "Cisco-Multilink-ID",
+	[188] = "Cisco-Num-In-Multilink",
+	[190] = "Cisco-Pre-Input-Octets",
+	[191] = "Cisco-Pre-Output-Octets",
+	[192] = "Cisco-Pre-Input-Packets",
+	[193] = "Cisco-Pre-Output-Packets",
+	[194] = "Cisco-Maximum-Time",
+	[195] = "Cisco-Disconnect-Cause",
+	[197] = "Cisco-Data-Rate",
+	[198] = "Cisco-PreSession-Time",
+	[208] = "Cisco-PW-Lifetime",
+	[209] = "Cisco-IP-Direct",
+	[210] = "Cisco-PPP-VJ-Slot-Comp",
+	[212] = "Cisco-PPP-Async-Map",
+	[217] = "Cisco-IP-Pool-Definition",
+	[218] = "Cisco-Assign-IP-Pool",
+	[228] = "Cisco-Route-IP",
+	[233] = "Cisco-Link-Compression",
+	[234] = "Cisco-Target-Util",
+	[235] = "Cisco-Maximum-Channels",
+	[242] = "Cisco-Data-Filter",
+	[243] = "Cisco-Call-Filter",
+	[244] = "Cisco-Idle-Limit",
+	[249] = "Cisco-Subscriber-Password",
+	[250] = "Cisco-Account-Info",
+	[251] = "Cisco-Service-Info",
+	[252] = "Cisco-Command-Code",
+	[253] = "Cisco-Xmit-Rate"
+} &default=function(i: count): string { return fmt("Cisco-unknown-%d", i); };
+
+const vendor_255_types: table[count] of string = {
+	[1] = "CVPN5000-Tunnel-Throughput",
+	[2] = "CVPN5000-Client-Assigned-IP",
+	[3] = "CVPN5000-Client-Real-IP",
+	[4] = "CVPN5000-VPN-GroupInfo",
+	[5] = "CVPN5000-VPN-Password",
+	[6] = "CVPN5000-Echo",
+	[7] = "CVPN5000-Client-Assigned-IPX"
+} &default=function(i: count): string { return fmt("CVPN5000-unknown-%d", i); };
+
+const vendor_311_types: table[count] of string = {
+	[1] = "MS-CHAP-Response",
+	[2] = "MS-CHAP-Error",
+	[3] = "MS-CHAP-CPW-1",
+	[4] = "MS-CHAP-CPW-2",
+	[5] = "MS-CHAP-LM-Enc-PW",
+	[6] = "MS-CHAP-NT-Enc-PW",
+	[7] = "MS-MPPE-Encryption-Policy",
+	[8] = "MS-MPPE-Encryption-Types",
+	[9] = "MS-RAS-Vendor",
+	[10] = "MS-CHAP-Domain",
+	[11] = "MS-CHAP-Challenge",
+	[12] = "MS-CHAP-MPPE-Keys",
+	[13] = "MS-BAP-Usage",
+	[14] = "MS-Link-Utilization-Threshold",
+	[15] = "MS-Link-Drop-Time-Limit",
+	[16] = "MS-MPPE-Send-Key",
+	[17] = "MS-MPPE-Recv-Key",
+	[18] = "MS-RAS-Version",
+	[19] = "MS-Old-ARAP-Password",
+	[20] = "MS-New-ARAP-Password",
+	[21] = "MS-ARAP-PW-Change-Reason",
+	[22] = "MS-Filter",
+	[23] = "MS-Acct-Auth-Type",
+	[24] = "MS-Acct-EAP-Type",
+	[25] = "MS-CHAP2-Response",
+	[26] = "MS-CHAP2-Success",
+	[27] = "MS-CHAP2-CPW",
+	[28] = "MS-Primary-DNS-Server",
+	[29] = "MS-Secondary-DNS-Server",
+	[30] = "MS-Primary-NBNS-Server",
+	[31] = "MS-Secondary-NBNS-Server",
+	[34] = "MS-RAS-Client-Name",
+	[35] = "MS-RAS-Client-Version",
+	[36] = "MS-Quarantine-IPFilter",
+	[37] = "MS-Quarantine-Session-Timeout",
+	[40] = "MS-User-Security-Identity",
+	[41] = "MS-Identity-Type",
+	[42] = "MS-Service-Class",
+	[44] = "MS-Quarantine-User-Class",
+	[45] = "MS-Quarantine-State",
+	[46] = "MS-Quarantine-Grace-Time",
+	[47] = "MS-Network-Access-Server-Type",
+	[48] = "MS-AFW-Zone",
+	[49] = "MS-AFW-Protection-Level",
+	[50] = "MS-Machine-Name",
+	[51] = "MS-IPv6-Filter",
+	[52] = "MS-IPv4-Remediation-Servers",
+	[53] = "MS-IPv6-Remediation-Servers",
+	[54] = "MS-RNAP-Not-Quarantine-Capable",
+	[55] = "MS-Quarantine-SOH",
+	[56] = "MS-RAS-Correlation",
+	[57] = "MS-Extended-Quarantine-State",
+	[58] = "MS-HCAP-User-Groups",
+	[59] = "MS-HCAP-Location-Group-Name",
+	[60] = "MS-HCAP-User-Name",
+	[61] = "MS-User-IPv4-Address",
+	[62] = "MS-User-IPv6-Address",
+	[63] = "MS-TSG-Device-Redirection"
+} &default=function(i: count): string { return fmt("MS-unknown-%d", i); };
+
+const vendor_3076_types: table[count] of string = {
+	[1] = "CVPN3000-Access-Hours",
+	[2] = "CVPN3000-Simultaneous-Logins",
+	[3] = "CVPN3000-Min-Password-Length",
+	[4] = "CVPN3000-Allow-Alpha-Only-Passwords",
+	[5] = "CVPN3000-Primary-DNS",
+	[6] = "CVPN3000-Secondary-DNS",
+	[7] = "CVPN3000-Primary-WINS",
+	[8] = "CVPN3000-Secondary-WINS",
+	[9] = "CVPN3000-SEP-Card-Assignment",
+	[10] = "CVPN3000-Priority-On-SEP",
+	[11] = "CVPN3000-Tunneling-Protocols",
+	[12] = "CVPN3000-IPSec-Sec-Association",
+	[13] = "CVPN3000-IPSec-Authentication",
+	[15] = "CVPN3000-IPSec-Banner1",
+	[16] = "CVPN3000-IPSec-Allow-Passwd-Store",
+	[17] = "CVPN3000-Use-Client-Address",
+	[18] = "CVPN3000-PPTP-Min-Auth-Protocol",
+	[19] = "CVPN3000-L2TP-Min-Auth-Protocol",
+	[20] = "CVPN3000-PPTP-Encryption",
+	[21] = "CVPN3000-L2TP-Encryption",
+	[22] = "CVPN3000-Auth-Server-Type",
+	[23] = "CVPN3000-Auth-Server-Password",
+	[24] = "CVPN3000-Request-Auth-Vector",
+	[25] = "CVPN3000-IPSec-LTL-Keepalives",
+	[26] = "CVPN3000-IPSec-Group-Name",
+	[27] = "CVPN3000-IPSec-Split-Tunnel-List",
+	[28] = "CVPN3000-IPSec-Default-Domain",
+	[29] = "CVPN3000-IPSec-Split-DNS-Names",
+	[30] = "CVPN3000-IPSec-Tunnel-Type",
+	[31] = "CVPN3000-IPSec-Mode-Config",
+	[32] = "CVPN3000-Auth-Server-Priority",
+	[33] = "CVPN3000-IPSec-User-Group-Lock",
+	[34] = "CVPN3000-IPSec-Over-UDP",
+	[35] = "CVPN3000-IPSec-Over-UDP-Port",
+	[36] = "CVPN3000-IPSec-Banner2",
+	[37] = "CVPN3000-PPTP-MPPC-Compression",
+	[38] = "CVPN3000-L2TP-MPPC-Compression",
+	[39] = "CVPN3000-IPSec-IP-Compression",
+	[40] = "CVPN3000-IPSec-IKE-Peer-ID-Check",
+	[41] = "CVPN3000-IKE-Keep-Alives",
+	[42] = "CVPN3000-IPSec-Auth-On-Rekey",
+	[45] = "CVPN3000-Reqrd-Client-Fw-Vendor-Code",
+	[46] = "CVPN3000-Reqrd-Client-Fw-Product-Code",
+	[47] = "CVPN3000-Reqrd-Client-Fw-Description",
+	[48] = "CVPN3000-Require-HW-Client-Auth",
+	[49] = "CVPN3000-Require-Individual-User-Auth",
+	[50] = "CVPN3000-Authd-User-Idle-Timeout",
+	[51] = "CVPN3000-Cisco-IP-Phone-Bypass",
+	[52] = "CVPN3000-User-Auth-Server-Name",
+	[53] = "CVPN3000-User-Auth-Server-Port",
+	[54] = "CVPN3000-User-Auth-Server-Secret",
+	[55] = "CVPN3000-IPSec-Split-Tunneling-Policy",
+	[56] = "CVPN3000-IPSec-Reqrd-Client-Fw-Cap",
+	[57] = "CVPN3000-IPSec-Client-Fw-Filter-Name",
+	[58] = "CVPN3000-IPSec-Client-Fw-Filter-Opt",
+	[59] = "CVPN3000-IPSec-Backup-Servers",
+	[60] = "CVPN3000-IPSec-Backup-Server-List",
+	[61] = "CVPN3000-DHCP-Network-Scope",
+	[62] = "CVPN3000-MS-Client-Icpt-DHCP-Conf-Msg",
+	[63] = "CVPN3000-MS-Client-Subnet-Mask",
+	[64] = "CVPN3000-Allow-Network-Extension-Mode",
+	[65] = "CVPN3000-IPSec-Authorization-Type",
+	[66] = "CVPN3000-IPSec-Authorization-Required",
+	[67] = "CVPN3000-IPSec-DN-Field",
+	[68] = "CVPN3000-IPSec-Confidence-Level",
+	[69] = "CVPN3000-WebVPN-Content-Filter",
+	[70] = "CVPN3000-WebVPN-Enable-functions",
+	[74] = "CVPN3000-WebVPN-Exchange-Addr",
+	[75] = "CVPN3000-LEAP-Bypass",
+	[78] = "CVPN3000-WebVPN-Exchange-NETBIOS-name",
+	[79] = "CVPN3000-Port-Forwarding-Name",
+	[80] = "CVPN3000-IE-Proxy-Server",
+	[81] = "CVPN3000-IE-Proxy-Server-Policy",
+	[82] = "CVPN3000-IE-Proxy-Exception-List",
+	[83] = "CVPN3000-IE-Proxy-Bypass-Local",
+	[84] = "CVPN3000-IKE-Keepalive-Retry-Interval",
+	[88] = "CVPN3000-Perfect-Forward-Secrecy-Enable",
+	[89] = "CVPN3000-NAC-Enable",
+	[90] = "CVPN3000-NAC-Status-Query-Timer",
+	[91] = "CVPN3000-NAC-Revalidation-Timer",
+	[92] = "CVPN3000-NAC-Default-ACL",
+	[93] = "CVPN3000-WebVPN-URL-Entry-Enable",
+	[94] = "CVPN3000-WebVPN-File-Access-Enable",
+	[95] = "CVPN3000-WebVPN-File-Svr-Entry-Enable",
+	[96] = "CVPN3000-WebVPN-File-Svr-Brwsing-Enable",
+	[97] = "CVPN3000-WebVPN-Port-Forwarding-Enable",
+	[98] = "CVPN3000-WebVPN-Outlook-Exch-Proxy-Enb",
+	[99] = "CVPN3000-WebVPN-Port-Fwding-HTTP-Proxy",
+	[100] = "CVPN3000-WebVPN-Auto-Applet-Downld-Enb",
+	[101] = "CVPN3000-WebVPN-Citrix-Metaframe-Enable",
+	[102] = "CVPN3000-WebVPN-Apply-ACL",
+	[103] = "CVPN3000-WebVPN-SSL-VPN-Client-Enable",
+	[104] = "CVPN3000-WebVPN-SSL-VPN-Client-Required",
+	[105] = "CVPN3000-WebVPN-SSL-VPN-Client-Keep-Ins",
+	[128] = "CVPN3000-Partition-Primary-DHCP",
+	[129] = "CVPN3000-Partition-Secondary-DHCP",
+	[131] = "CVPN3000-Partition-Premise-Router",
+	[132] = "CVPN3000-Partition-Max-Sessions",
+	[133] = "CVPN3000-Partition-Mobile-IP-Key",
+	[134] = "CVPN3000-Partition-Mobile-IP-Address",
+	[135] = "CVPN3000-Partition-Mobile-IP-SPI",
+	[136] = "CVPN3000-Strip-Realm",
+	[137] = "CVPN3000-Group-Name"
+} &default=function(i: count): string { return fmt("CPNV3000-unknown-%d", i); };
+
+const vendor_14823_types: table[count] of string = {
+	[1] = "Aruba-User-Role",
+	[2] = "Aruba-User-Vlan",
+	[3] = "Aruba-Priv-Admin-User",
+	[4] = "Aruba-Admin-Role",
+	[5] = "Aruba-Essid-Name",
+	[6] = "Aruba-Location-Id",
+	[7] = "Aruba-Port-Identifier",
+	[8] = "Aruba-MMS-User-Template",
+	[9] = "Aruba-Named-User-Vlan",
+	[10] = "Aruba-AP-Group",
+	[11] = "Aruba-Framed-IPv6-Address",
+	[12] = "Aruba-Device-Type",
+	[13] = "Aruba-AP-Name",
+	[14] = "Aruba-No-DHCP-Fingerprint",
+	[15] = "Aruba-Mdps-Device-Udid",
+	[16] = "Aruba-Mdps-Device-Imei",
+	[17] = "Aruba-Mdps-Device-Iccid",
+	[18] = "Aruba-Mdps-Max-Devices",
+	[19] = "Aruba-Mdps-Device-Name",
+	[20] = "Aruba-Mdps-Device-Product",
+	[21] = "Aruba-Mdps-Device-Version",
+	[22] = "Aruba-Mdps-Device-Serial",
+	[23] = "Aruba-CPPM-Role",
+	[24] = "Aruba-AirGroup-User-Name",
+	[25] = "Aruba-AirGroup-Shared-User",
+	[26] = "Aruba-AirGroup-Shared-Role",
+	[27] = "Aruba-AirGroup-Device-Type",
+	[28] = "Aruba-Auth-Survivability",
+	[29] = "Aruba-AS-User-Name",
+	[30] = "Aruba-AS-Credential-Hash",
+	[31] = "Aruba-WorkSpace-App-Name",
+	[32] = "Aruba-Mdps-Provisioning-Settings",
+	[33] = "Aruba-Mdps-Device-Profile"
+} &default=function(i: count): string { return fmt("Aruba-unknown-%d", i); };
+

scripts/base/protocols/radius/dpd.sig

@@ -0,0 +1,7 @@
+# Generated by binpac_quickstart
+
+signature dpd_radius {
+	ip-proto == udp
+	# TODO: payload /^RADIUS/
+	enable "radius"
+}

scripts/base/protocols/radius/main.bro

@@ -0,0 +1,142 @@
+##! Implements base functionality for RADIUS analysis. Generates the radius.log file.
+
+# Generated by binpac_quickstart
+
+module RADIUS;
+
+@load ./consts.bro
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:     time    &log;
+		## Unique ID for the connection.
+		uid:    string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:     conn_id &log;
+		msg_type: string &log;
+	};
+
+	## Event that can be handled to access the RADIUS record as it is sent on
+	## to the loggin framework.
+	global log_radius: event(rec: Info);
+}
+
+const ports = { 1812/udp };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
+	}
+
+event radius_message(c: connection, msg_type: count, trans_id: count)
+	{
+	local info: Info;
+	info$ts  = network_time();
+	info$uid = c$uid;
+	info$id  = c$id;
+	info$msg_type = msg_types[msg_type];
+
+	Log::write(RADIUS::LOG, info);
+	}
+
+event radius_attribute(c: connection, attr_type: count, trans_id: count, value: string)
+	{
+	switch ( attr_types[attr_type] ) {
+#	case "Calling-Station-Id":
+#		tmp = normalize_mac(value);
+#		if ( tmp != "" )
+#			print cat(attr_types[attr_type], " ", tmp);
+#		else
+#			print cat(attr_types[attr_type], " ", value);
+#		break;
+#	case "Called-Station-Id":
+#		fallthrough;
+
+	## Strings:
+	case "Reply-Message":
+		fallthrough;
+	case "User-Name":
+		print cat(attr_types[attr_type], ": ", value);
+		break;
+		
+	## IPs:
+
+	case "Framed-IP-Address":
+		fallthrough;
+	case "Framed-IP-Netmask":
+		fallthrough;
+	case "NAS-IP-Address":
+		print cat(attr_types[attr_type], ": ", count_to_v4_addr(bytestring_to_count(value)));
+		break;
+
+	## Counts:
+		
+	case "Framed-MTU":
+		fallthrough;
+	case "NAS-Port":
+		fallthrough;
+	case "Session-Timeout":
+		print cat(attr_types[attr_type], ": ", bytestring_to_count(value));
+		break;
+
+	## Other:
+
+	case "NAS-Port-Type":
+		print cat(attr_types[attr_type], ": ", nas_port_types[bytestring_to_count(value)]);
+		break;
+	case "Service-Type":
+		print cat(attr_types[attr_type], ": ", service_types[bytestring_to_count(value)]);
+		break;
+	case "Framed-Protocol":
+		print cat(attr_types[attr_type], ": ", framed_protocol_types[bytestring_to_count(value)]);
+		break;
+	case "Vendor-Specific":
+		switch(bytestring_to_count(sub_bytes(value, 0, 4))) {
+		case 9:
+			# Cisco IOS/PIX 6.0
+			print cat(vendor_9_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 255:
+			# Cisco VPN 5000
+			print cat(vendor_255_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 311:
+			# Microsoft
+			print cat(vendor_311_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 3076:
+			# Cisco VPN 3000
+			print cat(vendor_3076_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		case 14823:
+			# Aruba
+			print cat(vendor_14823_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
+			break;
+		default:
+			print cat("Unknown vendor: ", bytestring_to_count(sub_bytes(value, 0, 4)));
+			break;
+		}
+		break;
+	default:
+		print cat(attr_types[attr_type], ": ", value);
+		break;
+	}
+	}
+
+# Called-Station-Id: 
+# Calling-Station-Id: 
+# Class: 
+# NAS-Identifier: 
+# State: 
+# Vendor-Specific: 
+# unknown-185: 
+# unknown-66: 
+# unknown-77: 
+# unknown-79: 
+# unknown-80: 
+# unknown-87: 
+# unknown-95:

scripts/base/utils/addrs.bro

@@ -1,4 +1,4 @@
-##! Functions for parsing and manipulating IP addresses.
+##! Functions for parsing and manipulating IP and MAC addresses.
 
 # Regular expressions for matching IP addresses in strings.
 const ipv4_addr_regex = /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/;
@@ -119,3 +119,27 @@ function addr_to_uri(a: addr): string
 	else
 		return fmt("[%s]", a);
 	}
+
+## Given a string, extracts the hex digits and returns a MAC address in the
+## format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex digits,
+## an empty string is returned.
+##
+## a: the string to normalize
+##
+## Returns: a normalized MAC address, or an empty string in the case of an error.
+function normalize_mac(a: string): string
+	{
+	local result = to_lower(gsub(a, /[^A-Fa-f0-9]/, ""));
+	local octets: string_vec;
+	if ( |result| == 12 )
+		{
+		octets = str_split(result, vector(2, 4, 6, 8, 10));
+		return fmt("%s:%s:%s:%s:%s:%s", octets[1], octets[2], octets[3], octets[4], octets[5], octets[6]);
+		}
+	if ( |result| == 16 )
+		{
+		octets = str_split(result, vector(2, 4, 6, 8, 10, 12, 14));
+		return fmt("%s:%s:%s:%s:%s:%s:%s:%s", octets[1], octets[2], octets[3], octets[4], octets[5], octets[6], octets[7], octets[8]);
+		}
+	return "";
+	}

src/analyzer/protocol/CMakeLists.txt

@@ -19,14 +19,15 @@ add_subdirectory(ident)
 add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(login)
-add_subdirectory(modbus)
 add_subdirectory(mime)
+add_subdirectory(modbus)
 add_subdirectory(ncp)
-add_subdirectory(netflow)
 add_subdirectory(netbios)
+add_subdirectory(netflow)
 add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
+add_subdirectory(radius)
 add_subdirectory(rpc)
 add_subdirectory(smb)
 add_subdirectory(smtp)

src/analyzer/protocol/radius/CMakeLists.txt

@@ -0,0 +1,11 @@
+# Generated by binpac_quickstart
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro RADIUS)
+	bro_plugin_cc(RADIUS.cc Plugin.cc)
+	bro_plugin_bif(events.bif)
+	bro_plugin_pac(radius.pac radius-analyzer.pac radius-protocol.pac)
+bro_plugin_end()

src/analyzer/protocol/radius/Plugin.cc

@@ -0,0 +1,11 @@
+// Generated by binpac_quickstart
+
+#include "plugin/Plugin.h"
+
+#include "RADIUS.h"
+
+BRO_PLUGIN_BEGIN(Bro, RADIUS)
+	BRO_PLUGIN_DESCRIPTION("RADIUS analyzer");
+	BRO_PLUGIN_ANALYZER("RADIUS", RADIUS::RADIUS_Analyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocol/radius/RADIUS.cc

@@ -0,0 +1,45 @@
+// Generated by binpac_quickstart
+
+#include "RADIUS.h"
+
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::RADIUS;
+
+RADIUS_Analyzer::RADIUS_Analyzer(Connection* c)
+
+: analyzer::Analyzer("RADIUS", c)
+
+	{
+	interp = new binpac::RADIUS::RADIUS_Conn(this);
+	
+	}
+
+RADIUS_Analyzer::~RADIUS_Analyzer()
+	{
+	delete interp;
+	}
+
+void RADIUS_Analyzer::Done()
+	{
+	
+	Analyzer::Done();
+	
+	}
+
+void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data,
+	 			  bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}

src/analyzer/protocol/radius/RADIUS.h

@@ -0,0 +1,45 @@
+// Generated by binpac_quickstart
+
+#ifndef ANALYZER_PROTOCOL_RADIUS_RADIUS_H
+#define ANALYZER_PROTOCOL_RADIUS_RADIUS_H
+
+#include "events.bif.h"
+
+
+#include "analyzer/protocol/udp/UDP.h"
+
+#include "radius_pac.h"
+
+namespace analyzer { namespace RADIUS {
+
+class RADIUS_Analyzer
+
+: public analyzer::Analyzer {
+
+public:
+	RADIUS_Analyzer(Connection* conn);
+	virtual ~RADIUS_Analyzer();
+
+	// Overriden from Analyzer.
+	virtual void Done();
+	
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	
+
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new RADIUS_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return ( radius_message );
+		}
+
+protected:
+	binpac::RADIUS::RADIUS_Conn* interp;
+	
+};
+
+} } // namespace analyzer::* 
+
+#endif

src/analyzer/protocol/radius/events.bif

@@ -0,0 +1,23 @@
+# Generated by binpac_quickstart
+
+## Generated for RADIUS messages
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more information about RADIUS
+##
+## c: The connection
+## msg_type: The value of the code field (1 == Access-Request, 2 == Access-Accept, etc.)
+## trans_id: The RADIUS transaction identifier
+## authenticator: The value of the authenticator field
+##
+event radius_message%(c: connection, msg_type: count, trans_id: count%);
+
+## Generated for each RADIUS attribute
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more information about RADIUS
+##
+## c: The connection
+## attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.)
+## trans_id: The RADIUS transaction identifier
+## authenticator: The value of the authenticator field
+##
+event radius_attribute%(c: connection, attr_type: count, trans_id: count, value: string%);

src/analyzer/protocol/radius/radius-analyzer.pac

@@ -0,0 +1,23 @@
+# Generated by binpac_quickstart
+
+refine flow RADIUS_Flow += {
+	function proc_radius_message(code: uint8, trans_id: uint8): bool
+		%{
+		BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), code, trans_id);
+		return true;
+		%}
+
+	function proc_radius_attribute(code: uint8, trans_id: uint8, value: bytestring): bool
+		%{
+		BifEvent::generate_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), code, trans_id, bytestring_to_val(value));
+		return true;
+		%}
+};
+
+refine typeattr RADIUS_PDU += &let {
+	proc: bool = $context.flow.proc_radius_message(code, trans_id);
+};
+
+refine typeattr RADIUS_Attribute += &let {
+	proc: bool = $context.flow.proc_radius_attribute(code, trans_id, value);
+};

src/analyzer/protocol/radius/radius-protocol.pac

@@ -0,0 +1,15 @@
+# Generated by binpac_quickstart
+
+type RADIUS_PDU(is_orig: bool) = record {
+	code: uint8;
+	trans_id: uint8;
+	length: uint16;
+	authenticator: bytestring &length=16;
+	attributes: RADIUS_Attribute(trans_id)[] &until($input.length() == 0);
+} &byteorder=bigendian;
+
+type RADIUS_Attribute(trans_id: uint8) = record {
+	code: uint8;
+	length: uint8;
+	value: bytestring &length=length-2;
+};

src/analyzer/protocol/radius/radius.pac

@@ -0,0 +1,37 @@
+# Generated by binpac_quickstart
+
+# Analyzer for RADIUS
+#  - radius-protocol.pac: describes the RADIUS protocol messages
+#  - radius-analyzer.pac: describes the RADIUS analyzer code
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+	#include "events.bif.h"
+%}
+
+analyzer RADIUS withcontext {
+	connection: RADIUS_Conn;
+	flow:       RADIUS_Flow;
+};
+
+# Our connection consists of two flows, one in each direction.
+connection RADIUS_Conn(bro_analyzer: BroAnalyzer) {
+	upflow   = RADIUS_Flow(true);
+	downflow = RADIUS_Flow(false);
+};
+
+%include radius-protocol.pac
+
+# Now we define the flow:
+flow RADIUS_Flow(is_orig: bool) {
+	# There are two options here: flowunit or datagram.
+	# flowunit = RADIUS_PDU(is_orig) withcontext(connection, this);
+	datagram = RADIUS_PDU(is_orig) withcontext(connection, this);
+	# Using flowunit will cause the anlayzer to buffer incremental input.
+	# This is needed for &oneline and &length. If you don't need this, you'll
+	# get better performance with datagram.
+};
+
+%include radius-analyzer.pac