Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'feature/new_dhcp_data' of https://github.com/Mr-Click/bro into topic/seth/merge-121-dhcp-extensions

Browse source
This commit is contained in:
Seth Hall 2018-02-01 10:06:35 -05:00
commit ba49ab8201
17 changed files with 323 additions and 112 deletions
Download patch file Download diff file Expand all files Collapse all files

39
scripts/base/init-bare.bro
View file

@ -3058,24 +3058,43 @@ export {
module GLOBAL;
## A list of router addresses offered by a DHCP server.
##
## .. bro:see:: dhcp_ack dhcp_offer
type dhcp_router_list: table[count] of addr;
module DHCP;
## A DHCP message.
##
## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak
## dhcp_offer dhcp_release dhcp_request
type dhcp_msg: record {
export {
## A list of router addresses offered by a DHCP server.
##
## .. bro:see:: dhcp_ack dhcp_offer
type DHCP::dhcp_router_list: table[count] of addr;
## A DHCP message.
## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak
## dhcp_offer dhcp_release dhcp_request
type DHCP::dhcp_msg: record {
op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
m_type: count; ##< The type of DHCP message.
xid: count; ##< Transaction ID of a DHCP session.
h_addr: string; ##< Hardware address of the client.
ciaddr: addr; ##< Original IP address of the client.
yiaddr: addr; ##< IP address assigned to the client.
};
};
## DHCP Paremeter Reuqest list (Option 55)
## .. bro:see:: dhcp_request dhcp_discover
type DHCP::dhcp_params_list: table[count] of count;
## DHCP Relay Agent Information Option (Option 82)
## .. bro:see:: dhcp_ack
type DHCP::dhcp_sub_opt: record {
code: count;
value: string;
};
## DHCP Client Identifier (Option 61)
## .. bro:see:: dhcp_request dhcp_discover
type DHCP::dhcp_client_id: record {
hwtype: count;
hwaddr: string;
};
type DHCP::dhcp_sub_opt_list: table[count] of DHCP::dhcp_sub_opt;
}
module GLOBAL;
## A DNS message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl

76
scripts/base/protocols/dhcp/main.bro
View file

@ -31,6 +31,18 @@ export {
lease_time: interval &log &optional;
## A random number chosen by the client for this transaction.
trans_id: count &log;
## the message type
msg_type: string &log &optional;
## client ID
client_id: string &log &optional;
## the server ID
server_id: addr &log &optional;
## the host name
host_name: string &log &optional;
## the subscriber id (if present)
subscriber_id: string &log &optional;
## the agent remote id (if present)
agent_remote_id: string &log &optional;
};
## Event that can be handled to access the DHCP
@ -47,20 +59,26 @@ redef record connection += {
const ports = { 67/udp, 68/udp };
redef likely_server_ports += { 67/udp };
global info: Info;
event bro_init() &priority=5
{
Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
}
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=5
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: dhcp_sub_opt_list) &priority=5
{
local info: Info;
#local info: Info;
info$ts = network_time();
info$id = c$id;
info$uid = c$uid;
info$lease_time = lease;
info$trans_id = msg$xid;
info$msg_type = message_types[msg$m_type];
info$server_id = serv_addr;
info$host_name = host_name;
if ( msg$h_addr != "" )
info$mac = msg$h_addr;
@ -70,10 +88,62 @@ event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_lis
else
info$assigned_ip = c$id$orig_h;
for (param in sub_opt)
{
#if ( sub_opt[param]$code == 1 )
#{
#print fmt("Relay Agent Information:");
#print fmt( "sub option: code=%d circuit id=%s",sub_opt[param]$code,sub_opt[param]$value );
#}
if ( sub_opt[param]$code == 2 )
info$agent_remote_id = bytestring_to_hexstr(sub_opt[param]$value);
if ( sub_opt[param]$code == 6 )
info$subscriber_id = (sub_opt[param]$value);
}
c$dhcp = info;
}
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=-5
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: dhcp_sub_opt_list) &priority=-5
{
Log::write(DHCP::LOG, c$dhcp);
}
event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=5
{
info$ts = network_time();
info$id = c$id;
info$uid = c$uid;
info$trans_id = msg$xid;
info$msg_type = message_types[msg$m_type];
info$server_id = serv_addr;
info$host_name = host_name;
info$client_id = c_id$hwaddr;
c$dhcp = info;
}
event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=-5
{
Log::write(DHCP::LOG, c$dhcp);
}
event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=5
{
info$ts = network_time();
info$id = c$id;
info$uid = c$uid;
info$trans_id = msg$xid;
info$msg_type = message_types[msg$m_type];
info$host_name = host_name;
info$client_id = c_id$hwaddr;
c$dhcp = info;
}
event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=-5
{
Log::write(DHCP::LOG, c$dhcp);
}

4
scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro
View file

@ -12,7 +12,7 @@ export {
};
}
event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string)
event dhcp_request(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list)
{
if ( msg$h_addr == "" )
return;
@ -24,7 +24,7 @@ event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr
}
}
event dhcp_inform(c: connection, msg: dhcp_msg, host_name: string)
event dhcp_inform(c: connection, msg: DHCP::dhcp_msg, host_name: string, req_params: DHCP::dhcp_params_list)
{
if ( msg$h_addr == "" )
return;

4
src/NetVar.cc
View file

@ -426,8 +426,8 @@ void init_net_var()
entropy_test_result = internal_type("entropy_test_result")->AsRecordType();
dhcp_router_list = internal_type("dhcp_router_list")->AsTableType();
dhcp_msg = internal_type("dhcp_msg")->AsRecordType();
dhcp_router_list = internal_type("DHCP::dhcp_router_list")->AsTableType();
dhcp_msg = internal_type("DHCP::dhcp_msg")->AsRecordType();
dns_msg = internal_type("dns_msg")->AsRecordType();
dns_answer = internal_type("dns_answer")->AsRecordType();

1
src/analyzer/protocol/dhcp/CMakeLists.txt
View file

@ -6,5 +6,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
bro_plugin_begin(Bro DHCP)
bro_plugin_cc(DHCP.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_bif(types.bif)
bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac)
bro_plugin_end()

1
src/analyzer/protocol/dhcp/DHCP.cc
View file

@ -1,6 +1,7 @@
#include "DHCP.h"
#include "events.bif.h"
#include "types.bif.h"
using namespace analyzer::dhcp;

90
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -8,15 +8,24 @@ flow DHCP_Flow(is_orig: bool) {
%member{
BroVal dhcp_msg_val_;
uint8 sum_len;
%}
%init{
dhcp_msg_val_ = 0;
sum_len = 0;
%}
%cleanup{
Unref(dhcp_msg_val_);
dhcp_msg_val_ = 0;
sum_len = 0;
%}
function get_dhcp_sumlen(len: uint8): uint8
%{
sum_len = len + sum_len;
return sum_len;
%}
function get_dhcp_msgtype(options: DHCP_Option[]): uint8
@ -54,7 +63,12 @@ flow DHCP_Flow(is_orig: bool) {
// Requested IP address to the server.
::uint32 req_addr = 0, serv_addr = 0;
StringVal* host_name = 0;
StringVal* host_name = new StringVal("");
TableVal* params_list = 0;
RecordVal* client_id = new RecordVal(BifType::Record::DHCP::dhcp_client_id);
client_id->Assign(0,0);
client_id->Assign(1,new StringVal(""));
for ( ptr = options->begin(); ptr != options->end() && ! (*ptr)->last(); ++ptr )
{
@ -69,29 +83,42 @@ flow DHCP_Flow(is_orig: bool) {
break;
case HOST_NAME_OPTION:
Unref(host_name);
host_name = new StringVal((*ptr)->info()->host_name().length(),
(const char*) (*ptr)->info()->host_name().begin());
break;
case CLIENT_ID_OPTION:
client_id->Assign(0, new Val((*ptr)->info()->client_id()->hwtype(), TYPE_COUNT));
client_id->Assign(1, new StringVal(fmt_mac((*ptr)->info()->client_id()->hwaddr().begin(), (*ptr)->info()->client_id()->hwaddr().length())));
break;
case PAR_REQ_LIST:
params_list = new TableVal(BifType::Table::DHCP::dhcp_params_list);
int num_parms = (*ptr)->info()->par_req_list()->size();
for (int i=0; i < num_parms; ++i)
{
vector<uint8>* plist = (*ptr)->info()->par_req_list();
uint8 param = (*plist)[i];
Val* index = new Val(i+1, TYPE_COUNT);
params_list->Assign(index, new Val(param, TYPE_COUNT));
Unref(index);
}
break;
}
}
if ( host_name == 0 )
host_name = new StringVal("");
switch ( type )
{
case DHCPDISCOVER:
BifEvent::generate_dhcp_discover(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), new AddrVal(req_addr), host_name);
dhcp_msg_val_->Ref(), new AddrVal(req_addr),
host_name, client_id, params_list);
break;
case DHCPREQUEST:
BifEvent::generate_dhcp_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), new AddrVal(req_addr),
new AddrVal(serv_addr), host_name);
new AddrVal(serv_addr), host_name, client_id, params_list);
break;
case DHCPDECLINE:
@ -109,7 +136,7 @@ flow DHCP_Flow(is_orig: bool) {
case DHCPINFORM:
BifEvent::generate_dhcp_inform(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), host_name);
dhcp_msg_val_->Ref(), host_name, params_list);
break;
default:
@ -123,6 +150,7 @@ flow DHCP_Flow(is_orig: bool) {
function parse_reply(options: DHCP_Option[], type: uint8): bool
%{
vector<DHCP_Option*>::const_iterator ptr;
vector<Relay_Agent_SubOption*>::const_iterator ptrsubopt;
// RFC 1533 allows a list of router addresses.
TableVal* router_list = 0;
@ -132,6 +160,13 @@ flow DHCP_Flow(is_orig: bool) {
uint32 lease = 0;
StringVal* host_name = 0;
uint32 reb_time = 0;
uint32 ren_time = 0;
StringVal* agent_cir = 0;
StringVal* agent_rem = 0;
StringVal* agent_sub_opt = 0;
TableVal* relay_agent_sub_opt = new TableVal(BifType::Table::DHCP::dhcp_sub_opt_list);
for ( ptr = options->begin();
ptr != options->end() && ! (*ptr)->last(); ++ptr )
{
@ -144,7 +179,7 @@ flow DHCP_Flow(is_orig: bool) {
case ROUTER_OPTION:
// Let's hope there aren't multiple
// such options.
Unref(router_list);
//Unref(router_list);
router_list = new TableVal(dhcp_router_list);
{
@ -175,10 +210,32 @@ flow DHCP_Flow(is_orig: bool) {
break;
case HOST_NAME_OPTION:
Unref(host_name);
host_name = new StringVal((*ptr)->info()->host_name().length(),
(const char*) (*ptr)->info()->host_name().begin());
break;
case REB_TIME_OPTION:
reb_time = (*ptr)->info()->reb_time();
break;
case REN_TIME_OPTION:
ren_time = (*ptr)->info()->ren_time();
break;
case RELAY_AGENT_INF:
RecordVal* r = new RecordVal(BifType::Record::DHCP::dhcp_sub_opt);
uint i = 0;
for( ptrsubopt = (*ptr)->info()->relay_agent_inf()->begin(); ptrsubopt != (*ptr)->info()->relay_agent_inf()->end(); ++ptrsubopt)
{
r = new RecordVal(BifType::Record::DHCP::dhcp_sub_opt);
Val* index = new Val(i + 1, TYPE_COUNT);
r->Assign(0, new Val((*ptrsubopt)->code(), TYPE_COUNT));
r->Assign(1, bytestring_to_val((*ptrsubopt)->value()));
relay_agent_sub_opt->Assign(index, r);
Unref(index);
++i;
}
break;
}
}
@ -204,19 +261,19 @@ flow DHCP_Flow(is_orig: bool) {
BifEvent::generate_dhcp_ack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), new AddrVal(subnet_mask),
router_list, lease, new AddrVal(serv_addr), host_name);
router_list, lease, new AddrVal(serv_addr), host_name, reb_time, ren_time, relay_agent_sub_opt);
break;
case DHCPNAK:
Unref(router_list);
//Unref(router_list);
BifEvent::generate_dhcp_nak(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), host_name);
break;
default:
Unref(router_list);
Unref(host_name);
//Unref(router_list);
//Unref(host_name);
break;
}
@ -266,7 +323,10 @@ flow DHCP_Flow(is_orig: bool) {
case BOOTREPLY: // presumably from server to client
if ( ${msg.type} == DHCPOFFER ||
${msg.type} == DHCPACK ||
${msg.type} == DHCPNAK )
${msg.type} == DHCPNAK ||
${msg.type} == DHCPLEASEUNASSIGNED ||
${msg.type} == DHCPLEASEUNKNOWN ||
${msg.type} == DHCPLEASEACTIVE )
parse_reply(${msg.options}, ${msg.type});
else
connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREPLY (%d)",

82
src/analyzer/protocol/dhcp/dhcp-protocol.pac
View file

@ -3,7 +3,7 @@
# Refer to RFC 2131 for op types.
enum OP_type {
BOOTREQUEST = 1,
BOOTREPLY = 2,
BOOTREPLY = 2
};
# Refer to RFC 1533 for option types.
@ -17,10 +17,14 @@ enum OPTION_type {
LEASE_OPTION = 51,
MSG_TYPE_OPTION = 53,
SERV_ID_OPTION = 54, # Server address, actually :)
END_OPTION = 255,
PAR_REQ_LIST = 55, # Parameters Request List - NEW
REN_TIME_OPTION = 58, # Renewal time - NEW
REB_TIME_OPTION = 59, # Rebinding time - NEW
CLIENT_ID_OPTION = 61, # Client Identifier - NEW
RELAY_AGENT_INF = 82, # Relay Agent Information - NEW
END_OPTION = 255
};
# Refer to RFC 1533 for message types (with option = 53).
enum DHCP_message_type {
DHCPDISCOVER = 1,
DHCPOFFER = 2,
@ -30,6 +34,31 @@ enum DHCP_message_type {
DHCPNAK = 6,
DHCPRELEASE = 7,
DHCPINFORM = 8,
DHCPFORCERENEW = 9, # RFC 2132
DHCPLEASEQUERY = 10, # RFC 4388
DHCPLEASEUNASSIGNED = 11, # RFC 4388
DHCPLEASEUNKNOWN = 12, # RFC 4388
DHCPLEASEACTIVE = 13 # RFC 4388
};
type Relay_Agent_SubOption(tot_len: uint8) = record {
code : uint8;
length : uint8;
value : bytestring &length = length;
} &let {
sum_len: uint8 = $context.flow.get_dhcp_sumlen(length + 2);
last: bool = (sum_len == tot_len);
};
type Client_Identifier(length: uint8) = record {
hwtype : uint8;
hwaddr : bytestring &length = length -1;
};
enum DHCP_hardware_type
{
ETHERNET = 1,
EXPERIMENTAL_ETHERNET = 2
};
type Option_Info(code: uint8) = record {
@ -41,7 +70,12 @@ type Option_Info(code: uint8) = record {
LEASE_OPTION -> lease : uint32;
MSG_TYPE_OPTION -> msg_type : uint8;
SERV_ID_OPTION -> serv_addr : uint32;
HOST_NAME_OPTION-> host_name : bytestring &length = length;
HOST_NAME_OPTION -> host_name : bytestring &length = length;
PAR_REQ_LIST -> par_req_list : uint8[length];
REB_TIME_OPTION -> reb_time : uint32;
REN_TIME_OPTION -> ren_time : uint32;
CLIENT_ID_OPTION -> client_id : Client_Identifier(length);
RELAY_AGENT_INF -> relay_agent_inf : Relay_Agent_SubOption(length)[] &until($element.last);
default -> other : bytestring &length = length;
};
};
@ -53,45 +87,9 @@ type DHCP_Option = record {
default -> info : Option_Info(code);
};
} &let {
last: bool = (code == 255); # Mark the end of a list of options
last: bool = (code == END_OPTION); # Mark the end of a list of options
};
# Message format according to RFC 2131
#
# 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 3
# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | op (1) | htype (1) | hlen (1) | hops (1) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | xid (4) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | secs (2) | flags (2) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | ciaddr (4) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | yiaddr (4) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | siaddr (4) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | giaddr (4) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | chaddr (16) |
# / /
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | sname (64) |
# / /
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | file (128) |
# / /
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | options (variable) |
# / /
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
type DHCP_Message = record {
op : uint8;
htype : uint8;
@ -107,11 +105,9 @@ type DHCP_Message = record {
chaddr : bytestring &length = 16;
sname : bytestring &length = 64;
file : bytestring &length = 128;
# Cookie belongs to options in RFC 2131, but we separate
# them here for easy parsing.
cookie : uint32;
options : DHCP_Option[] &until($element.last);
} &let {
type : uint8 = $context.flow.get_dhcp_msgtype(options);

1
src/analyzer/protocol/dhcp/dhcp.pac
View file

@ -2,6 +2,7 @@
%include bro.pac
%extern{
#include "types.bif.h"
#include "events.bif.h"
%}

37
src/analyzer/protocol/dhcp/events.bif
View file

@ -9,6 +9,10 @@
##
## host_name: The value of the host name option, if specified by the client.
##
## client_id: The value of the client id (usually the MAC ADDRESS).
##
## req_params: The Parameters Request List.
##
## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak
## dhcp_release dhcp_inform
##
@ -16,7 +20,7 @@
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string%);
event dhcp_discover%(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list%);
## Generated for DHCP messages of type *DHCPOFFER* (server to client in response
## to DHCPDISCOVER with offer of configuration parameters).
@ -43,7 +47,7 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr, host_name: st
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%);
event dhcp_offer%(c: connection, msg: DHCP::dhcp_msg, mask: addr, router: DHCP::dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%);
## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either
## (a) requesting offered parameters from one server and implicitly declining offers
@ -60,6 +64,10 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_
##
## host_name: The value of the host name option, if specified by the client.
##
## client_id: The client id.
##
## req_parms: The Parameters Request List.
##
## .. bro:see:: dhcp_discover dhcp_offer dhcp_decline dhcp_ack dhcp_nak
## dhcp_release dhcp_inform
##
@ -67,7 +75,7 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string%);
event dhcp_request%(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list%);
## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating
## network address is already in use).
@ -85,7 +93,7 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
event dhcp_decline%(c: connection, msg: dhcp_msg, host_name: string%);
event dhcp_decline%(c: connection, msg: DHCP::dhcp_msg, host_name: string%);
## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration
## parameters, including committed network address).
@ -105,10 +113,21 @@ event dhcp_decline%(c: connection, msg: dhcp_msg, host_name: string%);
## host_name: Optional host name value. May differ from the host name requested
## from the client.
##
## reb_time: A 32-bit unsigned integer indicating the number of seconds before
## the cilent enters the rebinding state if it has not renewed its
## current address lease with the DHCP server.
##
## ren_time: A 32-bit unsigned integer indicating the number of seconds before
## the client begins to renew its address lease with the DHCP server.
##
## sub_opt: DHCP relay agent information option list of suboption values
## (see http://slaptijack.com/networking/what-is-dhcp-option-82/ or
## http://www.juniper.net/documentation/en_US/junose14.3/topics/concept/dhcp-relay-option-82-suboptions-overview.html)
##
## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_nak
## dhcp_release dhcp_inform
##
event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%);
event dhcp_ack%(c: connection, msg: DHCP::dhcp_msg, mask: addr, router: DHCP::dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: DHCP::dhcp_sub_opt_list%);
## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's
## notion of network address is incorrect (e.g., client has moved to new subnet) or
@ -127,7 +146,7 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
event dhcp_nak%(c: connection, msg: dhcp_msg, host_name: string%);
event dhcp_nak%(c: connection, msg: DHCP::dhcp_msg, host_name: string%);
## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing
## network address and cancelling remaining lease).
@ -141,7 +160,7 @@ event dhcp_nak%(c: connection, msg: dhcp_msg, host_name: string%);
## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak
## dhcp_inform
##
event dhcp_release%(c: connection, msg: dhcp_msg, host_name: string%);
event dhcp_release%(c: connection, msg: DHCP::dhcp_msg, host_name: string%);
## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for
## local configuration parameters; client already has externally configured network
@ -153,6 +172,8 @@ event dhcp_release%(c: connection, msg: dhcp_msg, host_name: string%);
##
## host_name: The value of the host name option, if specified by the client.
##
## req_parms: The Parameters Request List.
##
## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak
## dhcp_release
##
@ -160,5 +181,5 @@ event dhcp_release%(c: connection, msg: dhcp_msg, host_name: string%);
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
event dhcp_inform%(c: connection, msg: dhcp_msg, host_name: string%);
event dhcp_inform%(c: connection, msg: DHCP::dhcp_msg, host_name: string, req_params: DHCP::dhcp_params_list%);

10
src/analyzer/protocol/dhcp/types.bif Normal file
View file

@ -0,0 +1,10 @@
module DHCP;
type dhcp_msg: record;
type dhcp_router_list: table;
type dhcp_params_list: table;
type dhcp_sub_opt_list: table;
type dhcp_sub_opt: record;
type dhcp_client_id: record;
module GLOBAL;

10
testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dhcp
#open 2018-01-08-17-58-31
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id msg_type client_id server_id host_name subscriber_id agent_remote_id
#types time string addr port addr port string addr interval count string string addr string string string
1102274184.387798 CHhAvVGS1DHFjwGM9 10.10.0.10 68 10.10.0.1 67 00:0a:28:00:fa:42 192.168.0.10 3600.000000 15633 DHCP_ACK - 10.10.0.1 (empty) -subID- 13
#close 2018-01-08-17-58-31

10
testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dhcp
#open 2018-01-08-17-58-41
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id msg_type client_id server_id host_name subscriber_id agent_remote_id
#types time string addr port addr port string addr interval count string string addr string string string
1102274184.317453 CHhAvVGS1DHFjwGM9 0.0.0.0 68 255.255.255.255 67 - - - 15633 DHCP_DISCOVER 00:0b:82:01:fc:42 - test0000 - -
#close 2018-01-08-17-58-41

BIN
testing/btest/Traces/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/dhcp/dhcp_discover_param_req_and_client_id.trace Normal file
View file

Binary file not shown.

6
testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest Normal file
View file

@ -0,0 +1,6 @@
# This tests that DHCP leases are logged in dhcp.log
# The trace has a message of each DHCP message type,
# but only one lease should show up in the logs.
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
# @TEST-EXEC: btest-diff dhcp.log

6
testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest Normal file
View file

@ -0,0 +1,6 @@
# This tests that DHCP leases are logged in dhcp.log
# The trace has a message of each DHCP message type,
# but only one lease should show up in the logs.
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
# @TEST-EXEC: btest-diff dhcp.log