##! Implements base functionality for RADIUS analysis. Generates the radius.log file.

# Generated by binpac_quickstart

module RADIUS;

@load ./consts.bro

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		## Timestamp for when the event happened.
		ts:       time    &log;
		## Unique ID for the connection.
		uid:      string  &log;
		## The connection's 4-tuple of endpoint addresses/ports.
		id:       conn_id &log;
		## Human-readable RADIUS message type, resolved through the
		## ``msg_types`` table (defined outside this file).
		msg_type: string  &log;
	};

	## Event that can be handled to access the RADIUS record as it is sent on
	## to the logging framework.
	global log_radius: event(rec: Info);
}

# Port set the RADIUS analyzer is registered for.
const ports = { 1812/udp };

event bro_init() &priority=5
	{
	Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius]);
	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
	}

## Writes one radius.log record per RADIUS message. ``trans_id`` is
## received but not logged.
event radius_message(c: connection, msg_type: count, trans_id: count)
	{
	local rec: Info = [$ts=network_time(),
	                   $uid=c$uid,
	                   $id=c$id,
	                   $msg_type=msg_types[msg_type]];
	Log::write(RADIUS::LOG, rec);
	}

# Prints a decoded Vendor-Specific attribute (RFC 2865 section 5.26).
# The attribute value is laid out as Vendor-Id (4 bytes), Vendor-Type
# (1 byte), Vendor-Length (1 byte) and then the vendor value.
# Note: sub_bytes positions are 1-based, so 5 is the fifth byte
# (Vendor-Type) and 7 is the first byte of the vendor value; the 0 used
# for the Vendor-Id extraction relies on 0 also selecting the first byte
# - confirm against the Bro version in use.
function decode_vendor_specific(value: string)
	{
	local vid = bytestring_to_count(sub_bytes(value, 0, 4));
	local vtype = bytestring_to_count(sub_bytes(value, 5, 1));
	# The Vendor-Length byte (position 6) is not consulted; the vendor value
	# is taken as at most 128 bytes starting at position 7.
	local vval = sub_bytes(value, 7, 128);

	if ( vid == 9 )          # Cisco IOS/PIX 6.0
		print cat(vendor_9_types[vtype], ": ", vval);
	else if ( vid == 255 )   # Cisco VPN 5000
		print cat(vendor_255_types[vtype], ": ", vval);
	else if ( vid == 311 )   # Microsoft
		print cat(vendor_311_types[vtype], ": ", vval);
	else if ( vid == 3076 )  # Cisco VPN 3000
		print cat(vendor_3076_types[vtype], ": ", vval);
	else if ( vid == 14823 ) # Aruba
		print cat(vendor_14823_types[vtype], ": ", vval);
	else
		print cat("Unknown vendor: ", vid);
	}

## Decodes individual attributes and prints them to stdout. This handler does
## not write to radius.log. ``trans_id`` is received but unused. The attribute
## name comes from the ``attr_types`` table (defined outside this file); the
## enumerated types are resolved through the ``nas_port_types``,
## ``service_types`` and ``framed_protocol_types`` tables.
##
## Calling-Station-Id / Called-Station-Id handling (MAC normalisation via
## normalize_mac) is commented out in the original and those attributes
## currently reach the generic fallback below.
event radius_attribute(c: connection, attr_type: count, trans_id: count, value: string)
	{
	local aname = attr_types[attr_type];

	# Attributes carried as plain strings.
	if ( aname == "Reply-Message" || aname == "User-Name" )
		print cat(aname, ": ", value);

	# Attributes carried as a 4-byte IPv4 address.
	else if ( aname == "Framed-IP-Address" || aname == "Framed-IP-Netmask" || aname == "NAS-IP-Address" )
		print cat(aname, ": ", count_to_v4_addr(bytestring_to_count(value)));

	# Attributes carried as an integer.
	else if ( aname == "Framed-MTU" || aname == "NAS-Port" || aname == "Session-Timeout" )
		print cat(aname, ": ", bytestring_to_count(value));

	# Enumerated attributes, resolved through lookup tables.
	else if ( aname == "NAS-Port-Type" )
		print cat(aname, ": ", nas_port_types[bytestring_to_count(value)]);
	else if ( aname == "Service-Type" )
		print cat(aname, ": ", service_types[bytestring_to_count(value)]);
	else if ( aname == "Framed-Protocol" )
		print cat(aname, ": ", framed_protocol_types[bytestring_to_count(value)]);

	else if ( aname == "Vendor-Specific" )
		decode_vendor_specific(value);

	# Anything else is printed raw.
	else
		print cat(aname, ": ", value);
	}

# Attribute names noted in the original source:
# Called-Station-Id:
# Calling-Station-Id:
# Class:
# NAS-Identifier:
# State:
# Vendor-Specific:
# unknown-185:
# unknown-66:
# unknown-77:
# unknown-79:
# unknown-80:
# unknown-87:
# unknown-95: