
* origin/topic/seth/dhcp-update: Rework to the DHCP analyzer. First step of DHCP analyzer rearchitecture. Add .btest scripts for dhck_ack and dhcp_discover messages verifying that new options are correctly reported in dhcp.log records. Extend DHCP protocol analyzer with new options. BIT-1924 #merged Additional changes: * Removed known-hosts.bro as the only thing populating its table was the already-removed known-hosts-and-devices.bro. So a known_devices.log will no longer be generated. * In dhcp-options.pac, the process_relay_agent_inf_option had a memleak and also process_auto_proxy_config_option looked like it accessed one byte past the end of the available bytestring, so fixed those.
##! Software identification and extraction for DHCP traffic.
@load base/protocols/dhcp
@load base/frameworks/software
module DHCP;
export {
	redef enum Software::Type += {
		## Identifier for DHCP servers in the software framework
		## (assigned to software seen in replies to the client).
		DHCP::SERVER,
		## Identifier for DHCP clients in the software framework
		## (assigned to software seen in messages sent by the client).
		DHCP::CLIENT,
	};

	redef record DHCP::Info += {
		## Software reported by the client in the `vendor_class` option.
		## The value is taken verbatim from the wire and is client-supplied.
		client_software: string &log &optional;
		## Software reported by the server in the `vendor_class` option.
		## The value is taken verbatim from the wire and is server-supplied.
		server_software: string &log &optional;
	};
}
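## Copies the ``vendor_class`` option of each DHCP message onto the
## connection's log record. Messages from the originator populate
## ``client_software``; replies populate ``server_software``. The value is
## stored verbatim, so it is whatever the peer chose to send.
##
## Reporting to the software framework is left to the ``DHCP::log_dhcp``
## handler in this file, which attributes the server software to the server
## identifier recorded in the log entry (``server_addr``). Calling
## ``Software::found`` here as well would enter the same server software a
## second time per exchange, attributed to the connection's responder
## address instead, which need not be the server itself. As a consequence,
## an exchange whose log record lacks ``assigned_addr`` or ``server_addr``
## is not reported at all.
##
## ts: Timestamp of the message.
##
## id: Connection identifier of the message.
##
## uid: Connection UID of the message.
##
## is_orig: True for messages sent by the originator (the client).
##
## msg: The parsed DHCP message (unused here).
##
## options: The parsed DHCP options; only ``vendor_class`` is consulted.
event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=5
	{
	if ( ! options?$vendor_class )
		return;

	if ( is_orig )
		log_info$client_software = options$vendor_class;
	else
		log_info$server_software = options$vendor_class;
	}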
## Hands the software observed in a DHCP exchange to the software framework
## when the exchange's log record is written. Both an assigned address and a
## server identifier must be present on the record: together they form the
## host attribution and the synthetic connection identifier passed along
## with each observation.
##
## rec: The DHCP log record being written.
event DHCP::log_dhcp(rec: DHCP::Info)
	{
	# Without both endpoints nothing can be attributed.
	if ( ! rec?$assigned_addr || ! rec?$server_addr )
		return;

	# No vendor_class option was seen in either direction.
	if ( ! rec?$client_software && ! rec?$server_software )
		return;

	# Not quite right to just blindly use 67 and 68 as the ports
	local exchange: conn_id = [$orig_h=rec$assigned_addr, $orig_p=68/udp,
	                           $resp_h=rec$server_addr, $resp_p=67/udp];

	# Client software is skipped when the assigned address is the broadcast
	# address; presumably that value does not identify a client host.
	if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
		Software::found(exchange, [$unparsed_version=rec$client_software,
		                           $host=rec$assigned_addr,
		                           $software_type=DHCP::CLIENT]);

	# Server software is attributed to the server identifier from the record,
	# not to whichever address answered on the wire.
	if ( rec?$server_software )
		Software::found(exchange, [$unparsed_version=rec$server_software,
		                           $host=rec$server_addr,
		                           $software_type=DHCP::SERVER]);
	}