mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 08:38:20 +00:00
c2f35920fd
Old event prototypes have changed and the events are broken right now and may be removed in favor of the new generic "dhcp_message" event. DHCP option parsing is abstracted from the main code base of the protocol parser and are all now located in their own file. Documentation, tests, and final code cleanup are still pending.
118 lines
3.3 KiB
Text
118 lines
3.3 KiB
Text
##! Analyzes DHCP traffic in order to log DHCP leases given to clients.
|
|
##! This script ignores large swaths of the protocol, since it is rather
|
|
##! noisy on most networks, and focuses on the end-result: assigned leases.
|
|
##!
|
|
##! If you'd like to track known DHCP devices and to log the hostname
|
|
##! supplied by the client, see
|
|
##! :doc:`/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro`.
|
|
|
|
@load ./utils.bro
|
|
|
|
module DHCP;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
## The record type which contains the column fields of the DHCP log.
|
|
type Info: record {
|
|
## The earliest time at which a DHCP message over the
|
|
## associated connection is observed.
|
|
ts: time &log;
|
|
## A unique identifier of the connection over which DHCP is
|
|
## occurring.
|
|
uid: string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id: conn_id &log;
|
|
## Client's hardware address.
|
|
mac: string &log &optional;
|
|
## Client's actual assigned IP address.
|
|
assigned_ip: addr &log &optional;
|
|
## IP address lease interval.
|
|
lease_time: interval &log &optional;
|
|
## A random number chosen by the client for this transaction.
|
|
trans_id: count &log;
|
|
## the message type
|
|
msg_type: string &log &optional;
|
|
## client ID
|
|
client_id: string &log &optional;
|
|
## the server ID
|
|
server_id: addr &log &optional;
|
|
## the host name
|
|
host_name: string &log &optional;
|
|
## the subscriber id (if present)
|
|
subscriber_id: string &log &optional;
|
|
## the agent remote id (if present)
|
|
agent_remote_id: string &log &optional;
|
|
};
|
|
|
|
## Event that can be handled to access the DHCP
|
|
## record as it is sent on to the logging framework.
|
|
global log_dhcp: event(rec: Info);
|
|
}
|
|
|
|
# Add the dhcp info to the connection record.
|
|
redef record connection += {
|
|
dhcp: Info &optional;
|
|
};
|
|
|
|
# 67/udp is the server's port, 68/udp the client.
|
|
const ports = { 67/udp, 68/udp };
|
|
redef likely_server_ports += { 67/udp };
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
|
|
Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
|
|
}
|
|
|
|
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=-5
|
|
{
|
|
if ( msg$m_type == 5 ) # DHCP_ACK
|
|
{
|
|
local info = Info($ts = network_time(),
|
|
$id = c$id,
|
|
$uid = c$uid,
|
|
$trans_id = msg$xid);
|
|
|
|
if ( msg$h_addr != "" )
|
|
info$mac = msg$h_addr;
|
|
|
|
if ( reverse_ip(msg$yiaddr) != 0.0.0.0 )
|
|
info$assigned_ip = reverse_ip(msg$yiaddr);
|
|
else
|
|
info$assigned_ip = c$id$orig_h;
|
|
|
|
if ( options?$lease )
|
|
info$lease_time = options$lease;
|
|
|
|
if ( options?$sub_opt )
|
|
{
|
|
for ( param in options$sub_opt )
|
|
{
|
|
local sub_opt = options$sub_opt[param];
|
|
|
|
#if ( sub_opt$code == 1 )
|
|
# {
|
|
# print fmt("Relay Agent Information:");
|
|
# print fmt( "sub option: code=%d circuit id=%s",sub_opt$code,sub_opt$value );
|
|
# }
|
|
|
|
if ( sub_opt$code == 2 )
|
|
info$agent_remote_id = bytestring_to_hexstr(sub_opt$value);
|
|
|
|
if ( sub_opt$code == 6 )
|
|
info$subscriber_id = (sub_opt$value);
|
|
}
|
|
}
|
|
|
|
c$dhcp = info;
|
|
}
|
|
}
|
|
|
|
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=-5
|
|
{
|
|
if ( msg$m_type == 5 ) # DHCP_ACK
|
|
{
|
|
Log::write(DHCP::LOG, c$dhcp);
|
|
}
|
|
}
|