##! Implements base functionality for RADIUS analysis. Generates the radius.log file.
# Generated by binpac_quickstart
module RADIUS;

# The lookup tables used by the handlers below (msg_types, attr_types,
# nas_port_types, service_types, framed_protocol_types, vendor_*_types)
# are not defined in this file; they presumably come from consts.bro,
# the only script loaded here.
@load ./consts.bro
export {
	## Log stream identifier for radius.log.
	redef enum Log::ID += { LOG };

	## One entry is written per radius_message event (see the handler
	## below). Attribute values are not part of this record.
	type Info: record {
		## Timestamp for when the event happened.
		ts: time &log;
		## Unique ID for the connection.
		uid: string &log;
		## The connection's 4-tuple of endpoint addresses/ports.
		id: conn_id &log;
		## Human-readable name of the RADIUS code, obtained by looking up
		## the numeric code from the packet in msg_types.
		msg_type: string &log;
	};

	## Event that can be handled to access the RADIUS record as it is sent on
	## to the logging framework.
	global log_radius: event(rec: Info);
}
# Only the RADIUS authentication port is registered. Accounting traffic
# (1813/udp) is not covered, and because the set carries no &redef and is
# not exported, adding ports requires editing this script.
const ports = { 1812/udp };
event bro_init() &priority=5
	{
	# Bind the RADIUS analyzer to its well-known port(s); the two calls
	# are independent, so order between them does not matter.
	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);

	# Open the radius.log stream. Each written Info record is also handed
	# to log_radius so other scripts can observe it.
	Log::create_stream(LOG, [$columns=Info, $ev=log_radius]);
	}
event radius_message(c: connection, msg_type: count, trans_id: count)
	{
	# Assemble the log entry in a single record constructor. The numeric
	# RADIUS code is mapped to its name through msg_types; trans_id is
	# received but not recorded anywhere.
	local rec: Info = [$ts=network_time(),
	                   $uid=c$uid,
	                   $id=c$id,
	                   $msg_type=msg_types[msg_type]];

	Log::write(LOG, rec);
	}
# Debugging handler: prints every decoded attribute to stdout. Nothing in
# here is written to radius.log. `value` is the raw attribute payload as
# carried in the packet, so it is attacker-controlled input; print does not
# appear to apply the log framework's escaping to it — confirm before
# relying on this output. trans_id is accepted but unused.
event radius_attribute(c: connection, attr_type: count, trans_id: count, value: string)
	{
	switch ( attr_types[attr_type] ) {
	# case "Calling-Station-Id":
	# 	tmp = normalize_mac(value);
	# 	if ( tmp != "" )
	# 		print cat(attr_types[attr_type], " ", tmp);
	# 	else
	# 		print cat(attr_types[attr_type], " ", value);
	# 	break;
	# case "Called-Station-Id":
	# 	fallthrough;

	## Strings:
	# Printed verbatim, without any length or character sanity check.
	case "Reply-Message":
		fallthrough;
	case "User-Name":
		print cat(attr_types[attr_type], ": ", value);
		break;

	## IPs:
	# The payload is converted as an integer and then to an IPv4 address.
	# There is no check that value is exactly 4 bytes; what
	# bytestring_to_count does with other lengths is not visible here —
	# TODO confirm.
	case "Framed-IP-Address":
		fallthrough;
	case "Framed-IP-Netmask":
		fallthrough;
	case "NAS-IP-Address":
		print cat(attr_types[attr_type], ": ", count_to_v4_addr(bytestring_to_count(value)));
		break;

	## Counts:
	# Same unchecked integer conversion as above.
	case "Framed-MTU":
		fallthrough;
	case "NAS-Port":
		fallthrough;
	case "Session-Timeout":
		print cat(attr_types[attr_type], ": ", bytestring_to_count(value));
		break;

	## Other:
	# Enumerated values are resolved through the lookup tables from
	# consts.bro; whether those tables have a &default for unknown codes
	# cannot be seen from this file.
	case "NAS-Port-Type":
		print cat(attr_types[attr_type], ": ", nas_port_types[bytestring_to_count(value)]);
		break;
	case "Service-Type":
		print cat(attr_types[attr_type], ": ", service_types[bytestring_to_count(value)]);
		break;
	case "Framed-Protocol":
		print cat(attr_types[attr_type], ": ", framed_protocol_types[bytestring_to_count(value)]);
		break;
	case "Vendor-Specific":
		# Assumed layout, relying on sub_bytes being 1-based: vendor-id in
		# the first 4 bytes, vendor-type at byte 5, vendor-length at byte 6
		# (skipped, never validated), vendor data from byte 7 onwards capped
		# at 128 bytes. No check that value is long enough for these
		# offsets — TODO confirm sub_bytes behaviour on short input.
		switch(bytestring_to_count(sub_bytes(value, 0, 4))) {
		case 9:
			# Cisco IOS/PIX 6.0
			print cat(vendor_9_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
			break;
		case 255:
			# Cisco VPN 5000
			print cat(vendor_255_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
			break;
		case 311:
			# Microsoft
			print cat(vendor_311_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
			break;
		case 3076:
			# Cisco VPN 3000
			print cat(vendor_3076_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
			break;
		case 14823:
			# Aruba
			print cat(vendor_14823_types[bytestring_to_count(sub_bytes(value, 5, 1))], ": ", sub_bytes(value, 7, 128));
			break;
		default:
			# Only the vendor-id is reported; the vendor payload is dropped.
			print cat("Unknown vendor: ", bytestring_to_count(sub_bytes(value, 0, 4)));
			break;
		}
		break;
	default:
		# Any attribute not handled above is printed raw, like the strings.
		print cat(attr_types[attr_type], ": ", value);
		break;
	}
	}
# Called-Station-Id:
|
|
# Calling-Station-Id:
|
|
# Class:
|
|
# NAS-Identifier:
|
|
# State:
|
|
# Vendor-Specific:
|
|
# unknown-185:
|
|
# unknown-66:
|
|
# unknown-77:
|
|
# unknown-79:
|
|
# unknown-80:
|
|
# unknown-87:
|
|
# unknown-95: |