base/protocols/radius/main.zeek
- RADIUS
Implements base functionality for RADIUS analysis. Generates the radius.log file.
- Namespace: RADIUS
- Imports: base/protocols/conn/removal-hooks.zeek, base/protocols/radius/consts.zeek, base/utils/addrs.zeek
Summary
Types
Redefinitions
Events
- RADIUS::log_radius: Event that can be handled to access the RADIUS record as it is sent on to the logging framework.
Hooks
- RADIUS::finalize_radius: RADIUS finalization hook.
Detailed Interface
Types
- RADIUS::Info
- Type:
-
- ts: time &log
Timestamp for when the event happened.
- uid: string &log
Unique ID for the connection.
- id: conn_id &log
The connection’s 4-tuple of endpoint addresses/ports.
- username: string &log &optional
The username, if present.
- mac: string &log &optional
MAC address, if present.
- framed_addr: addr &log &optional
The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
- tunnel_client: string &log &optional
Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.
- connect_info: string &log &optional
Connect info, if present.
- reply_msg: string &log &optional
Reply message from the server challenge. This is frequently shown to the user authenticating.
- result: string &log &optional
Successful or failed authentication.
- ttl: interval &log &optional
The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.
- logged: bool &default=F &optional
Whether this has already been logged and can be ignored.
Events
- RADIUS::log_radius
- Type: event (rec: RADIUS::Info)
Event that can be handled to access the RADIUS record as it is sent on to the logging framework.
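An added example, not part of the Zeek distribution, of handling RADIUS::log_radius to raise a notice when the same username is rejected repeatedly through one network access server. The module name RADIUSFailures, the notice type, the threshold and the window are hypothetical, and the literal "failed" as the value of the result field is an assumption.

```zeek
@load base/protocols/radius
@load base/frameworks/notice

module RADIUSFailures;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type defined by this example.
		Repeated_Failure,
	};

	## Assumed threshold and window; tune both for the site.
	const fail_threshold = 5 &redef;
	const fail_window = 10min &redef;
}

# Failed attempts per (RADIUS client, username). Entries expire
# fail_window after creation, which bounds both memory and the count.
global failures: table[addr, string] of count
	&default=0 &create_expire=fail_window;

event RADIUS::log_radius(rec: RADIUS::Info)
	{
	# result and username are &optional, so test before reading them.
	if ( ! rec?$result || ! rec?$username )
		return;

	# Assumption: a rejected authentication is recorded as "failed".
	if ( rec$result != "failed" )
		return;

	# The connection originator is the RADIUS client, i.e. the
	# network access server, not the end user's device.
	local nas = rec$id$orig_h;
	++failures[nas, rec$username];
	local n = failures[nas, rec$username];

	# Fire once, when the threshold is first reached in the window.
	if ( n == fail_threshold )
		NOTICE([$note=Repeated_Failure,
		        $msg=fmt("%d failed RADIUS logins for %s via %s",
		                 n, rec$username, nas),
		        $uid=rec$uid, $id=rec$id, $src=nas,
		        $identifier=cat(nas, rec$username)]);
	}
```

Because the event fires as each record is handed to the logging framework, the handler sees the same fields that are written to radius.log.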
Hooks
- RADIUS::finalize_radius
- Type:
RADIUS finalization hook. Remaining RADIUS info may get logged when it’s called.