main.zeek

Implements base functionality for RADIUS analysis. Generates the radius.log file.

Namespace: RADIUS
Imports: base/protocols/conn/removal-hooks.zeek, base/protocols/radius/consts.zeek, base/utils/addrs.zeek

Summary

`Log::ID`: `enum`	`RADIUS::LOG`
`connection`: `record`	New Fields `connection` radius: `RADIUS::Info` `&optional`
`likely_server_ports`: `set` `&redef`

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.

`RADIUS::finalize_radius`: `Conn::RemovalHook`	RADIUS finalization hook.
`RADIUS::log_policy`: `Log::PolicyHook`

Type

record

ts: time &log: Timestamp for when the event happened.
uid: string &log: Unique ID for the connection.
id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.
username: string &log &optional: The username, if present.
mac: string &log &optional: MAC address, if present.
framed_addr: addr &log &optional: The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
tunnel_client: string &log &optional: Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.
connect_info: string &log &optional: Connect info, if present.
reply_msg: string &log &optional: Reply message from the server challenge. This is frequently shown to the user authenticating.
result: string &log &optional: Successful or failed authentication.
ttl: interval &log &optional: The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.
logged: bool &default = F &optional: Whether this has already been logged and can be ignored.

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.

RADIUS finalization hook. Remaining RADIUS info may get logged when it’s called.