base/protocols/radius/main.bro
-
RADIUS
Implements base functionality for RADIUS analysis. Generates the radius.log file.
| Namespace: | RADIUS |
|---|---|
| Imports: | base/protocols/radius/consts.bro, base/utils/addrs.bro |
| Source File: | /scripts/base/protocols/radius/main.bro |
Summary
Types
RADIUS::Info: record |
Redefinitions
Log::ID: enum |
|
connection: record |
|
likely_server_ports: set &redef |
Events
RADIUS::log_radius: event |
Event that can be handled to access the RADIUS record as it is sent on to the logging framework. |
Detailed Interface
Types
-
RADIUS::Info Type: - ts:
time&log Timestamp for when the event happened.
- uid:
string&log Unique ID for the connection.
- id:
conn_id&log The connection’s 4-tuple of endpoint addresses/ports.
- username:
string&log&optional The username, if present.
- mac:
string&log&optional MAC address, if present.
- framed_addr:
addr&log&optional The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
- remote_ip:
addr&log&optional Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.
- connect_info:
string&log&optional Connect info, if present.
- reply_msg:
string&log&optional Reply message from the server challenge. This is frequently shown to the user authenticating.
- result:
string&log&optional Successful or failed authentication.
- ttl:
interval&log&optional The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.
- logged:
bool&default=F&optional Whether this has already been logged and can be ignored.
- ts:
Events
-
RADIUS::log_radius Type: event(rec:RADIUS::Info)Event that can be handled to access the RADIUS record as it is sent on to the logging framework.
