STUN

Session Traversal Utilities for NAT (STUN)

This is a Zeek protocol analyzer that detects STUN based on Spicy. You must install Spicy to use this package.

This package will create two logs:

stun.log - This log has every STUN message.
stun_nat.log - This log has NAT detections from mapped addresses.

Additional logic has been added to the original logic found here:

https://github.com/r-franke/spicy_stun (BSD License for original code and PCAP here.)
https://github.com/r-franke/spicy_stun/issues/1 (Permission to move this work over to spicy-analyzers here.)

More info about STUN:

Example

$ zeek -Cr stun-ice-testcall.pcap packages

$ head -n 20 stun.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	stun
#open	2021-11-23-19-48-14
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	is_orig	trans_id	method	class	attr_types	attr_vals
#types	time	string	addr	port	addr	port	enum	bool	string	string	string	vector[string]	vector[string]
1377211115.029606	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	T	SOpCii5Jfc1z	BINDING	REQUEST	(empty)	(empty)
1377211115.073291	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	F	SOpCii5Jfc1z	BINDING	RESPONSE_SUCCESS	MAPPED_ADDRESS	70.199.128.46:4604
1377211125.073812	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	T	KIkrzjV7Aan8	BINDING	REQUEST	(empty)	(empty)
1377211125.173831	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	T	KIkrzjV7Aan8	BINDING	REQUEST	(empty)	(empty)
1377211125.183611	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	F	KIkrzjV7Aan8	BINDING	RESPONSE_SUCCESS	MAPPED_ADDRESS	70.199.128.46:4604
1377211125.210098	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	F	KIkrzjV7Aan8	BINDING	RESPONSE_SUCCESS	MAPPED_ADDRESS	70.199.128.46:4604
1377211128.184058	ClEkJM2Vm5giqnMf4h	192.168.43.155	59977	155.212.214.188	23130	udp	T	5YSnBqpVwa9O	BINDING	REQUEST	USERNAME,ICE_CONTROLLING,USE_CANDIDATE,PRIORITY,MESSAGE_INTEGRITY,FINGERPRINT	pLyZHR:GwL3AHBovubLvCqn,\x18\x8b\x10Li{\xf6[,(empty),1845501695,`+\xc7\xfc\x0d\x10c\xaa\xc58\x1c\xcb\x96\xa9s\x08s\x9a\x96\x0c,3512920677
1377211128.184433	C4J4Th3PJpwUYZZ6gc	192.168.43.155	59977	155.212.214.188	23131	udp	T	mPEXdyYbuuQm	BINDING	REQUEST	USERNAME,ICE_CONTROLLING,USE_CANDIDATE,PRIORITY,MESSAGE_INTEGRITY,FINGERPRINT	pLyZHR:GwL3AHBovubLvCqn,\x18\x8b\x10Li{\xf6[,(empty),1845501695,\xed<\x90\xdaN+2\xd5\xd3\xe4\x8b&\xdc\xcd\xddv\xbakc\xe9,3908864856
1377211128.232201	CtPZjS20MLrsMUOJi2	192.168.43.155	60020	155.212.214.188	23130	udp	T	akReei85OatV	BINDING	REQUEST	USERNAME,ICE_CONTROLLING,USE_CANDIDATE,PRIORITY,MESSAGE_INTEGRITY,FINGERPRINT	pLyZHR:GwL3AHBovubLvCqn,\x18\x8b\x10Li{\xf6[,(empty),1845501695,x\xb7\x14\xa9\x9fi\xf9+\xcc;\\\xe0\x0f\xee\x911\x02\xb9\x83a,2846465274
1377211128.232522	CUM0KZ3MLUfNB0cl11	192.168.43.155	60020	155.212.214.188	23131	udp	T	K32zssmQHem3	BINDING	REQUEST	USERNAME,ICE_CONTROLLING,USE_CANDIDATE,PRIORITY,MESSAGE_INTEGRITY,FINGERPRINT	pLyZHR:GwL3AHBovubLvCqn,\x18\x8b\x10Li{\xf6[,(empty),1845501695,\xdb\xae\x92\x92\xba\xb9\xaao\xf7\x95\x98\xde\x2c\xd4\x9a\xdae\xc9\x2c\x08,1949326560
1377211128.280083	ClEkJM2Vm5giqnMf4h	192.168.43.155	59977	155.212.214.188	23130	udp	T	VPPyM5LqxI7r	BINDING	REQUEST	USERNAME,ICE_CONTROLLING,USE_CANDIDATE,PRIORITY,MESSAGE_INTEGRITY,FINGERPRINT	pLyZHR:GwL3AHBovubLvCqn,\x18\x8b\x10Li{\xf6[,(empty),1845501695, \x01\x0e\x94\xea\x90\x07F\xa1\x18\x87\x85\x10{q5\x9c\x92)},2756207482
1377211128.280402	C4J4Th3PJpwUYZZ6gc	192.168.43.155	59977	155.212.214.188	23131	udp	T	jDsAa/4ATcQN	BINDING	REQUEST	USERNAME,ICE_CONTROLLING,USE_CANDIDATE,PRIORITY,MESSAGE_INTEGRITY,FINGERPRINT	pLyZHR:GwL3AHBovubLvCqn,\x18\x8b\x10Li{\xf6[,(empty),1845501695,\xf8\x98-!\x0bG\xa6\x85\xcc \xcf^\x0b`\xe6\xcd::\xae5,3444520530

$ head -n 20 stun_nat.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	stun_nat
#open	2021-11-23-19-48-14
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	is_orig	wan_addrs	wan_ports	lan_addrs
#types	time	string	addr	port	addr	port	enum	bool	vector[addr]	vector[count]	vector[addr]
1377211115.073291	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	F	70.199.128.46	4604	192.168.43.155
1377211125.183611	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	F	70.199.128.46	4604	192.168.43.155
1377211125.210098	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	F	70.199.128.46	4604	192.168.43.155
1377211128.309676	ClEkJM2Vm5giqnMf4h	192.168.43.155	59977	155.212.214.188	23130	udp	F	70.199.128.46	4587	192.168.43.155
1377211128.309677	C4J4Th3PJpwUYZZ6gc	192.168.43.155	59977	155.212.214.188	23131	udp	F	70.199.128.46	4587	192.168.43.155
1377211128.358745	CUM0KZ3MLUfNB0cl11	192.168.43.155	60020	155.212.214.188	23131	udp	F	70.199.128.46	4604	192.168.43.155
1377211128.359514	CtPZjS20MLrsMUOJi2	192.168.43.155	60020	155.212.214.188	23130	udp	F	70.199.128.46	4604	192.168.43.155
1377211128.394673	ClEkJM2Vm5giqnMf4h	192.168.43.155	59977	155.212.214.188	23130	udp	F	70.199.128.46	4587	192.168.43.155
1377211128.405706	C4J4Th3PJpwUYZZ6gc	192.168.43.155	59977	155.212.214.188	23131	udp	F	70.199.128.46	4587	192.168.43.155
1377211128.458800	C4J4Th3PJpwUYZZ6gc	192.168.43.155	59977	155.212.214.188	23131	udp	F	70.199.128.46	4587	192.168.43.155
1377211128.459477	ClEkJM2Vm5giqnMf4h	192.168.43.155	59977	155.212.214.188	23130	udp	F	70.199.128.46	4587	192.168.43.155
1377211128.940537	ClEkJM2Vm5giqnMf4h	192.168.43.155	59977	155.212.214.188	23130	udp	F	70.199.128.46	4587	192.168.43.155

$ cat conn.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	conn
#open	2021-11-23-19-48-14
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
1377211115.029606	CHhAvVGS1DHFjwGM9	192.168.43.155	60020	74.125.141.127	19302	udp	spicy_stun	20.187972	80	128	SF	-	-	0	Dd	4	192	4	240	-
1377211128.184058	ClEkJM2Vm5giqnMf4h	192.168.43.155	59977	155.212.214.188	23130	udp	spicy_stun	7.955804	2136	1972	SF	-	-	0	Dd	22	2752	22	2588	-
1377211128.232201	CtPZjS20MLrsMUOJi2	192.168.43.155	60020	155.212.214.188	23130	udp	spicy_stun	0.274303	288	288	SF	-	-	0	Dd	4	400	3	372	-
1377211128.184433	C4J4Th3PJpwUYZZ6gc	192.168.43.155	59977	155.212.214.188	23131	udp	spicy_stun	7.955427	2088	1872	SF	-	-	0	Dd	21	2676	21	2460	-
1377211128.232522	CUM0KZ3MLUfNB0cl11	192.168.43.155	60020	155.212.214.188	23131	udp	spicy_stun	0.242014	288	288	SF	-	-	0	Dd	4	400	3	372	-
#close	2021-11-23-19-48-14

Testing Pcaps:

stun-ice-testcall.pcap
stun-attribute-length-ffff.pcap (self-made)
stun-malformed-error.pcap (self-made)

zeek-spicy-stun

STUN

Example

Package Version :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :

Description :

Script Dir :

Plugin Dir :

Build Command :

Test Command :