From 1eda26d16f960c1372103bd3bcf60bc930b166c9 Mon Sep 17 00:00:00 2001
From: Jay Wren
Date: Fri, 22 Feb 2019 15:51:17 -0500
Subject: [PATCH] add some dhcp options

---
 scripts/base/init-bare.zeek | 12 ++
 src/analyzer/protocol/dhcp/dhcp-options.pac | 124 ++++++++++++++++++
 .../.stdout | 4 +
 .../dhcp/dhcp_time_and_nameserver.trace | Bin 0 -> 790 bytes
 .../dhcp/dhcp-time-nameserver-events.btest | 12 ++
 5 files changed, 152 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-time-nameserver-events/.stdout
 create mode 100644 testing/btest/Traces/dhcp/dhcp_time_and_nameserver.trace
 create mode 100644 testing/btest/scripts/base/protocols/dhcp/dhcp-time-nameserver-events.btest

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index c41613aaef..5fadee3128 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3521,6 +3521,18 @@ export {
 ## URL to find a proxy.pac for auto proxy config (Option 252)
 auto_proxy_config: string &optional;
+
+ ## 25
+ time_offset: int &optional;
+
+ ## 26
+ timeserver_list: DHCP::Addrs &optional;
+
+ ## 27
+ nameserver_list: DHCP::Addrs &optional;
+
+ ## 28
+ ntpserver_list: DHCP::Addrs &optional;
 };
 }
diff --git a/src/analyzer/protocol/dhcp/dhcp-options.pac b/src/analyzer/protocol/dhcp/dhcp-options.pac
index 75236b311c..3aac447fea 100644
--- a/src/analyzer/protocol/dhcp/dhcp-options.pac
+++ b/src/analyzer/protocol/dhcp/dhcp-options.pac
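Review bot: The doc comments on the four new `DHCP::Options` fields (`## 25` through `## 28`) give only the record's storage index, while the neighbouring fields describe the value and name the DHCP option code, e.g. `(Option 252)`; the bare index is also easy to mistake for the option code, which for these fields is 2, 4, 5 and 42 per the dhcp-options.pac hunks. Suggested replacements: `## Offset of the client's subnet from UTC in seconds (Option 2)` for `time_offset`, `## List of time servers (Option 4)` for `timeserver_list`, `## List of IEN-116 name servers, distinct from the DNS servers option (Option 5)` for `nameserver_list`, and `## List of NTP servers (Option 42)` for `ntpserver_list`. The `export { … }` record this hunk extends starts outside the hunk.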
@@ -21,6 +21,29 @@ refine typeattr Option += &let {
 };
+##############################
+# TIME OFFSET OPTION
+##############################
+let TIME_OFFSET_OPTION = 2;
+
+# Parse the option
+refine casetype OptionValue += {
+ TIME_OFFSET_OPTION -> time_offset : uint32;
+};
+
+refine flow DHCP_Flow += {
+ function process_time_offset_option(v: OptionValue): bool
+ %{
+ ${context.flow}->options->Assign(25, new Val(${v.time_offset}, TYPE_INT));
+ return true;
+ %}
+};
+
+refine typeattr Option += &let {
+ proc_timeoffset_option = $context.flow.process_time_offset_option(info.value) &if(code==TIME_OFFSET_OPTION);
+};
+
+
 ##############################
 # ROUTER OPTION
 ##############################
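Review bot: `time_offset` is declared `uint32` in the casetype and handed to `new Val(…, TYPE_INT)` without a sign conversion, so the RFC 2132 option 2 value, a signed two's-complement 32-bit number of seconds, comes out as a large positive integer for every zone west of UTC; the committed baseline in the .stdout hunk pins exactly that artefact, `time_offset, 4294949296` being 2^32 − 18000, i.e. −18000 s (UTC−5). Declare the field signed, `TIME_OFFSET_OPTION -> time_offset : int32;` (or cast at the assignment, `new Val((int32) ${v.time_offset}, TYPE_INT)`), and regenerate the baseline so it reads `time_offset, -18000`. The script-side field in init-bare.zeek is already typed `int`, so no script change is needed. A one-line comment on the `let`, `# RFC 2132 3.4: signed offset in seconds from UTC`, would keep this from being reintroduced.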
@@ -55,6 +78,74 @@ refine typeattr Option += &let {
 };
+##############################
+# TIME SERVER OPTION
+##############################
+let TIME_SERVER_OPTION = 4;
+
+# Parse the option
+refine casetype OptionValue += {
+ TIME_SERVER_OPTION -> timeserver_list : uint32[length/4];
+};
+
+refine flow DHCP_Flow += {
+ function process_timeserver_option(v: OptionValue): bool
+ %{
+ VectorVal* timeserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
+ int num_servers = ${v.timeserver_list}->size();
+ vector* rlist = ${v.timeserver_list};
+
+ for ( int i = 0; i < num_servers; ++i )
+ {
+ uint32 raddr = (*rlist)[i];
+ timeserver_list->Assign(i, new AddrVal(htonl(raddr)));
+ }
+
+ ${context.flow}->options->Assign(26, timeserver_list);
+
+ return true;
+ %}
+};
+
+refine typeattr Option += &let {
+ proc_timeserver_option = $context.flow.process_timeserver_option(info.value) &if(code==TIME_SERVER_OPTION);
+};
+
+
+##############################
+# NAME SERVER OPTION
+##############################
+let NAME_SERVER_OPTION = 5;
+
+# Parse the option
+refine casetype OptionValue += {
+ NAME_SERVER_OPTION -> nameserver_list : uint32[length/4];
+};
+
+refine flow DHCP_Flow += {
+ function process_nameserver_option(v: OptionValue): bool
+ %{
+ VectorVal* nameserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
+ int num_servers = ${v.nameserver_list}->size();
+ vector* rlist = ${v.nameserver_list};
+
+ for ( int i = 0; i < num_servers; ++i )
+ {
+ uint32 raddr = (*rlist)[i];
+ nameserver_list->Assign(i, new AddrVal(htonl(raddr)));
+ }
+
+ ${context.flow}->options->Assign(27, nameserver_list);
+
+ return true;
+ %}
+};
+
+refine typeattr Option += &let {
+ proc_nameserver_option = $context.flow.process_nameserver_option(info.value) &if(code==NAME_SERVER_OPTION);
+};
+
+
 ##############################
 # DNS SERVER OPTION
 ##############################
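Review bot: `process_timeserver_option` and `process_nameserver_option` are the same ten-line body with the options index and field name swapped, and the NTP hunk (`process_ntpserver_option`) is a third copy, so the `htonl` byte-order flip and the `VectorVal`/`AddrVal` construction now live in three places (presumably more, if the router and DNS list handlers these are modelled on look alike; they are outside the hunk). A small helper that turns the parsed list into a `DHCP::Addrs` value reduces each handler to one `Assign` line, as sketched below, with the element type of `rlist` taken from the existing handlers. Secondarily, `uint32[length/4]` silently drops the one to three trailing bytes of an option whose length is not a multiple of 4; unless the enclosing `Option` record already bounds the value by its length, a `&check(length % 4 == 0)` on the list field (or a Weird) would make the malformed case visible instead of parsing it as a shorter list.
```binpac
%code{
// Build a DHCP::Addrs vector from a parsed list of IPv4 addresses; shared by
// the time-, name- and NTP-server handlers (the router/DNS list handlers
// could use it too). Flips to network order for AddrVal, as the handlers do.
static VectorVal* addr_list_val(vector<uint32>* rlist)
	{
	VectorVal* lst = new VectorVal(BifType::Vector::DHCP::Addrs);

	for ( size_t i = 0; i < rlist->size(); ++i )
		lst->Assign(i, new AddrVal(htonl((*rlist)[i])));

	return lst;
	}
%}

# … unchanged: TIME_SERVER_OPTION let and casetype refinement …

refine flow DHCP_Flow += {
	function process_timeserver_option(v: OptionValue): bool
	%{
	${context.flow}->options->Assign(26, addr_list_val(${v.timeserver_list}));
	return true;
	%}
};

# … unchanged: proc_timeserver_option &let; the name-server handler shrinks the same way with index 27 …
```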
@@ -194,6 +285,39 @@ refine typeattr Option += &let {
 };
+##############################
+# NTP SERVER OPTION
+##############################
+let NTP_SERVER_OPTION = 42;
+
+# Parse the option
+refine casetype OptionValue += {
+ NTP_SERVER_OPTION -> ntpserver_list : uint32[length/4];
+};
+
+refine flow DHCP_Flow += {
+ function process_ntpserver_option(v: OptionValue): bool
+ %{
+ VectorVal* ntpserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
+ int num_servers = ${v.ntpserver_list}->size();
+ vector* rlist = ${v.ntpserver_list};
+
+ for ( int i = 0; i < num_servers; ++i )
+ {
+ uint32 raddr = (*rlist)[i];
+ ntpserver_list->Assign(i, new AddrVal(htonl(raddr)));
+ }
+
+ ${context.flow}->options->Assign(28, ntpserver_list);
+
+ return true;
+ %}
+};
+
+refine typeattr Option += &let {
+ proc_ntpserver_option = $context.flow.process_ntpserver_option(info.value) &if(code==NTP_SERVER_OPTION);
+};
+
 ##############################
 # VENDOR SPECIFIC OPTION
 ##############################
diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-time-nameserver-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-time-nameserver-events/.stdout
new file mode 100644
index 0000000000..9dc07f18e6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-time-nameserver-events/.stdout
@@ -0,0 +1,4 @@
+time_offset, 4294949296
+timeserver_list, [192.168.15.101]
+nameserver_list, [192.168.15.101]
+ntpserver_list, [192.168.15.101]
diff --git a/testing/btest/Traces/dhcp/dhcp_time_and_nameserver.trace b/testing/btest/Traces/dhcp/dhcp_time_and_nameserver.trace
new file mode 100644
index 0000000000000000000000000000000000000000..3395e48d6e68c236bcf65294998bb0a2c5901b95
GIT binary patch
literal 790
zcmca|c+)~A1{MYcU}0bca@K~uh&k)ezz_!Hfbf4XV3_cA;#qkP23G+_50H)qLCa|% z8YIc!!r;tk(wo4@$i}cSG%*t-jsd{>F+_)~Kyp)XvMD385zB!U{J(hE3i1nd^NY=e z7-g84`Ps^Obo8YvwOCkxD*pM8-HV`577b%y=m3T=2t&e`LH+8^34=3(3uBtxK_;|N2FZccfbF4jC>KV3Gw)vVzG!iWwy(1y=g{DXBS$ UmBo5+4f+K|`4yFV1&PW30SfeTNB{r;
literal 0
HcmV?d00001
diff --git a/testing/btest/scripts/base/protocols/dhcp/dhcp-time-nameserver-events.btest b/testing/btest/scripts/base/protocols/dhcp/dhcp-time-nameserver-events.btest
new file mode 100644
index 0000000000..a5257c4cea
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-time-nameserver-events.btest
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -b -r $TRACES/dhcp/dhcp_time_and_nameserver.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/dhcp
+
+event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=5
+ {
+ print "time_offset", options$time_offset;
+ print "timeserver_list", options$timeserver_list;
+ print "nameserver_list", options$nameserver_list;
+ print "ntpserver_list", options$ntpserver_list;
+ }
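Review bot: The event handler reads the four `&optional` fields with `$` and no `?$` guard, so a trace in which any one of the options is absent ends the handler with a runtime error instead of producing a line that is simply missing from the diff; the baseline shows all four are present for this trace, but the test will not survive a trace or analyzer change that drops one. Guard each print, e.g. `if ( options?$time_offset ) print "time_offset", options$time_offset;`, and likewise for the other three fields.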