From 269e80b3e19228c4a61fa9e89aee81a9d234ed7b Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Mon, 1 Jun 2015 18:57:16 -0700
Subject: [PATCH] make pacf logging deal with wildcards in flows.
---
 scripts/base/frameworks/pacf/main.bro | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/scripts/base/frameworks/pacf/main.bro b/scripts/base/frameworks/pacf/main.bro
index 2faa13e74d..efb5cd60d0 100644
--- a/scripts/base/frameworks/pacf/main.bro
+++ b/scripts/base/frameworks/pacf/main.bro
@@ -241,9 +241,21 @@ function entity_to_info(info: Info, e: Entity)
 break;
 case FLOW:
- info$entity = fmt("%s/%d->%s/%d",
- e$flow$src_h, e$flow$src_p,
- e$flow$dst_h, e$flow$dst_p);
+ local ffrom_ip = "*";
+ local ffrom_port = "*";
+ local fto_ip = "*";
+ local fto_port = "*";
+ if ( e$flow?$src_h )
+ ffrom_ip = cat(e$flow$src_h);
+ if ( e$flow?$src_p )
+ ffrom_port = fmt("%d", e$flow$src_p);
+ if ( e$flow?$dst_h )
+ fto_ip = cat(e$flow$dst_h);
+ if ( e$flow?$dst_p )
+ fto_port = fmt("%d", e$flow$dst_p);
+ info$entity = fmt("%s/%s->%s/%s",
+ ffrom_ip, ffrom_port,
+ fto_ip, fto_port);
 break;
 case MAC:
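Review bot: In the new FLOW case, `fmt("%d", e$flow$src_p)` and `fmt("%d", e$flow$dst_p)` log only the numeric part of the port. If these fields are of type `port` (the Flow record is declared outside this hunk, so this is an assumption), a rule on 53/udp and one on 53/tcp produce the same `entity` string in the pacf log. Using `ffrom_port = cat(e$flow$src_p);` and `fto_port = cat(e$flow$dst_p);`, as the host fields already do, would keep the protocol, at the cost of a changed log format. A comment above the locals such as `# Unset flow fields are wildcards and are logged as "*".` would also help, since a line reading `*/*->*/*` describes a rule that matches all traffic. entity_to_info starts and ends outside the hunk.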