Merge remote-tracking branch 'origin/topic/vladg/sumstats-tweaks' into topic/seth/sumstats-updates

CHANGES

@@ -1,4 +1,55 @@
 
+2.1-1036 | 2013-08-05 17:29:11 -0400
+
+  * Fix the SSL infinite loop I just created. (Seth Hall)
+
+2.1-1035 | 2013-08-05 16:44:50 -0400
+
+  * Change to SSL log delay to cause the log to write even if delay times out. (Seth Hall)
+
+2.1-1034 | 2013-08-03 20:27:43 -0700
+
+  * A set of DHCP extensions. (Vlad Grigorescu)
+
+     - Leases are logged to dhcp.log as they are seen.
+     - scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro
+     - Added DPD sig.
+
+2.1-1027 | 2013-08-03 01:57:37 -0400
+
+  * Fix a major memory issue in the SumStats framework.
+
+2.1-1026 | 2013-08-02 22:35:09 -0400
+
+  * Fix the SumStats top-k plugin and test. (Seth Hall)
+
+  * Rework of SumStats API to reduce high instantaneous memory
+    use on clusters. (Seth Hall)
+
+  * Large update for the SumStats framework.
+
+     - On-demand access to sumstats results through "return from"
+       functions named SumStats::request and Sumstats::request_key.
+       Both functions are tested in standalone and clustered modes.
+
+     - $name field has returned to SumStats which simplifies cluster
+       code and makes the on-demand access stuff possible.
+
+     - Clustered results can only be collected for 1 minute from their
+       time of creation now instead of time of last read.
+
+     - Thresholds use doubles instead of counts everywhere now.
+
+     - Calculation dependency resolution occurs at start up time now
+       instead of doing it at observation time which provide a minor
+       cpu performance improvement.  A new plugin registration mechanism
+       was created to support this change.
+
+     - AppStats now has a minimal doc string and is broken into hook-based
+       plugins.
+
+     - AppStats and traceroute detection added to local.bro (Seth Hall)
+
 2.1-1009 | 2013-08-02 17:19:08 -0700
 
   * A number of exec module and raw input reader fixes. (Jon Siwek)

VERSION

@@ -1 +1 @@
-2.1-1009
+2.1-1036

doc/scripts/DocSourcesList.cmake

@@ -139,6 +139,9 @@ rest_target(${psd} base/protocols/conn/contents.bro)
 rest_target(${psd} base/protocols/conn/inactivity.bro)
 rest_target(${psd} base/protocols/conn/main.bro)
 rest_target(${psd} base/protocols/conn/polling.bro)
+rest_target(${psd} base/protocols/dhcp/consts.bro)
+rest_target(${psd} base/protocols/dhcp/main.bro)
+rest_target(${psd} base/protocols/dhcp/utils.bro)
 rest_target(${psd} base/protocols/dns/consts.bro)
 rest_target(${psd} base/protocols/dns/main.bro)
 rest_target(${psd} base/protocols/ftp/files.bro)
@@ -215,6 +218,7 @@ rest_target(${psd} policy/misc/app-stats/plugins/pandora.bro)
 rest_target(${psd} policy/misc/app-stats/plugins/youtube.bro)
 rest_target(${psd} policy/misc/capture-loss.bro)
 rest_target(${psd} policy/misc/detect-traceroute/main.bro)
+rest_target(${psd} policy/misc/known-devices.bro)
 rest_target(${psd} policy/misc/load-balancing.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
 rest_target(${psd} policy/misc/profiling.bro)
@@ -224,6 +228,7 @@ rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
+rest_target(${psd} policy/protocols/dhcp/known-devices-and-hostnames.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
 rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro)

scripts/base/frameworks/sumstats/cluster.bro

@@ -73,7 +73,7 @@ global recent_global_view_keys: table[string, Key] of count &create_expire=1min
 
 # Result tables indexed on a uid that are currently being sent to the
 # manager.
-global sending_results: table[string] of ResultTable = table();
+global sending_results: table[string] of ResultTable = table() &create_expire=1min;
 
 # This is done on all non-manager node types in the event that a sumstat is
 # being collected somewhere other than a worker.
@@ -171,7 +171,7 @@ event SumStats::cluster_ss_request(uid: string, ss_name: string, cleanup: bool)
 	#print fmt("WORKER %s: received the cluster_ss_request event for %s.", Cluster::node, id);
 
 	# Create a back store for the result
-	sending_results[uid] = (ss_name in result_store) ? copy(result_store[ss_name]) : table();
+	sending_results[uid] = (ss_name in result_store) ? result_store[ss_name] : table();
 
 	# Lookup the actual sumstats and reset it, the reference to the data
 	# currently stored will be maintained internally from the 
@@ -357,12 +357,16 @@ function request_all_current_keys(uid: string, ss_name: string, cleanup: bool)
 event SumStats::send_no_key(uid: string, ss_name: string)
 	{
 	#print "send_no_key";
+
+	if ( uid !in done_with )
+		done_with[uid] = 0;
+
 	++done_with[uid];
 	if ( Cluster::worker_count == done_with[uid] )
 		{
 		delete done_with[uid];
 
-		if ( |stats_keys[uid]| > 0 )
+		if ( uid in stats_keys && |stats_keys[uid]| > 0 )
 			{
 			#print "we need more keys!";
 			# Now that we have a key from each worker, lets
@@ -426,6 +430,9 @@ event SumStats::cluster_send_result(uid: string, ss_name: string, key: Key, resu
 		key_requests[uid] = compose_results(key_requests[uid], result);
 
 	# Mark that a worker is done.
+	if ( uid !in done_with )
+		done_with[uid] = 0;
+	
 	++done_with[uid];
 
 	#if ( Cluster::worker_count == done_with[uid] )

scripts/base/init-default.bro

@@ -39,6 +39,7 @@
 @load base/frameworks/tunnels
 
 @load base/protocols/conn
+@load base/protocols/dhcp
 @load base/protocols/dns
 @load base/protocols/ftp
 @load base/protocols/http

scripts/base/protocols/dhcp/__load__.bro

@@ -0,0 +1,4 @@
+@load ./consts
+@load ./main
+
+@load-sigs ./dpd.sig

scripts/base/protocols/dhcp/consts.bro

@@ -0,0 +1,20 @@
+##! Types, errors, and fields for analyzing DHCP data.  A helper file
+##! for DHCP analysis scripts.
+
+module DHCP;
+
+export {
+
+	## Types of DHCP messages. See RFC 1533.
+	const message_types = {
+		[1] = "DHCP_DISCOVER",
+		[2] = "DHCP_OFFER",
+		[3] = "DHCP_REQUEST",
+		[4] = "DHCP_DECLINE",
+		[5] = "DHCP_ACK",
+		[6] = "DHCP_NAK",
+		[7] = "DHCP_RELEASE",
+		[8] = "DHCP_INFORM",
+	} &default = function(n: count): string { return fmt("unknown-message-type-%d", n); };
+
+}

scripts/base/protocols/dhcp/dpd.sig

@@ -0,0 +1,5 @@
+signature dhcp_cookie {
+  ip-proto == udp
+  payload /^.*\x63\x82\x53\x63/
+  enable "dhcp"
+}

scripts/base/protocols/dhcp/main.bro

@@ -0,0 +1,75 @@
+##! Analyzes DHCP traffic in order to log DHCP leases given to clients.
+##! This script ignores large swaths of the protocol, since it is rather
+##! noisy on most networks, and focuses on the end-result: assigned leases.
+##!
+##! If you'd like to track known DHCP devices and to log the hostname
+##! supplied by the client, see policy/protocols/dhcp/known-devices.bro
+
+@load ./utils.bro
+
+module DHCP;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	## The record type which contains the column fields of the DHCP log.
+	type Info: record {
+		## The earliest time at which a DHCP message over the
+		## associated connection is observed.
+		ts:		time		&log;
+		## A unique identifier of the connection over which DHCP is
+		## occuring.
+		uid:		string		&log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:		conn_id		&log;
+		## Client's hardware address.
+		mac:		string		&log &optional;
+		## Client's actual assigned IP address.
+		assigned_ip:	addr		&log &optional;
+		## IP address lease interval.
+		lease_time:	interval	&log &optional;
+		## A random number choosen by the client for this transaction.
+		trans_id:	count		&log;
+	};
+
+	## Event that can be handled to access the DHCP
+	## record as it is sent on to the logging framework.
+	global log_dhcp: event(rec: Info);
+}
+
+# Add the dhcp info to the connection record
+redef record connection += {
+	dhcp: Info &optional;
+};
+
+# 67/udp is the server's port, 68/udp the client.
+const ports = { 67/udp, 68/udp };
+redef likely_server_ports += { 67/udp };
+
+event bro_init()
+	{
+	Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
+	}
+
+event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
+	{
+	local info: Info;
+	info$ts          = network_time();
+	info$id          = c$id;
+	info$uid         = c$uid;
+	info$lease_time  = lease;
+	info$trans_id    = msg$xid;
+
+	if ( msg$h_addr != "" )
+		info$mac = msg$h_addr;
+
+	if ( reverse_ip(msg$yiaddr) != 0.0.0.0 )
+		info$assigned_ip = reverse_ip(msg$yiaddr);
+	else
+		info$assigned_ip = c$id$orig_h;
+
+	c$dhcp = info;
+
+	Log::write(DHCP::LOG, c$dhcp);
+	}

scripts/base/protocols/dhcp/utils.bro

@@ -0,0 +1,21 @@
+##! Utilities specific for DHCP processing.
+
+@load ./main
+
+module DHCP;
+
+export {
+	## Reverse the octets of an IPv4 IP.
+	##
+	## ip: An :bro:type:`addr` IPv4 address.
+	##
+	## Returns: A reversed addr.
+	global reverse_ip: function(ip: addr): addr;
+}
+
+function reverse_ip(ip: addr): addr
+	{
+	local octets = split(cat(ip), /\./);
+	return to_addr(cat(octets[4], ".", octets[3], ".", octets[2], ".", octets[1]));
+	}
+

scripts/base/protocols/ssl/main.bro

@@ -137,8 +137,9 @@ function log_record(info: Info)
 			}
 		timeout 15secs
 			{
-			Reporter::info(fmt("SSL delay tokens not released in time (%s tokens remaining)",
+			# We are just going to log the record anyway.
-			                   |info$delay_tokens|));
+			delete info$delay_tokens;
+			log_record(info);
 			}
 		}
 	}

scripts/policy/misc/known-devices.bro

@@ -0,0 +1,41 @@
+##! This script provides infrastructure for logging devices for which Bro has been
+##! able to determine the MAC address, and it logs them once per day (by default).
+##! The log that is output provides an easy way to determine a count of the devices
+##! in use on a network per day.
+##!
+##! ..note::
+##!
+##!     This script will not generate any logs on its own, it needs to be
+##!     supplied with information from elsewhere, such as
+##!     :doc:`policy/protocols/dhcp/known-devices-and-hostnames/scripts/.
+
+module Known;
+
+export {
+	## The known-hosts logging stream identifier.
+	redef enum Log::ID += { DEVICES_LOG };
+
+	## The record type which contains the column fields of the known-devices log.
+	type DevicesInfo: record {
+		## The timestamp at which the host was detected.
+		ts:      time &log;
+		## The MAC address that was detected.
+		mac:     string &log;
+	};
+
+	## The set of all known MAC addresses. It can accessed from other
+        ## to add, and check for, addresses seen in use.
+        ##
+	## We maintain each entry for 24 hours by default so that the existence of
+	## individual addressed is logged each day.
+	global known_devices: set[string] &create_expire=1day &synchronized &redef;
+
+	## An event that can be handled to access the :bro:type:`Known::DevicesInfo`
+	## record as it is sent on to the logging framework.
+	global log_known_devices: event(rec: DevicesInfo);
+}
+
+event bro_init()
+	{
+	Log::create_stream(Known::DEVICES_LOG, [$columns=DevicesInfo, $ev=log_known_devices]);
+	}

scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro

@@ -0,0 +1,37 @@
+##! Tracks MAC address with hostnames seen in DHCP traffic. They are logged into
+##! ``devices.log``.
+
+@load policy/misc/known-devices
+
+module Known;
+
+export {
+	redef record DevicesInfo += {
+		## The value of the DHCP host name option, if seen
+		dhcp_host_name:	string		&log &optional;
+	};
+}
+
+event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string)
+	{
+	if ( msg$h_addr == "" )
+		return;
+
+	if ( msg$h_addr !in known_devices )
+		{
+		add known_devices[msg$h_addr];
+		Log::write(Known::DEVICES_LOG, [$ts=network_time(), $mac=msg$h_addr, $dhcp_host_name=host_name]);
+		}
+	}
+
+event dhcp_inform(c: connection, msg: dhcp_msg, host_name: string)
+	{
+	if ( msg$h_addr == "" )
+		return;
+
+	if ( msg$h_addr !in known_devices )
+		{
+		add known_devices[msg$h_addr];
+		Log::write(Known::DEVICES_LOG, [$ts=network_time(), $mac=msg$h_addr, $dhcp_host_name=host_name]);
+		}
+	}

scripts/test-all-policy.bro

@@ -47,6 +47,7 @@
 @load misc/capture-loss.bro
 @load misc/detect-traceroute/__load__.bro
 @load misc/detect-traceroute/main.bro
+@load misc/known-devices.bro
 @load misc/load-balancing.bro
 @load misc/loaded-scripts.bro
 @load misc/profiling.bro
@@ -56,6 +57,7 @@
 @load protocols/conn/known-hosts.bro
 @load protocols/conn/known-services.bro
 @load protocols/conn/weirds.bro
+@load protocols/dhcp/known-devices-and-hostnames.bro
 @load protocols/dns/auth-addl.bro
 @load protocols/dns/detect-external-names.bro
 @load protocols/ftp/detect-bruteforcing.bro

src/analyzer/protocol/dhcp/DHCP.cc

@@ -1,4 +1,3 @@
-
 #include "DHCP.h"
 
 #include "events.bif.h"

src/analyzer/protocol/dhcp/dhcp-analyzer.pac

@@ -8,12 +8,10 @@ flow DHCP_Flow(is_orig: bool) {
 
 	%member{
 		BroVal dhcp_msg_val_;
-		BroAnalyzer interp;
 	%}
 
 	%init{
 		dhcp_msg_val_ = 0;
-		interp = connection->bro_analyzer();
 	%}
 
 	%cleanup{
@@ -45,7 +43,7 @@ flow DHCP_Flow(is_orig: bool) {
 			}
 
 		if ( type == 0 )
-			interp->Weird("DHCP_no_type_option");
+			connection()->bro_analyzer()->ProtocolViolation("no DHCP message type option");
 
 		return type;
 		%}
@@ -56,11 +54,12 @@ flow DHCP_Flow(is_orig: bool) {
 
 		// Requested IP address to the server.
 		::uint32 req_addr = 0, serv_addr = 0;
+		StringVal* host_name = 0;
 
-		for ( ptr = options->begin();
+		for ( ptr = options->begin();  ptr != options->end() && ! (*ptr)->last(); ++ptr )
-		       ptr != options->end() && ! (*ptr)->last(); ++ptr )
+			{
+			switch ( (*ptr)->code() )
 				{
-			switch ( (*ptr)->code() ) {
 				case REQ_IP_OPTION:
 					req_addr = htonl((*ptr)->info()->req_addr());
 					break;
@@ -68,40 +67,48 @@ flow DHCP_Flow(is_orig: bool) {
 				case SERV_ID_OPTION:
 					serv_addr = htonl((*ptr)->info()->serv_addr());
 					break;
+
+				case HOST_NAME_OPTION:
+					host_name = new StringVal((*ptr)->info()->host_name().length(),
+								  (const char*) (*ptr)->info()->host_name().begin());
+					break;
 				}
 			}
 
+		if ( host_name == 0 )
+			host_name = new StringVal("");
+
 		switch ( type )
 			{
 			case DHCPDISCOVER:
 				BifEvent::generate_dhcp_discover(connection()->bro_analyzer(),
 								 connection()->bro_analyzer()->Conn(),
-					dhcp_msg_val_->Ref(), new AddrVal(req_addr));
+								 dhcp_msg_val_->Ref(), new AddrVal(req_addr), host_name);
 				break;
 
 			case DHCPREQUEST:
 				BifEvent::generate_dhcp_request(connection()->bro_analyzer(),
 								connection()->bro_analyzer()->Conn(),
 								dhcp_msg_val_->Ref(), new AddrVal(req_addr),
-				new AddrVal(serv_addr));
+								new AddrVal(serv_addr), host_name);
 				break;
 
 			case DHCPDECLINE:
 				BifEvent::generate_dhcp_decline(connection()->bro_analyzer(),
 								connection()->bro_analyzer()->Conn(),
-					dhcp_msg_val_->Ref());
+								dhcp_msg_val_->Ref(), host_name);
 				break;
 
 			case DHCPRELEASE:
 				BifEvent::generate_dhcp_release(connection()->bro_analyzer(),
 								connection()->bro_analyzer()->Conn(),
-					dhcp_msg_val_->Ref());
+								dhcp_msg_val_->Ref(), host_name);
 				break;
 
 			case DHCPINFORM:
 				BifEvent::generate_dhcp_inform(connection()->bro_analyzer(),
 							       connection()->bro_analyzer()->Conn(),
-					dhcp_msg_val_->Ref());
+							       dhcp_msg_val_->Ref(), host_name);
 				break;
 			}
 
@@ -118,11 +125,13 @@ flow DHCP_Flow(is_orig: bool) {
 		::uint32 subnet_mask = 0, serv_addr = 0;
 
 		uint32 lease = 0;
+		StringVal* host_name = 0;
 
 		for ( ptr = options->begin();
 		      ptr != options->end() && ! (*ptr)->last(); ++ptr )
 			{
-			switch ( (*ptr)->code() ) {
+			switch ( (*ptr)->code() )
+				{
 				case SUBNET_OPTION:
 					subnet_mask = htonl((*ptr)->info()->mask());
 					break;
@@ -134,16 +143,16 @@ flow DHCP_Flow(is_orig: bool) {
 					router_list = new TableVal(dhcp_router_list);
 
 						{
-				int num_routers =
+						int num_routers = (*ptr)->info()->router_list()->size();
-					(*ptr)->info()->router_list()->size();
 
 						for ( int i = 0; i < num_routers; ++i )
 							{
-					vector<uint32>* rlist =
+							vector<uint32>* rlist = (*ptr)->info()->router_list();
-						(*ptr)->info()->router_list();
+
 							uint32 raddr = (*rlist)[i];
 							::uint32 tmp_addr;
 							tmp_addr = htonl(raddr);
+
 							// index starting from 1
 							Val* index = new Val(i + 1, TYPE_COUNT);
 							router_list->Assign(index, new AddrVal(tmp_addr));
@@ -159,28 +168,37 @@ flow DHCP_Flow(is_orig: bool) {
 				case SERV_ID_OPTION:
 					serv_addr = htonl((*ptr)->info()->serv_addr());
 					break;
+
+				case HOST_NAME_OPTION:
+					host_name = new StringVal((*ptr)->info()->host_name().length(),
+								  (const char*) (*ptr)->info()->host_name().begin());
+					break;
 				}
 			}
 
-		switch ( type ) {
+			if ( host_name == 0 )
+				host_name = new StringVal("");
+
+		switch ( type )
+			{
 			case DHCPOFFER:
 				BifEvent::generate_dhcp_offer(connection()->bro_analyzer(),
 							      connection()->bro_analyzer()->Conn(),
 							      dhcp_msg_val_->Ref(), new AddrVal(subnet_mask),
-					router_list, lease, new AddrVal(serv_addr));
+							      router_list, lease, new AddrVal(serv_addr), host_name);
 				break;
 
 			case DHCPACK:
 				BifEvent::generate_dhcp_ack(connection()->bro_analyzer(),
 							    connection()->bro_analyzer()->Conn(),
 							    dhcp_msg_val_->Ref(), new AddrVal(subnet_mask),
-					router_list, lease, new AddrVal(serv_addr));
+							    router_list, lease, new AddrVal(serv_addr), host_name);
 				break;
 
 			case DHCPNAK:
 				BifEvent::generate_dhcp_nak(connection()->bro_analyzer(),
 							    connection()->bro_analyzer()->Conn(),
-					dhcp_msg_val_->Ref());
+							    dhcp_msg_val_->Ref(), host_name);
 				break;
 
 			}
@@ -195,7 +213,10 @@ flow DHCP_Flow(is_orig: bool) {
 		// DHCP or BOOTP.  If not, we are unable to interpret
 		// the message options.
 		if ( ${msg.cookie} != 0x63825363 )
+			{
+			connection()->bro_analyzer()->ProtocolViolation(fmt("bad cookie (%d)", ${msg.cookie}));
 			return false;
+			}
 
 		Unref(dhcp_msg_val_);
 		RecordVal* r = new RecordVal(dhcp_msg);
@@ -203,17 +224,15 @@ flow DHCP_Flow(is_orig: bool) {
 		r->Assign(0, new Val(${msg.op}, TYPE_COUNT));
 		r->Assign(1, new Val(${msg.type}, TYPE_COUNT));
 		r->Assign(2, new Val(${msg.xid}, TYPE_COUNT));
-
+		r->Assign(3, new StringVal(fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length())));
-		// We want only 6 bytes for Ethernet address.
-		r->Assign(3, new StringVal(6, (const char*) ${msg.chaddr}.begin()));
-
 		r->Assign(4, new AddrVal(${msg.ciaddr}));
 		r->Assign(5, new AddrVal(${msg.yiaddr}));
 
 		dhcp_msg_val_ = r;
 
-		switch ( ${msg.op} ) {
+		switch ( ${msg.op} )
-		case BOOTREQUEST:	// presumablye from client to server
+			{
+			case BOOTREQUEST:	// presumably from client to server
 				if ( ${msg.type} == DHCPDISCOVER ||
 			     	     ${msg.type} == DHCPREQUEST ||
 			     	     ${msg.type} == DHCPDECLINE ||
@@ -221,22 +240,28 @@ flow DHCP_Flow(is_orig: bool) {
 			     	     ${msg.type} == DHCPINFORM )
 					parse_request(${msg.options}, ${msg.type});
 				else
-				interp->Weird("DHCP_wrong_msg_type");
+					connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREQUEST (%d)",
+											    ${msg.type}));
 				break;
 
 			case BOOTREPLY:		// presumably from server to client
 				if ( ${msg.type} == DHCPOFFER ||
-			     ${msg.type} == DHCPACK || ${msg.type} == DHCPNAK )
+			     	     ${msg.type} == DHCPACK ||
+				     ${msg.type} == DHCPNAK )
 					parse_reply(${msg.options}, ${msg.type});
 				else
-				interp->Weird("DHCP_wrong_msg_type");
+					connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREPLY (%d)",
+											    ${msg.type}));
+
 				break;
 
 			default:
-			interp->Weird("DHCP_wrong_op_type");
+				connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message op code (%d). Known codes: 1=BOOTREQUEST, 2=BOOTREPLY",
+										${msg.op}));
 				break;
 			}
 
+		connection()->bro_analyzer()->ProtocolConfirmation();
 		return true;
 		%}
 };

src/analyzer/protocol/dhcp/dhcp-protocol.pac

@@ -12,6 +12,7 @@ enum OP_type {
 enum OPTION_type {
 	SUBNET_OPTION	 = 1,
 	ROUTER_OPTION	 = 3,
+	HOST_NAME_OPTION = 12,
 	REQ_IP_OPTION	 = 50,
 	LEASE_OPTION	 = 51,
 	MSG_TYPE_OPTION  = 53,
@@ -35,12 +36,13 @@ type Option_Info(code: uint8)  = record {
 	length		: uint8;
 	value		: case code of {
 		SUBNET_OPTION	-> mask	: uint32;
-		ROUTER_OPTION   -> router_list: uint32[length/4];
+		ROUTER_OPTION	-> router_list : uint32[length/4];
 		REQ_IP_OPTION	-> req_addr	: uint32;
 		LEASE_OPTION	-> lease	: uint32;
 		MSG_TYPE_OPTION	-> msg_type	: uint8;
-		SERV_ID_OPTION  -> serv_addr: uint32;
+		SERV_ID_OPTION	-> serv_addr	: uint32;
-		default		-> other: bytestring &length = length;
+		HOST_NAME_OPTION-> host_name	: bytestring &length = length;
+		default		-> other	: bytestring &length = length;
 	};
 };
 

src/analyzer/protocol/dhcp/dhcp.pac

@@ -1,3 +1,4 @@
+%include binpac.pac
 %include bro.pac
 
 %extern{

src/analyzer/protocol/dhcp/events.bif

@@ -1,8 +1,5 @@
-## Generated for DHCP messages of type *discover*.
+## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate
-##
+## available servers).
-## See `Wikipedia
-## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
-## more information about the DHCP protocol.
 ##
 ## c: The connection record describing the underlying UDP flow.
 ##
@@ -10,33 +7,23 @@
 ##
 ## req_addr: The specific address requested by the client.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## host_name: The value of the host name option, if specified by the client.
-##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak
-##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##              dhcp_release dhcp_inform
-##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 ##
 ## .. note:: Bro does not support broadcast packets (as used by the DHCP
 ##    protocol). It treats broadcast addresses just like any other and
 ##    associates packets into transport-level flows in the same way as usual.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string%);
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
 
-## Generated for DHCP messages of type *offer*.
+## Generated for DHCP messages of type *DHCPOFFER* (server to client in response to
-##
+## DHCPDISCOVER with offer of configuration parameters).
-## See `Wikipedia
-## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
-## more information about the DHCP protocol.
 ##
 ## c: The connection record describing the underlying UDP flow.
 ##
-## msg: TODO.
+## msg: The parsed type-independent part of the DHCP message.
 ##
 ## mask: The subnet mask specified by the message.
 ##
@@ -46,28 +33,21 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
 ##
 ## serv_addr: The server address specified by the message.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## host_name: The value of the host name option, if specified by the client.
-##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+## .. bro:see:: dhcp_discover dhcp_request dhcp_decline dhcp_ack dhcp_nak
-##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##              dhcp_release dhcp_inform
-##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-##    dns_rejected dns_request non_dns_request
 ##
 ## .. note:: Bro does not support broadcast packets (as used by the DHCP
 ##    protocol). It treats broadcast addresses just like any other and
 ##    associates packets into transport-level flows in the same way as usual.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%);
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
 
-## Generated for DHCP messages of type *request*.
+## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either
-##
+## (a) requesting offered parameters from one server and implicitly declining offers
-## See `Wikipedia
+## from all others, (b) confirming correctness of previously allocated address after,
-## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## e.g., system reboot, or (c) extending the lease on a particular network address.)
-## more information about the DHCP protocol.
 ##
 ## c: The connection record describing the underlying UDP flow.
 ##
@@ -77,55 +57,37 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_
 ##
 ## serv_addr: The server address specified by the message.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## host_name: The value of the host name option, if specified by the client.
-##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+## .. bro:see:: dhcp_discover dhcp_offer dhcp_decline dhcp_ack dhcp_nak
-##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##              dhcp_release dhcp_inform
-##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-##    dns_rejected dns_request non_dns_request
 ##
 ## .. note:: Bro does not support broadcast packets (as used by the DHCP
 ##    protocol). It treats broadcast addresses just like any other and
 ##    associates packets into transport-level flows in the same way as usual.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string%);
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
 
-## Generated for DHCP messages of type *decline*.
+## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating
-##
+## network address is already in use).
-## See `Wikipedia
-## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
-## more information about the DHCP protocol.
 ##
 ## c: The connection record describing the underlying UDP flow.
 ##
 ## msg: The parsed type-independent part of the DHCP message.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## host_name: The value of the host name option, if specified by the client.
-##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_ack dhcp_nak
-##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##              dhcp_release dhcp_inform
-##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-##    dns_rejected dns_request non_dns_request
 ##
 ## .. note:: Bro does not support broadcast packets (as used by the DHCP
 ##    protocol). It treats broadcast addresses just like any other and
 ##    associates packets into transport-level flows in the same way as usual.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+event dhcp_decline%(c: connection, msg: dhcp_msg, host_name: string%);
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event dhcp_decline%(c: connection, msg: dhcp_msg%);
 
-## Generated for DHCP messages of type *acknowledgment*.
+## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration
-##
+## parameters, including committed network address).
-## See `Wikipedia
-## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
-## more information about the DHCP protocol.
 ##
 ## c: The connection record describing the underlying UDP flow.
 ##
@@ -139,101 +101,62 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%);
 ##
 ## serv_addr: The server address specified by the message.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## host_name: The value of the host name option, if specified by the client.
-##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-##    dns_rejected dns_request non_dns_request
 ##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
+## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_nak
-##    protocol). It treats broadcast addresses just like any other and
+##              dhcp_release dhcp_inform
-##    associates packets into transport-level flows in the same way as usual.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%);
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
 
-## Generated for DHCP messages of type *negative acknowledgment*.
+## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's
-##
+## notion of network address is incorrect (e.g., client has moved to new subnet) or
-## See `Wikipedia
+## client's lease has expired).
-## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
-## more information about the DHCP protocol.
 ##
 ## c: The connection record describing the underlying UDP flow.
 ##
 ## msg: The parsed type-independent part of the DHCP message.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## host_name: The value of the host name option, if specified by the client.
-##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_release
-##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##              dhcp_inform
-##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-##    dns_rejected dns_request non_dns_request
 ##
 ## .. note:: Bro does not support broadcast packets (as used by the DHCP
 ##    protocol). It treats broadcast addresses just like any other and
 ##    associates packets into transport-level flows in the same way as usual.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+event dhcp_nak%(c: connection, msg: dhcp_msg, host_name: string%);
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event dhcp_nak%(c: connection, msg: dhcp_msg%);
 
-## Generated for DHCP messages of type *release*.
+## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing
-##
+## network address and cancelling remaining lease).
-## See `Wikipedia
-## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
-## more information about the DHCP protocol.
 ##
 ## c: The connection record describing the underlying UDP flow.
 ##
 ## msg: The parsed type-independent part of the DHCP message.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## host_name: The value of the host name option, if specified by the client.
-##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-##    dns_rejected dns_request non_dns_request
 ##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
+## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak
-##    protocol). It treats broadcast addresses just like any other and
+##              dhcp_inform
-##    associates packets into transport-level flows in the same way as usual.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+event dhcp_release%(c: connection, msg: dhcp_msg, host_name: string%);
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event dhcp_release%(c: connection, msg: dhcp_msg%);
 
-## Generated for DHCP messages of type *inform*.
+## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for
-##
+## local configuration parameters; client already has externally configured network
-## See `Wikipedia
+## address).
-## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
-## more information about the DHCP protocol.
 ##
 ## c: The connection record describing the underlying UDP flow.
 ##
 ## msg: The parsed type-independent part of the DHCP message.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## host_name: The value of the host name option, if specified by the client.
-##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak
-##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##              dhcp_release
-##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-##    dns_rejected dns_request non_dns_request
 ##
 ## .. note:: Bro does not support broadcast packets (as used by the DHCP
 ##    protocol). It treats broadcast addresses just like any other and
 ##    associates packets into transport-level flows in the same way as usual.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+event dhcp_inform%(c: connection, msg: dhcp_msg, host_name: string%);
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event dhcp_inform%(c: connection, msg: dhcp_msg%);
 

src/net_util.cc

@@ -148,6 +148,26 @@ const char* fmt_conn_id(const uint32* src_addr, uint32 src_port,
 	return fmt_conn_id(src, src_port, dst, dst_port);
 	}
 
+char* fmt_mac(const unsigned char* m, int len)
+	{
+	char* buf = new char[25];
+
+	if ( len < 8 )
+		{
+		*buf = '\0';
+		return buf;
+		}
+
+	if ( m[6] == 0 && m[7] == 0 ) // EUI-48
+		snprintf(buf, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
+			 m[0], m[1], m[2], m[3], m[4], m[5]);
+	else
+		snprintf(buf, 25, "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+			 m[0], m[1], m[2], m[3], m[4], m[5], m[6], m[7]);
+
+	return buf;
+	}
+
 uint32 extract_uint32(const u_char* data)
 	{
 	uint32 val;

src/net_util.h

@@ -156,6 +156,18 @@ extern const char* fmt_conn_id(const IPAddr& src_addr, uint32 src_port,
 extern const char* fmt_conn_id(const uint32* src_addr, uint32 src_port,
 				const uint32* dst_addr, uint32 dst_port);
 
+/**
+* Given a MAC address, formats it in hex as 00:de:ad:be:ef.
+* Supports both EUI-48 and EUI-64. If it's neither, returns
+* an empty string.
+*
+* @param m EUI-48 or EUI-64 MAC address to format, as a char array
+* @param len Number of bytes valid starting at *n*. This must be at
+*            least 8 for a valid address.
+* @return A string of the formatted MAC. Passes ownership to caller.
+*/
+extern char* fmt_mac(const unsigned char* m, int len);
+
 // Read 4 bytes from data and return in network order.
 extern uint32 extract_uint32(const u_char* data);
 

testing/btest/Baseline/core.print-bpf-filters/output2

@@ -26,6 +26,8 @@
 1 6667
 1 6668
 1 6669
+1 67
+1 68
 1 80
 1 8000
 1 8080
@@ -36,8 +38,8 @@
 1 992
 1 993
 1 995
-40 and
+42 and
-39 or
+41 or
-40 port
+42 port
 31 tcp
-9 udp
+11 udp

testing/btest/Baseline/core.tunnels.teredo/conn.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2008-05-16-15-50-57
+#open	2013-08-04-03-28-45
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
 1210953047.736921	arKYeMETxOg	192.168.2.16	1576	75.126.130.163	80	tcp	-	0.000357	0	0	SHR	-	0	fA	1	40	1	40	(empty)
@@ -21,10 +21,10 @@
 1210953074.570439	c4Zw9TmAE05	192.168.2.16	1580	67.228.110.120	80	tcp	http	0.466677	469	3916	SF	-	0	ShADadFf	7	757	6	4164	(empty)
 1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	udp	teredo	8.928880	129	48	SF	-	0	Dd	2	185	1	76	(empty)
 1210953060.829233	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	udp	teredo	13.293994	2359	11243	SF	-	0	Dd	12	2695	13	11607	(empty)
-1210953058.933954	iE6yhOq3SF	0.0.0.0	68	255.255.255.255	67	udp	-	-	-	-	S0	-	0	D	1	328	0	0	(empty)
+1210953058.933954	iE6yhOq3SF	0.0.0.0	68	255.255.255.255	67	udp	dhcp	-	-	-	S0	-	0	D	1	328	0	0	(empty)
 1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	udp	-	-	-	-	SHR	-	0	d	0	0	1	137	(empty)
 1210953046.591933	UWkUyAuUGXf	192.168.2.16	138	192.168.2.255	138	udp	-	28.448321	416	0	S0	-	0	D	2	472	0	0	(empty)
 1210953052.324629	FrJExwHcSal	fe80::8000:f227:bec8:61af	134	fe80::8000:ffff:ffff:fffd	133	icmp	-	-	-	-	OTH	-	0	-	1	88	0	0	TEfuqmmG4bh
 1210953060.829303	qCaWGmzFtM5	2001:0:4137:9e50:8000:f12a:b9c8:2815	128	2001:4860:0:2001::68	129	icmp	-	0.463615	4	4	OTH	-	0	-	1	52	1	52	GSxOnSLghOa,nQcgTWjvg4c
 1210953052.202579	j4u32Pc5bif	fe80::8000:ffff:ffff:fffd	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	nQcgTWjvg4c
-#close	2008-05-16-15-51-16
+#close	2013-08-04-03-28-45

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-07-29-22-37-52
+#open	2013-08-04-03-27-22
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -91,6 +91,7 @@ scripts/base/init-bare.bro
       scripts/base/utils/site.bro
         scripts/base/utils/patterns.bro
   build/scripts/base/bif/__load__.bro
+    build/scripts/base/bif/top-k.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2013-07-29-22-37-52
+#close	2013-08-04-03-27-22

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-07-29-22-37-53
+#open	2013-08-04-03-27-23
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -91,6 +91,7 @@ scripts/base/init-bare.bro
       scripts/base/utils/site.bro
         scripts/base/utils/patterns.bro
   build/scripts/base/bif/__load__.bro
+    build/scripts/base/bif/top-k.bif.bro
 scripts/base/init-default.bro
   scripts/base/utils/active-http.bro
     scripts/base/utils/exec.bro
@@ -147,6 +148,7 @@ scripts/base/init-default.bro
       scripts/base/frameworks/sumstats/plugins/std-dev.bro
         scripts/base/frameworks/sumstats/plugins/variance.bro
       scripts/base/frameworks/sumstats/plugins/sum.bro
+      scripts/base/frameworks/sumstats/plugins/topk.bro
       scripts/base/frameworks/sumstats/plugins/unique.bro
     scripts/base/frameworks/sumstats/non-cluster.bro
   scripts/base/frameworks/tunnels/__load__.bro
@@ -156,6 +158,10 @@ scripts/base/init-default.bro
     scripts/base/protocols/conn/contents.bro
     scripts/base/protocols/conn/inactivity.bro
     scripts/base/protocols/conn/polling.bro
+  scripts/base/protocols/dhcp/__load__.bro
+    scripts/base/protocols/dhcp/consts.bro
+    scripts/base/protocols/dhcp/main.bro
+      scripts/base/protocols/dhcp/utils.bro
   scripts/base/protocols/dns/__load__.bro
     scripts/base/protocols/dns/consts.bro
     scripts/base/protocols/dns/main.bro
@@ -202,4 +208,4 @@ scripts/base/init-default.bro
     scripts/base/files/extract/main.bro
   scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-07-29-22-37-53
+#close	2013-08-04-03-27-23

testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dhcp
+#open	2013-07-31-21-00-49
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mac	assigned_ip	lease_time	trans_id
+#types	time	string	addr	port	addr	port	string	addr	interval	count
+1370200444.371332	nQcgTWjvg4c	128.2.6.189	68	128.2.6.152	67	90:b1:1c:99:49:29	128.2.6.189	900.000000	1984
+#close	2013-07-31-21-00-50

testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dhcp
+#open	2013-08-03-01-18-52
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mac	assigned_ip	lease_time	trans_id
+#types	time	string	addr	port	addr	port	string	addr	interval	count
+1374432420.191205	UWkUyAuUGXf	128.2.6.122	68	128.2.6.152	67	90:b1:1c:99:49:29	128.2.6.122	0.000000	2754407505
+#close	2013-08-03-01-18-52

testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_devices
+#open	2013-07-31-21-27-41
+#fields	ts	mac	dhcp_host_name
+#types	time	string	string
+1370200443.344965	90:b1:1c:99:49:29	btest.is.cool
+1374432420.186878	90:b1:1c:99:49:29	(empty)
+#close	2013-07-31-21-27-41

testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.btest

@@ -0,0 +1,6 @@
+# This tests that DHCP leases are logged in dhcp.log
+# The trace has a message of each DHCP message type,
+# but only one lease should show up in the logs.
+
+# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp.trace %INPUT
+# @TEST-EXEC: btest-diff dhcp.log

testing/btest/scripts/base/protocols/dhcp/inform.test

@@ -0,0 +1,5 @@
+# DHCPINFORM leases are special-cased in the code.
+# This tests that those leases are correctly logged.
+
+# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_inform.trace %INPUT
+# @TEST-EXEC: btest-diff dhcp.log

testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test

@@ -0,0 +1,8 @@
+# This tests that the known_devices log is created,
+# that devices are logged by MAC address, and that
+# the DHCP hostname is added, if available.
+
+# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp.trace -r $TRACES/dhcp/dhcp_inform.trace %INPUT
+# @TEST-EXEC: btest-diff known_devices.log
+
+@load policy/protocols/dhcp/known-devices-and-hostnames