From 7fdf621a1dca5a3e2cb5d427f50b5a97fec6b2d8 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 16 Aug 2018 16:07:14 -0500
Subject: [PATCH] BIT-1924: add DHCP port to software.log for completeness

---
 CHANGES | 5 +++++
 VERSION | 2 +-
 scripts/base/protocols/dhcp/main.bro | 9 +++++++++
 scripts/policy/protocols/dhcp/software.bro | 11 ++++++-----
 4 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index d4e7fff78b..b2dbd0714d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
+2.5-847 | 2018-08-16 16:07:14 -0500
+
+ * BIT-1924: add DHCP port to software.log for completeness
+ (Jon Siwek, Corelight)
+
 2.5-846 | 2018-08-16 14:11:02 -0500 * BIT-1858: fix logged-names for DNS RR types 44 and 45 (Jon Siwek, Corelight)
diff --git a/VERSION b/VERSION
index 6a9fd73a7d..2903be358d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5-846
+2.5-847
diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro
index ae102e6085..2f0bb6c933 100644
--- a/scripts/base/protocols/dhcp/main.bro
+++ b/scripts/base/protocols/dhcp/main.bro
@@ -41,6 +41,13 @@ export { ## IP address. server_addr: addr &log &optional;
+ ## Client port number seen at time of server handing out IP (expected
+ ## as 68/udp).
+ client_port: port &optional;
+ ## Server port number seen at time of server handing out IP (expected
+ ## as 67/udp).
+ server_port: port &optional;
+
 ## Client's hardware address. mac: string &log &optional;
@@ -224,6 +231,8 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms id$resp_h != 255.255.255.255 ) { log_info$server_addr = id$resp_h;
+ log_info$server_port = id$resp_p;
+ log_info$client_port = id$orig_p;
 } # Only use the client hardware address from the server
diff --git a/scripts/policy/protocols/dhcp/software.bro b/scripts/policy/protocols/dhcp/software.bro
index 6509550622..111de0bfd8 100644
--- a/scripts/policy/protocols/dhcp/software.bro
+++ b/scripts/policy/protocols/dhcp/software.bro
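Review bot: The new `client_port` and `server_port` fields in DHCP::Info carry no `&log` attribute, unlike the adjacent `server_addr: addr &log &optional;`, and the doc comments do not say so, so a reader looking for the ports in dhcp.log will not find them. If keeping them out of dhcp.log is intended (the commit targets software.log), state it in the field docs, e.g. `## Not written to dhcp.log; carried for policy scripts such as protocols/dhcp/software.` The "(expected as 68/udp)" / "(expected as 67/udp)" wording also reads as an expectation rather than a guarantee: the values are the observed conn_id ports copied in DHCP::aggregate_msgs, so a DHCP relay or a non-standard client would presumably show something else here, which consumers keying on the value should know. The `export` block these fields sit in starts before the hunk.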
@@ -42,21 +42,22 @@ event DHCP::log_dhcp(rec: DHCP::Info) if ( rec?$assigned_addr && rec?$server_addr && (rec?$client_software || rec?$server_software) ) {
- # Not quite right to just blindly use 67 and 68 as the ports
- local id: conn_id = [$orig_h=rec$assigned_addr, $orig_p=68/udp,
- $resp_h=rec$server_addr, $resp_p=67/udp];
+ local id: conn_id = [$orig_h=rec$assigned_addr,
+ $orig_p=rec$client_port,
+ $resp_h=rec$server_addr,
+ $resp_p=rec$server_port];
 if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 ) { Software::found(id, [$unparsed_version=rec$client_software,
- $host=rec$assigned_addr,
+ $host=rec$assigned_addr, $host_p=id$orig_p,
 $software_type=DHCP::CLIENT]); } if ( rec?$server_software ) { Software::found(id, [$unparsed_version=rec$server_software,
- $host=rec$server_addr,
+ $host=rec$server_addr, $host_p=id$resp_p,
 $software_type=DHCP::SERVER]); } }
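Review bot: `rec$client_port` and `rec$server_port` are read unconditionally in the new `local id: conn_id = [...]` initializer, but both fields are declared `&optional` in DHCP::Info and the guard above only checks `rec?$assigned_addr && rec?$server_addr`; a record that reaches log_dhcp with server_addr set but either port unset would fail on the field access at runtime. In this commit the ports are assigned in the same branch of DHCP::aggregate_msgs that sets server_addr, so the coupling holds today, but nothing in this script enforces it, and any other path that fills server_addr (another script, a future change) would break software.log generation for every DHCP record. I would make the guard explicit: `if ( rec?$assigned_addr && rec?$server_addr && rec?$client_port && rec?$server_port &&` followed by the existing software checks, or alternatively fall back to 68/udp and 67/udp when the fields are absent. The body of event DHCP::log_dhcp begins before the hunk.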