BIT-1924: add DHCP port to software.log for completeness

Jon Siwek 2018-08-16 16:07:14 -05:00
parent 81a8961f16
commit 7fdf621a1d
4 changed files with 21 additions and 6 deletions


@ -1,4 +1,9 @@
2.5-847 | 2018-08-16 16:07:14 -0500
* BIT-1924: add DHCP port to software.log for completeness
(Jon Siwek, Corelight)
2.5-846 | 2018-08-16 14:11:02 -0500 2.5-846 | 2018-08-16 14:11:02 -0500
* BIT-1858: fix logged-names for DNS RR types 44 and 45 (Jon Siwek, Corelight) * BIT-1858: fix logged-names for DNS RR types 44 and 45 (Jon Siwek, Corelight)


@ -1 +1 @@
2.5-846 2.5-847


@ -41,6 +41,13 @@ export {
## IP address. ## IP address.
server_addr: addr &log &optional; server_addr: addr &log &optional;
## Client port number seen at time of server handing out IP (expected
## as 68/udp).
client_port: port &optional;
## Server port number seen at time of server handing out IP (expected
## as 67/udp).
server_port: port &optional;
## Client's hardware address. ## Client's hardware address.
mac: string &log &optional; mac: string &log &optional;
@ -224,6 +231,8 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
id$resp_h != 255.255.255.255 ) id$resp_h != 255.255.255.255 )
{ {
log_info$server_addr = id$resp_h; log_info$server_addr = id$resp_h;
log_info$server_port = id$resp_p;
log_info$client_port = id$orig_p;
} }
# Only use the client hardware address from the server # Only use the client hardware address from the server
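Review bot: `client_port` and `server_port` are declared `&optional` without `&log`, unlike the neighbouring `server_addr` and `mac`, and their doc comments do not say whether that is deliberate. Someone auditing the dhcp.log columns could read it as an omission, so I would add a line such as `## Not written to dhcp.log; recorded for use by the DHCP software-detection script.` to each comment. It is also worth stating that the values are simply `id$orig_p` and `id$resp_p` from the reply that set `server_addr`, so they may differ from the expected 68/udp and 67/udp. Both the export record and the aggregate_msgs handler extend beyond the hunks shown.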

View file

@ -42,21 +42,22 @@ event DHCP::log_dhcp(rec: DHCP::Info)
if ( rec?$assigned_addr && rec?$server_addr && if ( rec?$assigned_addr && rec?$server_addr &&
(rec?$client_software || rec?$server_software) ) (rec?$client_software || rec?$server_software) )
{ {
# Not quite right to just blindly use 67 and 68 as the ports local id: conn_id = [$orig_h=rec$assigned_addr,
local id: conn_id = [$orig_h=rec$assigned_addr, $orig_p=68/udp, $orig_p=rec$client_port,
$resp_h=rec$server_addr, $resp_p=67/udp]; $resp_h=rec$server_addr,
$resp_p=rec$server_port];
if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 ) if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
{ {
Software::found(id, [$unparsed_version=rec$client_software, Software::found(id, [$unparsed_version=rec$client_software,
$host=rec$assigned_addr, $host=rec$assigned_addr, $host_p=id$orig_p,
$software_type=DHCP::CLIENT]); $software_type=DHCP::CLIENT]);
} }
if ( rec?$server_software ) if ( rec?$server_software )
{ {
Software::found(id, [$unparsed_version=rec$server_software, Software::found(id, [$unparsed_version=rec$server_software,
$host=rec$server_addr, $host=rec$server_addr, $host_p=id$resp_p,
$software_type=DHCP::SERVER]); $software_type=DHCP::SERVER]);
} }
} }
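Review bot: The guard at the top of this block tests `rec?$assigned_addr` and `rec?$server_addr` but not the two new `&optional` port fields, while the rewritten `conn_id` constructor reads `rec$client_port` and `rec$server_port` unconditionally. In the aggregate_msgs hunk on this page the ports are assigned alongside `server_addr`, so they should normally be present. If any other code path or script sets `server_addr` alone, though, the access would presumably raise a missing-field runtime error and the software.log entry would be lost. Extending the condition with `rec?$client_port && rec?$server_port` would make the handler independent of that coupling. The handler begins outside the hunk.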