BIT-1924: add DHCP port to software.log for completeness

2025-10-02 06:38:20 +00:00 · 2018-08-16 16:07:14 -05:00 · 2018-08-16 16:07:14 -05:00 · 7fdf621a1d
commit 7fdf621a1d
parent 81a8961f16
4 changed files with 21 additions and 6 deletions
--- a/5
+++ b/5
@ -1,4 +1,9 @@

+2.5-847 | 2018-08-16 16:07:14 -0500
+
+  * BIT-1924: add DHCP port to software.log for completeness
+    (Jon Siwek, Corelight)
+
 2.5-846 | 2018-08-16 14:11:02 -0500

  * BIT-1858: fix logged-names for DNS RR types 44 and 45 (Jon Siwek, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-2.5-846
+2.5-847
--- a/scripts/base/protocols/dhcp/main.bro
+++ b/scripts/base/protocols/dhcp/main.bro
@ -41,6 +41,13 @@ export {
 		## IP address.
 		server_addr:    addr        &log &optional;

+		## Client port number seen at time of server handing out IP (expected
+		## as 68/udp).
+		client_port:    port             &optional;
+		## Server port number seen at time of server handing out IP (expected
+		## as 67/udp).
+		server_port:    port             &optional;
+
 		## Client's hardware address.
 		mac:            string      &log &optional;

@ -224,6 +231,8 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
 		     id$resp_h != 255.255.255.255 )
 			{
 			log_info$server_addr = id$resp_h;
+			log_info$server_port = id$resp_p;
+			log_info$client_port = id$orig_p;
 			}

 		# Only use the client hardware address from the server
--- a/scripts/policy/protocols/dhcp/software.bro
+++ b/scripts/policy/protocols/dhcp/software.bro
@ -42,21 +42,22 @@ event DHCP::log_dhcp(rec: DHCP::Info)
 	if ( rec?$assigned_addr && rec?$server_addr &&
 	     (rec?$client_software || rec?$server_software) )
 		{
-		# Not quite right to just blindly use 67 and 68 as the ports
-		local id: conn_id = [$orig_h=rec$assigned_addr, $orig_p=68/udp,
-		                     $resp_h=rec$server_addr, $resp_p=67/udp];
+		local id: conn_id = [$orig_h=rec$assigned_addr,
+		                     $orig_p=rec$client_port,
+		                     $resp_h=rec$server_addr,
+		                     $resp_p=rec$server_port];

 		if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
 			{
 			Software::found(id, [$unparsed_version=rec$client_software,
-			                     $host=rec$assigned_addr,
+			                     $host=rec$assigned_addr, $host_p=id$orig_p,
 			                     $software_type=DHCP::CLIENT]);
 			}

 		if ( rec?$server_software )
 			{
 			Software::found(id, [$unparsed_version=rec$server_software,
-			                     $host=rec$server_addr,
+			                     $host=rec$server_addr, $host_p=id$resp_p,
 			                     $software_type=DHCP::SERVER]);
 			}
 		}
 @ -1 +1 @@
 .5-846
 .5-847