IPBasedAnalyzer: Don't flip connections when destination is broadcast

Closes #3235

NEWS

@@ -78,6 +78,10 @@ Changed Functionality
   ``policy/protocols/conn/community-id-logging.zeek`` was loaded before. This
   was fairly unusual and hard to debug behavior.
 
+- Connections to broadcast addresses are not flipped based on ``likely_server_ports``
+  anymore. Previously, broadcast packets originating from a likely server port
+  resulted in 255.255.255.255 being the originator in ``conn.log``.
+
 Removed Functionality
 ---------------------
 

src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc

@@ -171,7 +171,7 @@ zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple* id, const detail::Co
 	                                  pkt->ip_hdr->FlowLabel(), pkt);
 	conn->SetTransport(transport);
 
-	if ( flip )
+	if ( flip && ! id->dst_addr.IsBroadcast() )
 		conn->FlipRoles();
 
 	BuildSessionAnalyzerTree(conn);

testing/btest/Baseline/core.udp-broadcast-no-flip/conn.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	history
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.1	40190	255.255.255.255	7437	D

testing/btest/core/udp-broadcast-no-flip.zeek

@@ -0,0 +1,9 @@
+# @TEST-DOC: Pcap contains broadcast with port 40190 to port 7437. Set likely_server_ports to 40190 but don't expect this connection to be flipped.
+
+# @TEST-EXEC: zeek -b -r $TRACES/udp-broadcast.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+
+@load base/protocols/conn
+
+redef likely_server_ports += { 40190/udp };