diff --git a/scripts/base/protocols/dhcp/main.zeek b/scripts/base/protocols/dhcp/main.zeek
index 6bbd5d13e2..1d53cbfd63 100644
--- a/scripts/base/protocols/dhcp/main.zeek
+++ b/scripts/base/protocols/dhcp/main.zeek
@@ -204,11 +204,16 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
log_info$msg_types += DHCP::message_types[msg$m_type];
+ # The is_orig flag is T for "connections" initiated by servers
+ # to broadcast addresses, otherwise is_orig indicates that this
+ # is a DHCP client.
+ local is_client = is_orig && (id$orig_h == 0.0.0.0 || id$orig_p == 68/udp || id$resp_p == 67/udp);
+
# Let's watch for messages in any DHCP message type
# and split them out based on client and server.
if ( options?$message )
{
- if ( is_orig )
+ if ( is_client )
log_info$client_message = options$message;
else
log_info$server_message = options$message;
@@ -218,7 +223,7 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
# expiration handling.
log_info$last_message_ts = ts;
- if ( is_orig ) # client requests
+ if ( is_client ) # client requests
{
# Assign the client addr in case this is a session
# of only INFORM messages (no lease handed out).
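Review bot: The new `is_client` test decides the sender's role from the transport tuple alone, and its `id$resp_p == 67/udp` clause makes every originator-side packet aimed at port 67 a client — including a server's reply to a relay agent (67 → 67) when the sensor sees the reply before the request or only that direction, in which case the reply would be logged as a client message and the server-address branch would be skipped. The DHCP payload already states the role: `msg$m_type` (indexed into `DHCP::message_types` on the first context line) is OFFER (2), ACK (5) or NAK (6) only for server messages, so something like `local is_client = msg$m_type !in set(2, 5, 6);` (or the BOOTP op code, if `DHCP::Msg` exposes it) would classify from the protocol rather than from spoofable addressing, with the tuple kept only as a fallback for unknown types. The comment above `local is_client` should also say that the tuple is attacker-controlled, e.g. `# NOTE: addresses and ports come from the IP/UDP headers and are not authenticated.` The enclosing `DHCP::aggregate_msgs` handler starts before and continues after this hunk.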
@@ -246,12 +251,27 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
{
# Only log the address of the server if it handed out
# an IP address.
- if ( msg$yiaddr != 0.0.0.0 &&
- id$resp_h != 255.255.255.255 )
+ if ( msg$yiaddr != 0.0.0.0 )
{
- log_info$server_addr = id$resp_h;
- log_info$server_port = id$resp_p;
- log_info$client_port = id$orig_p;
+ if ( is_orig )
+ {
+ # This is a server message and is_orig is T.
+ # This means it's a DHCP server broadcasting
+ # and the server is the originator.
+ log_info$server_addr = id$orig_h;
+ log_info$server_port = id$orig_p;
+ log_info$client_port = id$resp_p;
+ }
+ else
+ {
+ # When a server sends to a non-broadcast
+ # address, Zeek's connection flipping is
+ # in effect and the server is the responder
+ # instead.
+ log_info$server_addr = id$resp_h;
+ log_info$server_port = id$resp_p;
+ log_info$client_port = id$orig_p;
+ }
}
# Only use the client hardware address from the server
diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/conn.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/conn.log
new file mode 100644
index 0000000000..9f18c0e6e7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/conn.log
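Review bot: The new `if ( is_orig )` branch records the server as `id$orig_h`/`id$orig_p`, and both branches take the server identity purely from the IP/UDP headers of the reply; with the old `id$resp_h != 255.255.255.255` guard dropped, the `else` branch will also log a broadcast address as `server_addr` if a forged packet arrives on the reverse side of a client's 0.0.0.0:68 → 255.255.255.255:67 connection. Header addresses are unauthenticated, and a rogue DHCP server answering with the legitimate server's source IP is indistinguishable here, so it would be worth logging the DHCP Server Identifier (option 54) next to `server_addr` if the parsed `options` record exposes it, so a detection can compare the claimed identity with the packet source; the comment above the assignment should say so, e.g. `# NOTE: server_addr is the unauthenticated packet source, not the Server Identifier option.` The `else` comment's claim that connection flipping is in effect is consistent with the `^d` history on the 128.2.6.97 and 128.2.6.189 rows of the new conn.log baseline. The enclosing server-message branch begins before this hunk and the handler continues after it.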
@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 0.0.0.0 68 255.255.255.255 67 udp dhcp 5.099034 1560 0 S0 T T 0 D 6 1728 0 0 -
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.2.6.97 68 128.2.6.152 67 udp dhcp - - - SHR F F 0 ^d 0 0 1 395 -
+XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 128.2.6.189 68 128.2.6.152 67 udp dhcp - - - SHR F F 0 ^d 0 0 1 395 -
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 128.2.6.152 67 255.255.255.255 68 udp dhcp - - - S0 F T 0 D 1 328 0 0 -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.zeek b/testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.zeek
index ed6a49b015..4f549d01c0 100644
--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.zeek
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.zeek
@@ -3,6 +3,8 @@
# but only one lease should show up in the logs.
# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp.trace %INPUT
+# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff dhcp.log
+@load base/protocols/conn
@load base/protocols/dhcp