dhcp: Handle is_orig=T for connections from server to 255.255.255.255

This works around the new semantics of is_orig=T for "connections"
from DHCP servers to broadcast addresses. IMO, having the server address
as originator in the conn.log is still more intuitive.

scripts/base/protocols/dhcp/main.zeek

@@ -204,11 +204,16 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
 
 	log_info$msg_types += DHCP::message_types[msg$m_type];
 
+	# The is_orig flag is T for "connections" initiated by servers
+	# to broadcast addresses, otherwise is_orig indicates that this
+	# is a DHCP client.
+	local is_client = is_orig && (id$orig_h == 0.0.0.0 || id$orig_p == 68/udp || id$resp_p == 67/udp);
+
 	# Let's watch for messages in any DHCP message type
 	# and split them out based on client and server.
 	if ( options?$message )
 		{
-		if ( is_orig )
+		if ( is_client )
 			log_info$client_message = options$message;
 		else
 			log_info$server_message = options$message;
@@ -218,7 +223,7 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
 	# expiration handling.
 	log_info$last_message_ts = ts;
 
-	if ( is_orig ) # client requests
+	if ( is_client ) # client requests
 		{
 		# Assign the client addr in case this is a session
 		# of only INFORM messages (no lease handed out).
@@ -246,12 +251,27 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
 		{
 		# Only log the address of the server if it handed out
 		# an IP address.
-		if ( msg$yiaddr != 0.0.0.0 &&
+		if ( msg$yiaddr != 0.0.0.0 )
-		     id$resp_h != 255.255.255.255 )
 			{
-			log_info$server_addr = id$resp_h;
+			if ( is_orig )
-			log_info$server_port = id$resp_p;
+				{
-			log_info$client_port = id$orig_p;
+				# This is a server message and is_orig is T.
+				# This means it's a DHCP server broadcasting
+				# and the server is the originator.
+				log_info$server_addr = id$orig_h;
+				log_info$server_port = id$orig_p;
+				log_info$client_port = id$resp_p;
+				}
+			else
+				{
+				# When a server sends to a non-broadcast
+				# address, Zeek's connection flipping is
+				# in effect and the server is the responder
+				# instead.
+				log_info$server_addr = id$resp_h;
+				log_info$server_port = id$resp_p;
+				log_info$client_port = id$orig_p;
+				}
 			}
 
 		# Only use the client hardware address from the server

testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/conn.log

@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	0.0.0.0	68	255.255.255.255	67	udp	dhcp	5.099034	1560	0	S0	T	T	0	D	6	1728	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	128.2.6.97	68	128.2.6.152	67	udp	dhcp	-	-	-	SHR	F	F	0	^d	0	0	1	395	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	128.2.6.189	68	128.2.6.152	67	udp	dhcp	-	-	-	SHR	F	F	0	^d	0	0	1	395	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	128.2.6.152	67	255.255.255.255	68	udp	dhcp	-	-	-	S0	F	T	0	D	1	328	0	0	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.zeek

@@ -3,6 +3,8 @@
 # but only one lease should show up in the logs.
 
 # @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp.trace %INPUT
+# @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff dhcp.log
 
+@load base/protocols/conn
 @load base/protocols/dhcp