Unable to append to DHCP's Log Type

Zeek
1

Hi

I am attempting to append DHCP Option 55 params to my default dhcp.log, but the script I’ve written is failing to do so. Using my debug logger, I can see the values are being extracted correctly. For example, here’s a line from that file running now:

1664383600.022221	1.1.1.1	67	2.2.2.2	67	DHCP	DHCP => opcode: 1 params_hash: 7640efd95cc17edd9c42701966512588 params_list: 1,3,4,6,12,15,28,42,43,60

However, dhcp.log fails to add them values to the log:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	dhcp
#open	2022-09-28-09-25-13
#fields	ts	uids	client_addr	server_addr	mac	host_name	client_fqdn	domain	requested_addr	assigned_addr	lease_time	client_message	server_message	msg_types	duration	log_type	**param_list**	**param_hash**
#types	time	set[string]	addr	addr	string	string	string	string	addraddr	interval	string	string	vector[string]	interval	string	string	string
1664382301.369788	CgbRI23aP1qTCA2Fw5	1.1.1.1	-	11:11:11:11:11:11	place	-	-	-	-	-	-	-	DISCOVER	0.000000	BRO_DHCP	**-**	**-**

As you can see, the fields are added to the log as param_hash and param_list, but the values are logged as the default -.

After some debugging, I noticed that when I assign the relevant values to c$dhcp$param* before logging to Debug, I don’t see the values in my debug.log file either. This makes me thing there’s something wrong with my assign statements, but I’m not sure what else to try here. Am I missing something obvious here?

Here’s the script for reference:

@load base/protocols/dhcp
@load policy/custom_scripts/debug_logger
@load base/frameworks/logging

module DHCP;


# Redefine DHCP's log output to include param_list and param_hash
export {
  redef record Info += {
    param_list: string &optional &log;
    param_hash: string &optional &log;
  };
}

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=5

{
  if ( msg$op !=1 )
    return;

  local s1: string = "";
  local s2: string = "";
  local s3: string = "";

  # If param_list exists and has at least one element
  if ( options?$param_list && |options$param_list|>0 )
  {
    local h = md5_hash_init();

    # Stringify params_list
    s1 = sub(cat(options$param_list), /\[/, "");
    s2 = sub(s1, /\]/, "");
    s3 = subst_string(s2, " ", "");
    md5_hash_update(h, s3);
    # Hash params_list
    local hash = md5_hash_finish(h);

    # Create Debug log event
    local rec: Debug::Info = [
      $ts=network_time(),
      $id=c$id,
      $service="DHCP",
      $data=fmt("DHCP => opcode: %d params_hash: %s params_list: %s", msg$op, hash, s3)
    ];
    Log::write($id=Debug::LOG, $columns=rec);

    # Add values to DHCP log
    c$dhcp$param_hash = hash;
    c$dhcp$param_list = s3;

  }
}
2

Solved the issue. After digging into dhcp.zeek, I noticed the event dealing with building the log file is actually event aggregate_msgs(...), and the assignments must happen to the global variable log_info.

Swapping out the event signature and replacing the last two lines with:

log_info$param_hash = hash;
log_info$param_list = s3;

fixed the issue.