bro_dhcp_parse.lua
require('parse_helpers')
--- Filter callback for DHCP records: hands the record to record_prefix_all
-- together with the "zeek_dhcp_" prefix and reports the record as modified.
-- record_prefix_all is not defined in this file; presumably it comes from
-- parse_helpers and prefixes the record's keys (confirm there).
-- @param tag       tag of the incoming record (unused here)
-- @param timestamp timestamp of the incoming record, returned unchanged
-- @param record    table holding the record's fields
-- @return 1, the unchanged timestamp, and whatever record_prefix_all returns
function bro_dhcp_prefix_all(tag, timestamp, record)
  local FIELD_PREFIX = "zeek_dhcp_"
  -- The helper call stays last in the return list so every value it returns is forwarded.
  return 1, timestamp, record_prefix_all(record, FIELD_PREFIX)
end
--- Turn the comma-separated "zeek_dhcp_uids" field into a list.
-- A value that is a string other than "-" (the unset-field placeholder in Zeek
-- logs) is split on ","; any other value, including a missing one, clears the field.
-- Relies on a string `split` method that this file does not define
-- (presumably installed by parse_helpers; confirm there).
-- @param tag       tag of the incoming record (unused here)
-- @param timestamp timestamp of the incoming record, returned unchanged
-- @param record    table holding the record's fields; modified in place
-- @return 1, timestamp, record (always reported as modified)
function bro_dhcp_parse_uids(tag, timestamp, record)
  local field = "zeek_dhcp_uids"
  local raw = record[field]

  local parsed = nil
  if type(raw) == "string" and raw ~= "-" then
    parsed = raw:split(",")
  end

  -- Assigning nil removes the key, so placeholder and non-string values are dropped.
  record[field] = parsed
  return 1, timestamp, record
end
--- Turn the comma-separated "zeek_dhcp_msg_types" field into a list.
-- Only a string other than "-" (the unset-field placeholder in Zeek logs) is
-- split on ","; everything else, including a missing value, clears the field.
-- Relies on a string `split` method that this file does not define
-- (presumably installed by parse_helpers; confirm there).
-- @param tag       tag of the incoming record (unused here)
-- @param timestamp timestamp of the incoming record, returned unchanged
-- @param record    table holding the record's fields; modified in place
-- @return 1, timestamp, record (always reported as modified)
function bro_dhcp_parse_msg_types(tag, timestamp, record)
  local msg_types = record["zeek_dhcp_msg_types"]

  -- Guard: non-strings (nil included) and the "-" placeholder remove the field.
  if type(msg_types) ~= "string" or msg_types == "-" then
    record["zeek_dhcp_msg_types"] = nil
    return 1, timestamp, record
  end

  record["zeek_dhcp_msg_types"] = msg_types:split(",")
  return 1, timestamp, record
end
-- NOT IN USE, move to zeer_hosts to choose between dns resolved fqdn and ip if not resolved for host.name field
-- If zeek_dhcp_client_fqdn (DHCP Option 81) is empty, use host.hostname + "." + host.domain to populate the field
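--- Fill in "host_name" when it is missing or holds the "-" placeholder.
-- Order of preference:
--   1. host_hostname, with "." .. host_domain appended when a domain is present
--   2. host_ip, used only when host_hostname is missing or "-"
-- The return code is 1 whenever host_name was written and 0 when the record was
-- left untouched. Previously the hostname-without-domain case wrote host_name
-- but still returned 0. Under the Fluent Bit Lua filter convention that this
-- signature appears to follow, 0 means "record not modified", so the host would
-- discard the write and the event would ship without a host name.
-- NOTE(review): confirm the host runtime's handling of return code 0.
-- NOTE(review): if host_hostname / host_domain come from DHCP client-supplied
-- options they are unauthenticated; treat host_name as a hint, not an identity.
-- @param tag       tag of the incoming record (unused here)
-- @param timestamp timestamp of the incoming record, returned unchanged
-- @param record    table holding the record's fields; modified in place
-- @return code (1 = host_name written, 0 = unchanged), timestamp, record
function bro_dhcp_populate_missing_host_name(tag, timestamp, record)
  -- A field counts as present when it is neither nil nor the "-" placeholder.
  local function present(value)
    return value ~= nil and value ~= "-"
  end

  -- An existing host name is never overwritten.
  if present(record["host_name"]) then
    return 0, timestamp, record
  end

  local hostname = record["host_hostname"]
  if present(hostname) then
    local domain = record["host_domain"]
    if present(domain) then
      record["host_name"] = hostname .. "." .. domain
    else
      record["host_name"] = hostname
    end
    -- Report the write in both cases so the change is not discarded.
    return 1, timestamp, record
  end

  local ip = record["host_ip"]
  if present(ip) then
    record["host_name"] = ip
    return 1, timestamp, record
  end

  return 0, timestamp, record
end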