I am working on a capability using Suricata that would alert me to specific vendor identifiers from DHCP Inform packets. I have Suricata configured with the DHCP logging enabled and the extended option set to 'yes'. This ensures all DHCP packets are logged in the EVE log from Suricata. However, I cannot seem to extract the vendor class identifier (option 60) from the options in the packet using these settings. I have verified with Wireshark that this option does indeed exist in my packets (screenshot below with the option I want highlighted), but I do not see that data in the EVE log (example below).
{"timestamp":"2015-04-13T09:31:26.508501+0000","flow_id":1912151869407829,"pcap_cnt":77868,"event_type":"dhcp","src_ip":"192.168.0.54","src_port":68,"dest_ip":"255.255.255.255","dest_port":67,"proto":"UDP","ether":{"src_mac":"ec:f4:bb:4f:b0:96","dest_mac":"ff:ff:ff:ff:ff:ff"},"dhcp":{"type":"request","id":41767348,"client_mac":"ec:f4:bb:4f:b0:96","assigned_ip":"0.0.0.0","client_ip":"192.168.0.54","dhcp_type":"inform","client_id":"ec:f4:bb:4f:b0:96","hostname":"Dell-Dator32","params":["subnet_mask","domain","router","dns_server"]},"pcap_filename":"snort.log.1428883207"}
I do, however, see other options such as client identifier (essentially the MAC) and client host name in the EVE log. Is this a case of these options simply not being parsed by Suricata parsers? I did look at the Suricata source code and it seems like the Rust parser has logic to parse all options. Has anyone encountered this issue before or could point me in the right direction? Thank you!
The DHCP options logged by Suricata are not exhaustive, and option 60 currently isn't logged. It doesn't look like it would be hard to do. I suggest filing a feature request in the issue tracker:
https://redmine.openinfosecfoundation.org/projects/suricata/issues
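Since the EVE record above omits option 60, the practical check is to walk the DHCP options area yourself. The following is an added example, not Suricata's parser and not code from the thread: a minimal RFC 2132 TLV walker that pulls the vendor class identifier out of a DHCP payload, exercised on a constructed DHCPINFORM that mirrors the logged record (the MAC and hostname are taken from the record; the vendor string "MSFT 5.0" is made up).

```python
import struct

# RFC 2132 option codes that appear in the thread's EVE record, plus option 60.
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_CLIENT_ID = 12, 53, 55, 60, 61
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # follows the 236-byte BOOTP fixed header

def parse_dhcp_options(payload: bytes) -> dict:
    """Walk the TLV option area and return {code: raw value bytes}.
    Skips PAD, stops at END, and refuses truncated options instead of reading past the buffer."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but {len(value)} remain")
        opts[code] = value
        i += 2 + length
    return opts

def vendor_class(payload: bytes):
    """Option 60 decoded as text, or None when the client did not send it."""
    raw = parse_dhcp_options(payload).get(OPT_VENDOR_CLASS)
    return raw.decode("ascii", errors="replace") if raw is not None else None

def build_inform(mac: bytes, hostname: bytes, vendor: bytes) -> bytes:
    """Constructed DHCPINFORM payload for testing; not a captured packet."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, xid from the record, ciaddr set, rest zeroed.
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 41767348, 0, 0,
                        bytes([192, 168, 0, 54]), b"", b"", b"", mac, b"", b"")
    def tlv(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value
    options = (tlv(OPT_MSG_TYPE, b"\x08") + tlv(OPT_CLIENT_ID, b"\x01" + mac)
               + tlv(OPT_HOSTNAME, hostname) + tlv(OPT_VENDOR_CLASS, vendor)
               + tlv(OPT_PARAM_LIST, bytes([1, 15, 3, 6])) + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options

if __name__ == "__main__":
    pkt = build_inform(bytes.fromhex("ecf4bb4fb096"), b"Dell-Dator32", b"MSFT 5.0")
    print(vendor_class(pkt))  # MSFT 5.0
```

Feed the UDP payload of a real DHCP packet (from a pcap or a Suricata file-extraction) to `vendor_class` to get the value the EVE log leaves out.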