From 262263b535390c79e8f7f08adf3e4fce5558c977 Mon Sep 17 00:00:00 2001
From: lisa
Date: Thu, 4 Mar 2021 13:53:08 -0700
Subject: [PATCH] hotfix for bug on not being able to record fqdn beacons that are also ip beacons (#616)

FQDN strobes are now properly flagged.
---
 pkg/beaconfqdn/dissector.go | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/pkg/beaconfqdn/dissector.go b/pkg/beaconfqdn/dissector.go
index f58534ac..ed26672a 100644
--- a/pkg/beaconfqdn/dissector.go
+++ b/pkg/beaconfqdn/dissector.go
@@ -102,8 +102,18 @@ func (d *dissector) start() {
 "tbytes": bson.M{"$sum": "$tbytes"},
 "icerts": bson.M{"$push": "$icerts"},
 }},
- {"$unwind": "$ts"},
- {"$unwind": "$ts"},
+ {"$unwind": bson.M{
+ "path": "$ts",
+ // by default, $unwind does not output a document if the field value is null,
+ // missing, or an empty array. Since uconns stops storing ts and byte array
+ // results if a result is going to be guaranteed to be a beacon, we need this
+ // to not discard the result so we can update the fqdn beacon accurately
+ "preserveNullAndEmptyArrays": true,
+ }},
+ {"$unwind": bson.M{
+ "path": "$ts",
+ "preserveNullAndEmptyArrays": true,
+ }},
 {"$group": bson.M{
 "_id": "$_id",
 // need to unique-ify timestamps or else results
@@ -114,8 +124,14 @@ func (d *dissector) start() {
 "tbytes": bson.M{"$first": "$tbytes"},
 "icerts": bson.M{"$first": "$icerts"},
 }},
- {"$unwind": "$bytes"},
- {"$unwind": "$bytes"},
+ {"$unwind": bson.M{
+ "path": "$bytes",
+ "preserveNullAndEmptyArrays": true,
+ }},
+ {"$unwind": bson.M{
+ "path": "$bytes",
+ "preserveNullAndEmptyArrays": true,
+ }},
 {"$group": bson.M{
 "_id": "$_id",
 "ts": bson.M{"$first": "$ts"},
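Review bot: With `preserveNullAndEmptyArrays` set, a document whose `ts` array was empty now reaches the following `$group` stage with `ts` missing or null, and the `$bytes` unwinds in the second hunk do the same for `bytes`, so that grouping and the Go code that decodes the pipeline output should be checked for a nil or empty slice rather than assuming at least one element; the enclosing `start()` and both `$group` stages continue outside the hunks. The rationale comment sits only on the first `$ts` unwind while the other three stages repeat the same literal uncommented; a small helper such as `unwindKeep := func(path string) bson.M { return bson.M{"$unwind": bson.M{"path": path, "preserveNullAndEmptyArrays": true}} }` used as `unwindKeep("$ts")` would keep the explanation in one place and make the four stages read alike. The uconns behaviour the comment relies on (dropping `ts` and `bytes` for guaranteed beacons) is not visible here, so whether the downstream scoring tolerates the empty data is inferred rather than confirmed.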