<div dir="ltr">Awesome, thanks! <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 7, 2020 at 3:35 AM Jon Siwek <<a href="mailto:jsiwek@corelight.com">jsiwek@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sat, Apr 4, 2020 at 9:55 PM Nabil Memon <<a href="mailto:nabilmemon.ec@gmail.com" target="_blank">nabilmemon.ec@gmail.com</a>> wrote:<br>
<br>
> Is there any way I can extract UDP contents from both request (no problem extracting request content) and response without adding ports in the "likely_server_ports" list?<br>
<br>
Think modifying "likely_server_ports" is the right approach here.<br>
<br>
> Even when I am adding those ports in the list, I don't get the event.<br>
<br>
Yeah, that looks like a bit of a deficiency in how UDP contents<br>
generally works for those "content delivery ports" tables: it's just<br>
tracking the exact "destination port" per UDP packet, so I'm<br>
suggesting to add an additional option to instead track according to<br>
the Connection's "responder" port. That will also correctly track any<br>
role flipping that occurs from the "likely server ports" logic. The<br>
PR for this is here:<br>
<br>
<a href="https://github.com/zeek/zeek/pull/900" rel="noreferrer" target="_blank">https://github.com/zeek/zeek/pull/900</a><br>
<br>
- Jon<br>
</blockquote></div>
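The following Python model contrasts the two matching rules described in the reply above: lookup by each packet's destination port versus lookup by the connection's responder port. It is an added example, not Zeek's code and not code from this thread; the port numbers, payloads, function names and the simplified role-flip rule are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    payload: bytes

def responder_port(first, likely_server_ports):
    """Pick the connection's responder port from the first packet seen.

    Simplified assumption: the first packet's destination is the responder,
    unless only its source port is a likely server port (role flip).
    """
    if first.src_port in likely_server_ports and first.dst_port not in likely_server_ports:
        return first.src_port
    return first.dst_port

def delivered(packets, orig_ports, resp_ports, likely_server_ports, use_responder_port):
    """Return (is_orig, payload) for each packet whose content would be delivered."""
    resp = responder_port(packets[0], likely_server_ports)
    out = []
    for p in packets:
        is_orig = p.dst_port == resp          # originator sends to the responder port
        key = resp if use_responder_port else p.dst_port
        table = orig_ports if is_orig else resp_ports
        if key in table:
            out.append((is_orig, p.payload))
    return out

# Constructed flow: client port 50000 talking to a UDP service on port 9999.
PORTS = {9999}
FLOW = [Packet(50000, 9999, b"request"), Packet(9999, 50000, b"response")]
# Same flow, but the capture starts with the server's packet.
MIDSTREAM = [Packet(9999, 50000, b"response"), Packet(50000, 9999, b"request")]

def summary():
    return {
        "dst_port_rule": delivered(FLOW, PORTS, PORTS, PORTS, False),
        "responder_rule": delivered(FLOW, PORTS, PORTS, PORTS, True),
        "midstream_flipped": delivered(MIDSTREAM, PORTS, PORTS, PORTS, True),
        "midstream_no_flip": delivered(MIDSTREAM, PORTS, PORTS, set(), True),
    }

if __name__ == "__main__":
    for name, result in summary().items():
        print(name, result)
```

Under the destination-port rule the response is never matched, because its destination is the client's ephemeral port; under the responder-port rule both directions match, provided the service port is also a likely server port when the capture starts mid-flow.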