[Zeek] Regarding udp_content event

Nabil Memon nabilmemon.ec at gmail.com
Sat Apr 4 21:51:34 PDT 2020


Hi,

I am going through UDP events bro generates.
I have one use case. For example, a UDP transaction is initiated by a
control point to auto-discover devices present in the network. The control
point broadcasts a UDP request, let's say
IP1(192.168.1.1)->Broadcast(192.168.1.255)->SP(54632)->DP(3702)->UDP, and the
contents are exchanged in the request.
Devices that receive those broadcast requests respond with a unicast
message saying "I am the one you are looking for":
IP2(192.168.1.2)->IP1(192.168.1.1)->DP(3702)->SP(54632)->UDP, and the
contents are exchanged in the response.

There will be two different connections for bro because of two different
5-tuples.
What I wish to extract is the raw content exchanged over both the request and
the response packet.
I came across the udp_content event. After looking at the implementation, the
configuration supports only destination ports to be checked. But for the
response packet, bro has maintained a different connection in which the source
port is the one I am interested in. The flow also will not be flipped by bro
because the port is not added in "likely_server_ports". Also, I tried
adding port 3702 to the "likely_server_ports" list; bro still did not raise the
udp_content event.

Is there any way I can extract UDP contents from both the request (no problem
extracting the request content) and the response without adding ports to the
"likely_server_ports" list?
Or
Even when I am adding those ports to the list, I don't get the event.


Here's how the configuration looks:
const udp_content_delivery_ports_orig: table[port] of bool = {[3702/udp] = T} &redef;
const udp_content_delivery_ports_resp: table[port] of bool = {[3702/udp] = T} &redef;
const udp_content_deliver_all_orig = F &redef;
const udp_content_deliver_all_resp = F &redef;

test.bro
# UDP ports of the discovery protocols of interest.
const ports = {37020/udp, 1900/udp, 3702/udp};
# Mark them as server-side ports so bro orients the flow accordingly.
redef likely_server_ports += { ports };
event udp_contents(c: connection, is_orig: bool, contents: string)
{
    print "-----------------------------------------------------";
    # Connection 5-tuple, direction flag, payload length and raw payload.
    print "Contents:", c$id, is_orig, |contents|, contents;
    print "-----------------------------------------------------";
}

Output:
-----------------------------------------------------
Contents:, [orig_h=10.113.14.94, orig_p=50818/udp, resp_h=239.255.255.250, resp_p=3702/udp], T, 488, <real content>
-----------------------------------------------------
Bro did not raise an event for the response packet.





When I change the configuration to:
const udp_content_deliver_all_orig = T &redef;
const udp_content_deliver_all_resp = T &redef;

Output:
-----------------------------------------------------
Contents:, [orig_h=10.113.14.94, orig_p=50818/udp, resp_h=239.255.255.250, resp_p=3702/udp], T, 488, <real content>
-----------------------------------------------------
-----------------------------------------------------
Contents:, [orig_h=10.113.14.94, orig_p=50818/udp, resp_h=10.113.14.197, resp_p=3702/udp], F, 3289, <real content>
-----------------------------------------------------

I got the event for both the request and the response.


What am I doing wrong?


Thanks and Regards,
Nabil
Phone: +91 81477 17034
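The following Zeek script is an added example that is not part of the post above and not code from the Zeek project. It works around the behaviour the post describes: because response packets are matched against their destination port (the requester's ephemeral port), the responder-side delivery table cannot be populated ahead of time, so the script enables udp_content_deliver_all_resp and filters inside the udp_contents handler on the discovery port in either direction of the 5-tuple. Ports 3702/udp and 1900/udp come from the post; the discovery_ports set, its name and the output format are assumptions made for this example.

```zeek
# Added example (not from the original post or the Zeek project):
# restrict udp_contents delivery to discovery traffic, regardless of
# which side of the UDP "connection" Zeek treated as the responder.

# Request payloads: match on the destination port as usual.
redef udp_content_delivery_ports_orig += { [3702/udp] = T, [1900/udp] = T };

# Response payloads are matched against their destination port, i.e. the
# requester's ephemeral port, which is not known in advance, so deliver all
# responder-side payloads and filter them in the handler below.
redef udp_content_deliver_all_resp = T;

# Discovery ports of interest (assumed set; extend via redef).
const discovery_ports: set[port] = { 3702/udp, 1900/udp } &redef;

event udp_contents(u: connection, is_orig: bool, contents: string)
    {
    # Depending on likely_server_ports, the discovery port may show up as
    # either the originator or the responder port, so check both sides.
    if ( u$id$orig_p !in discovery_ports && u$id$resp_p !in discovery_ports )
        return;

    local direction = is_orig ? "request" : "response";
    print fmt("%s %s:%s -> %s:%s (%d bytes)", direction,
              u$id$orig_h, u$id$orig_p, u$id$resp_h, u$id$resp_p, |contents|);
    }
```

Delivering all responder payloads and discarding most of them in script land costs event-handler invocations on every UDP response seen, so on a busy sensor this is best combined with a BPF capture filter limited to the discovery ports.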