[Zeek] Regarding udp_content event

Jon Siwek jsiwek at corelight.com
Mon Apr 6 15:05:37 PDT 2020


On Sat, Apr 4, 2020 at 9:55 PM Nabil Memon <nabilmemon.ec at gmail.com> wrote:

> Is there any way I can extract UDP contents from both request (no problem extracting request content) and response without adding ports in "likely_server_ports" list?

Think modifying "likely_server_ports" is the right approach here.

> Even when I am adding those ports in the list, I don't get the event.

Yeah, that looks like a bit of a deficiency in how UDP contents
generally works for those "content delivery ports" tables: it's just
tracking the exact "destination port" per UDP packet, so I'm
suggesting to add an additional option to instead track according to
the Connection's "responder" port.  That will also correctly track any
role flipping that occurs from the "likely server ports" logic.  The
PR for this is here:

    https://github.com/zeek/zeek/pull/900

- Jon
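A script that wires together the pieces discussed in this thread, added here as an illustration and not taken from the thread or the Zeek project. It adds a constructed service port to `likely_server_ports`, requests UDP payload delivery for both directions, and handles `udp_contents`. With the per-packet destination-port tracking Jon describes, only packets sent to the watched port are delivered, so the response (destination = the client's ephemeral port) never arrives; the option name `udp_content_delivery_ports_use_resp`, which switches tracking to the connection's responder port as the referenced PR proposes, is assumed here and should be checked against the Zeek version in use.

```zeek
# Added illustration, not from the thread or the Zeek project.
# Constructed example port; replace with the service port you actually monitor.
const watched_port = 5555/udp;

# Let Zeek's role-flipping logic treat this port as the server side.
redef likely_server_ports += { watched_port };

# Request the payload of packets in both directions of the flow.
redef udp_content_delivery_ports_orig += { [watched_port] = T };
redef udp_content_delivery_ports_resp += { [watched_port] = T };

# Assumed option name (the setting the referenced PR describes): track by the
# connection's responder port rather than each packet's destination port, so
# the response, whose destination is the client's ephemeral port, is delivered too.
redef udp_content_delivery_ports_use_resp = T;

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	# Record direction and size only; payload itself stays out of the log.
	print fmt("%s %s -> %s %s bytes=%d",
	          u$uid,
	          is_orig ? u$id$orig_h : u$id$resp_h,
	          is_orig ? u$id$resp_h : u$id$orig_h,
	          is_orig ? "request" : "response",
	          |contents|);
	}
```

Run it against a pcap with `zeek -r capture.pcap udp_contents_demo.zeek` (constructed file names): without the responder-port option only "request" lines appear, which is the symptom the original question reports.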

