[Zeek] Regarding udp_content event

Nabil Memon nabilmemon.ec at gmail.com
Tue Apr 7 02:11:47 PDT 2020


Awesome, thanks!

On Tue, Apr 7, 2020 at 3:35 AM Jon Siwek <jsiwek at corelight.com> wrote:

> On Sat, Apr 4, 2020 at 9:55 PM Nabil Memon <nabilmemon.ec at gmail.com>
> wrote:
>
> > Is there any way I can extract UDP contents from both request(no problem
> > extracting request content) and response without adding ports in
> > "likely_server_ports" list??
>
> Think modifying "likely_server_ports" is the right approach here.
>
> > Even when I am adding those ports in the list, I don't get the event.
>
> Yeah, that looks like a bit of a deficiency in how UDP contents
> generally works for those "content delivery ports" tables: it's just
> tracking the exact "destination port" per UDP packet, so I'm
> suggesting to add an additional option to instead track according to
> the Connection's "responder" port.  That will also correctly track any
> role flipping that occurs from the "likely server ports" logic.  The
> PR for this is here:
>
>     https://github.com/zeek/zeek/pull/900
>
> - Jon
>
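The situation Jon describes, shown as an added Zeek script that is not part of the thread or of the linked PR. The request direction is easy: the packet's destination port is the service port, so `udp_content_delivery_ports_orig` matches it. The reply's destination port is the client's ephemeral port, which cannot be listed ahead of time, so on a Zeek without the PR the workaround below turns on `udp_content_deliver_all_resp` and filters on the connection's responder port inside the handler. The service port `5555/udp`, the log stream and the field names are constructed for this example; `udp_content_ports` is my understanding of the option name the PR adds and should be checked against the `init-bare.zeek` of the Zeek version in use.

```zeek
# Added example, not code from the thread or from the zeek/zeek PR.
module UDPContentDemo;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        is_orig: bool    &log;
        len:     count   &log;
    };

    ## Constructed example port; replace with the real service port.
    const svc_port = 5555/udp &redef;
}

# Let the core flip originator/responder roles when it sees this port, so
# resp_p is the service port even if the first packet seen was a reply.
redef likely_server_ports += { svc_port };

# Request direction: the packet's destination port is the service port, so
# the per-destination-port table matches as expected.
redef udp_content_delivery_ports_orig += { [svc_port] = T };

# Response direction: the packet's destination port is the client's
# ephemeral port, so a udp_content_delivery_ports_resp entry keyed by the
# service port never matches. Without the PR's responder-port option,
# deliver all responder payload and filter in the handler below.
redef udp_content_deliver_all_resp = T;

# On a Zeek that includes the PR, the three redefs above can be replaced by
#   redef udp_content_ports += { svc_port };
# (assumed option name; verify in init-bare.zeek), which is keyed by the
# connection's responder port and so covers both directions.

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="udp_content_demo"]);
    }

event udp_content(u: connection, is_orig: bool, contents: string)
    {
    # Keep only the service of interest; everything else delivered because
    # of udp_content_deliver_all_resp is dropped here.
    if ( u$id$resp_p != svc_port )
        return;

    # Log direction and payload size rather than the raw bytes, so the log
    # stays small; inspect `contents` here if deeper parsing is needed.
    Log::write(LOG, [$ts=network_time(), $uid=u$uid, $id=u$id,
                     $is_orig=is_orig, $len=|contents|]);
    }
```

Delivering every responder payload has a cost on busy links, which is the reason the PR moves the match into the core, keyed by the responder port, instead of leaving the filtering to script land.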