[Zeek] Regarding udp_content event

Nabil Memon nabilmemon.ec at gmail.com
Tue Apr 7 02:43:35 PDT 2020


Hi Jon,

Instead of configuring Zeek to say these are likely to be server ports,
what would happen if we introduced a check for the source port as well as
the destination port?
Did you consider this approach?

Thanks and Regards,
Nabil
Phone: +91 81477 17034


On Tue, Apr 7, 2020 at 2:41 PM Nabil Memon <nabilmemon.ec at gmail.com> wrote:

> Awesome, thanks!
>
> On Tue, Apr 7, 2020 at 3:35 AM Jon Siwek <jsiwek at corelight.com> wrote:
>
>> On Sat, Apr 4, 2020 at 9:55 PM Nabil Memon <nabilmemon.ec at gmail.com>
>> wrote:
>>
>> > Is there any way I can extract UDP contents from both request (no
>> problem extracting request content) and response without adding ports in
>> "likely_server_ports" list?
>>
>> I think modifying "likely_server_ports" is the right approach here.
>>
>> > Even when I am adding those ports in the list, I don't get the event.
>>
>> Yeah, that looks like a bit of a deficiency in how UDP contents
>> generally works for those "content delivery ports" tables: it's just
>> tracking the exact "destination port" per UDP packet, so I'm
>> suggesting to add an additional option to instead track according to
>> the Connection's "responder" port.  That will also correctly track any
>> role flipping that occurs from the "likely server ports" logic.  The
>> PR for this is here:
>>
>>     https://github.com/zeek/zeek/pull/900
>>
>> - Jon
>>
>
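The thread above is about getting the `udp_contents` event for both directions of a UDP service without the responder-side table helping, because, as Jon describes, the delivery-port tables are keyed on each packet's exact destination port rather than on the connection's responder port. The following Zeek script is an added example, not code from the thread or from the Zeek project: it marks an assumed service port 5555/udp as a likely server port, keys originator delivery on that port, and works around the responder-side deficiency by delivering all responder payloads and filtering them in the handler on the connection's responder port. The module name, the port and the log format are assumptions for illustration.

```zeek
##! Added example (not from the mailing-list thread or the Zeek code base):
##! see UDP payloads in both directions for an assumed service on 5555/udp.

module UDPPayloadDemo;

export {
	## Ports of the custom UDP service whose payloads we want.
	## 5555/udp is an assumed example port.
	const service_ports: set[port] = { 5555/udp } &redef;
}

# Declare the service port as a likely server port, so a connection whose
# first observed packet comes from the server still has its roles flipped
# (orig = client, resp = server) by Zeek's likely_server_ports logic.
redef likely_server_ports += { 5555/udp };

# Originator payloads are keyed by the packet's destination port, which for
# a request is the service port, so this table works as-is for requests.
redef udp_content_delivery_ports_orig += { [5555/udp] = T };

# Responder payloads are also keyed by the *response* packet's destination
# port, i.e. the client's ephemeral port, which we cannot enumerate ahead of
# time.  Until keying by the connection's responder port is available,
# deliver every responder payload and filter in the event handler.  Note the
# cost: every UDP response payload on the sensor now raises an event.
redef udp_content_deliver_all_resp = T;

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	# Drop responder payloads that belong to other UDP services.
	if ( ! is_orig && u$id$resp_p !in service_ports )
		return;

	print fmt("%s %s:%s -> %s:%s %s %d bytes: %s",
	          u$uid, u$id$orig_h, u$id$orig_p, u$id$resp_h, u$id$resp_p,
	          is_orig ? "request" : "response", |contents|,
	          bytestring_to_hexstr(contents));
	}
```

Run it against a capture with `zeek -r trace.pcap udp-payload-demo.zeek` (the file names are assumed). The `is_orig` flag reflects the connection roles after any flip, which is why `u$id$resp_p` rather than the packet's own source or destination port is the right thing to filter on; the filter in the handler does in script land what the responder-port keying proposed in the PR would do in the core.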