[Zeek] Regarding udp_content event
nabilmemon.ec at gmail.com
Tue Apr 7 02:43:35 PDT 2020
Instead of configuring zeek to say these are likely to be server ports.
What would happen if we introduce a check for source port as well with the
Did you consider this approach?
Thanks and Regards,
Phone: +91 81477 17034
On Tue, Apr 7, 2020 at 2:41 PM Nabil Memon <nabilmemon.ec at gmail.com> wrote:
> Awesome, thanks!
> On Tue, Apr 7, 2020 at 3:35 AM Jon Siwek <jsiwek at corelight.com> wrote:
>> On Sat, Apr 4, 2020 at 9:55 PM Nabil Memon <nabilmemon.ec at gmail.com>
>> > Is there any way I can extract UDP contents from both request(no
>> problem extracting request content) and response without adding ports in
>> "likely_server_ports" list??
>> Think modifying "likely_server_ports" is the right approach here.
>> > Even when I am adding those ports in the list, I don't get the event.
>> Yeah, that looks like a bit of a deficiency in how UDP contents
>> generally works for those "content delivery ports" tables: it's just
>> tracking the exact "destination port" per UDP packet, so I'm
>> suggesting to add an additional option to instead track according to
>> the Connection's "responder" port. That will also correctly track any
>> role flipping that occurs from the "likely server ports" logic. The
>> PR for this is here:
>> - Jon
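A script sketch of the setup discussed in this thread, added here as an example and not code from the thread or from Zeek itself; the 9999/udp service port is constructed, and `udp_content_ports` is an assumed name for the responder-port option Jon describes, so check the Zeek version in use before relying on it:

```zeek
# Added example: get udp_contents for both request and response of a
# constructed UDP service on 9999/udp.

# Make Zeek treat 9999/udp as the server side, so originator/responder
# roles flip correctly even when the first packet seen is the reply.
redef likely_server_ports += { 9999/udp };

# Request direction: the packet's destination port is the service port,
# so the per-packet "destination port" table matches as-is.
redef udp_content_delivery_ports_orig += { [9999/udp] = T };

# Response direction: the packet's destination port is the client's
# ephemeral port, so a table keyed on the service port never matches.
# Workaround on versions that only track per-packet destination ports:
# deliver every responder payload and filter on the connection's
# responder port in the handler below.
redef udp_content_deliver_all_resp = T;

# On versions carrying the responder-port option from Jon's PR (assumed
# name udp_content_ports), this single line replaces the deliver-all
# workaround above:
#   redef udp_content_ports += { 9999/udp };

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	# Keep only traffic whose connection-level responder port is the
	# service port; drops unrelated responder payloads delivered by
	# udp_content_deliver_all_resp.
	if ( u$id$resp_p != 9999/udp )
		return;

	print fmt("%s %s -> %s %s: %d bytes", u$uid, u$id$orig_h, u$id$resp_h,
	          is_orig ? "request" : "response", |contents|);
	}
```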