[Zeek] Regarding udp_content event

Nabil Memon nabilmemon.ec at gmail.com
Tue Apr 7 02:43:35 PDT 2020

Hi Jon,

Instead of configuring Zeek to say these are likely to be server ports,
what would happen if we introduced a check for the source port as well as
the destination port?
Did you consider this approach?

Thanks and Regards,
Phone: +91 81477 17034

On Tue, Apr 7, 2020 at 2:41 PM Nabil Memon <nabilmemon.ec at gmail.com> wrote:

> Awesome, thanks!
>
> On Tue, Apr 7, 2020 at 3:35 AM Jon Siwek <jsiwek at corelight.com> wrote:
>
>> On Sat, Apr 4, 2020 at 9:55 PM Nabil Memon <nabilmemon.ec at gmail.com> wrote:
>>
>> > Is there any way I can extract UDP contents from both request (no
>> > problem extracting request content) and response without adding ports in
>> > the "likely_server_ports" list??
>>
>> Think modifying "likely_server_ports" is the right approach here.
>>
>> > Even when I am adding those ports in the list, I don't get the event.
>>
>> Yeah, that looks like a bit of a deficiency in how UDP contents
>> generally works for those "content delivery ports" tables: it's just
>> tracking the exact "destination port" per UDP packet, so I'm
>> suggesting to add an additional option to instead track according to
>> the Connection's "responder" port.  That will also correctly track any
>> role flipping that occurs from the "likely server ports" logic.  The
>> PR for this is here:
>>
>>     https://github.com/zeek/zeek/pull/900
>>
>> - Jon
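As an added illustration (not code from the thread or from Zeek's own scripts) of the behaviour Jon describes, the following policy script uses the existing `likely_server_ports` and UDP content delivery settings so that both directions of a constructed example service on 5000/udp reach `udp_content`. Because the core keys delivery on each packet's destination port, response packets (addressed to the client's ephemeral port) are delivered for all connections and then filtered in script by the connection's responder port.

```zeek
# Added example, not part of the original thread or of Zeek's scripts.
# Service port 5000/udp is a constructed value; substitute the real one.

module UDPContentDemo;

# Tell the connection-role heuristics that 5000/udp is the server side, so
# roles are flipped correctly even when the server happens to send first.
redef likely_server_ports += { 5000/udp };

# Request direction: packets whose destination port is 5000/udp are
# delivered via udp_content as originator content.
redef udp_content_delivery_ports_orig += { [5000/udp] = T };

# Response direction: the responder's packets are addressed to the client's
# ephemeral port, so a port-keyed delivery table never matches them.
# Deliver every responder packet instead and filter in the handler below.
redef udp_content_deliver_all_resp = T;

event udp_content(u: connection, is_orig: bool, contents: string)
	{
	# Keep only traffic belonging to the service, judged by the
	# connection's responder port rather than the packet's destination port.
	if ( u$id$resp_p != 5000/udp )
		return;

	print fmt("%s %s:%s -> %s:%s %s %d bytes",
	          u$uid, u$id$orig_h, u$id$orig_p, u$id$resp_h, u$id$resp_p,
	          is_orig ? "request" : "response", |contents|);
	}
```

Run it against a capture with `zeek -r capture.pcap udp_content_demo.zeek`; note that `udp_content_deliver_all_resp = T` raises an event for every UDP response packet on the sensor, so the script-side filter trades CPU for coverage until the responder-port option from the PR is available.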