[Zeek] Regarding udp_content event

Jon Siwek jsiwek at corelight.com
Tue Apr 7 13:10:38 PDT 2020

On Tue, Apr 7, 2020 at 2:43 AM Nabil Memon <nabilmemon.ec at gmail.com> wrote:

> Instead configuring zeek to say these are likely to be server ports.
> What would happen if we introduce a check for source port as well with the destination port?
> Did you consider this approach?

Yeah, that's an alternate idea that would work.  I added such an
option, called "udp_content_ports", to the Pull Request if you find it
more convenient, although configuring likely server ports may still
generally be useful if you commonly find inspected-traffic where the
originator/responder roles would better to have been flipped to
reflect a known-server.

- Jon

More information about the Zeek mailing list