[Zeek] Regarding udp_content event
jsiwek at corelight.com
Tue Apr 7 13:10:38 PDT 2020
On Tue, Apr 7, 2020 at 2:43 AM Nabil Memon <nabilmemon.ec at gmail.com> wrote:
> Instead configuring zeek to say these are likely to be server ports.
> What would happen if we introduce a check for source port as well with the destination port?
> Did you consider this approach?
Yeah, that's an alternate idea that would work. I added such an
option, called "udp_content_ports", to the Pull Request if you find it
more convenient, although configuring likely server ports may still
generally be useful if you commonly find inspected-traffic where the
originator/responder roles would better to have been flipped to
reflect a known-server.
More information about the Zeek