[Zeek] Regarding udp_content event

Nabil Memon nabilmemon.ec at gmail.com
Thu Apr 9 23:06:54 PDT 2020


Fair enough. Thanks Jon.

On Wed, Apr 8, 2020 at 1:40 AM Jon Siwek <jsiwek at corelight.com> wrote:

> On Tue, Apr 7, 2020 at 2:43 AM Nabil Memon <nabilmemon.ec at gmail.com>
> wrote:
>
> > Instead of configuring Zeek to say these are likely to be server ports,
> > what would happen if we introduce a check for source port as well with
> > the destination port?
> > Did you consider this approach?
>
> Yeah, that's an alternate idea that would work.  I added such an
> option, called "udp_content_ports", to the Pull Request if you find it
> more convenient, although configuring likely server ports may still
> generally be useful if you commonly find inspected-traffic where the
> originator/responder roles would better have been flipped to
> reflect a known-server.
>
> - Jon
>