Listening on both UDP/TCP

Hello There,

I see many of the existing protocols focus on either TCP or UDP, but nothing for both. I did notice that SIP has both TCP and UDP, however, the TCP portion is “not activated” (https://github.com/bro/bro/tree/master/src/analyzer/protocol/sip). Is there a good example of how to handle both? Is this something where I would need to register a listener in main.bro? For example:

const ports = { 5060/udp }; # existing
const ports_tcp = { 1234/tcp }; # new
redef likely_server_ports += { ports, ports_tcp };

event bro_init() &priority=5 {
    Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip"]);
    Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports); # existing
    Analyzer_TCP::register_for_ports(Analyzer_TCP::ANALYZER_SIP_TCP, ports_tcp); # new
}

Thanks,

Hi,

I see many of the existing protocols focus on either TCP or UDP, but
nothing for both. I did notice that SIP has both TCP and UDP, however, the
TCP portion is "not activated" (
https://github.com/bro/bro/tree/master/src/analyzer/protocol/sip). Is
there a good example of how to handle both? Is this something where I
would need to register a listener in main.bro? For example:

[...]

The closest to this is probably the TLS/DTLS analyzer. Similarly to SIP,
it actually is 2 analyzers (one for TLS over TCP and one for DTLS over
UDP) that share a lot of the code.

scripts/base/protocols/ssl/main.bro shows that both of them are just
initialized separately from each other. From a very cursory glance over
SIP, I think that one could just do the same there.

I hope this helps,
Johanna
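
The separate-registration pattern described in the reply above, sketched for the SIP case as an added example (not code from the Bro tree or from either poster). It assumes a build in which the SIP-over-TCP analyzer is activated and exposes the tag Analyzer::ANALYZER_SIP_TCP; that tag name and the set names are assumptions, and the ports are the ones from the question.

```bro
# Added example. ANALYZER_SIP_TCP is an assumed tag name: it exists only in a
# build where the SIP-over-TCP analyzer has been activated.
const sip_udp_ports = { 5060/udp };   # port from the question
const sip_tcp_ports = { 1234/tcp };   # port from the question

redef likely_server_ports += { sip_udp_ports, sip_tcp_ports };

event bro_init() &priority=5
	{
	# One call per analyzer, both through the same Analyzer framework
	# function; only the tag and the port set differ.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, sip_udp_ports);
	Analyzer::register_for_ports(Analyzer::ANALYZER_SIP_TCP, sip_tcp_ports);
	}

event bro_init() &priority=-5
	{
	# Check at startup: print what each tag is actually registered for, so a
	# transport that was left unregistered (and would go unparsed) is visible.
	print "SIP/UDP ports", Analyzer::registered_ports(Analyzer::ANALYZER_SIP);
	print "SIP/TCP ports", Analyzer::registered_ports(Analyzer::ANALYZER_SIP_TCP);
	}
```

The second handler runs after the first because of its lower priority, so its output reflects the completed registrations.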

Hey Johanna,

I followed your suggestion and looked at SSL, works great!

Thanks,