Regarding udp_content event

Zeek
1

Hi,

I am going through UDP events bro generates.
I have a one use case, for example, UDP transaction is initiated by a control point to auto discover devices present in the network. Control point broadcasts, UDP request for lets say, IP1(192.168.1.1)->Broadcast(192.168.1.255)->SP(54632->DP(3702)->UDP and the contents exchanged in the request.
Devices who receives those broadcast requests, responds with unicast message saying I am the one you are looking for, IP2(192.168.1.2)->IP1(192.168.1.1)->DP(3702)->SP(54632)->UDP and the contents exchanged in the response.

There will be two different connections for bro because of two different 5 tuples.
What I wish to extract is the raw content exchanged over both request and response packet.
I came across udp_content event. After looking in the implementation, configuration supports only destination ports to be checked. But for response packet, bro has maintained a different connection in which source port is the one I am interested in. Flow also will not be flipped by bro because the port is not added in “likely_server_ports”. Also I tried adding port 3702 in “likely_server_ports” list, bro still did not raise udp_content event.

Is there any way I can extract UDP contents from both request(no problem extracting request content) and response without adding ports in "likely_server_ports" list??
Or
Even when I am adding those ports in the list, I don’t get the event.

Here’s how the configuration looks like,
const udp_content_delivery_ports_orig: table[port] of bool = {[3702/udp] = T} &redef;
const udp_content_delivery_ports_resp: table[port] of bool = {[3702/udp] = T} &redef;

const udp_content_deliver_all_orig = F &redef;
const udp_content_deliver_all_resp = F &redef;

test.bro
const ports = {37020/udp, 1900/udp, 3702/udp};
redef likely_server_ports += { ports };

event udp_contents(c: connection, is_orig: bool, contents: string)
{
print “-----------------------------------------------------”;
print “Contents:”, c$id, is_orig, |contents|, contents;
print “-----------------------------------------------------”;
}

Output:

2

Is there any way I can extract UDP contents from both request(no problem extracting request content) and response without adding ports in "likely_server_ports" list??

Think modifying "likely_server_ports" is the right approach here.

Even when I am adding those ports in the list, I don't get the event.

Yeah, that looks like a bit of a deficiency in how UDP contents
generally works for those "content delivery ports" tables: it's just
tracking the exact "destination port" per UDP packet, so I'm
suggesting to add an additional option to instead track according to
the Connection's "responder" port. That will also correctly track any
role flipping that occurs from the "likely server ports" logic. The
PR for this is here:

    Add new "udp_content_delivery_ports_use_resp" option by jsiwek · Pull Request #900 · zeek/zeek · GitHub

- Jon

3

Awesome, thanks!

4

Hi Jon,

Instead configuring zeek to say these are likely to be server ports.
What would happen if we introduce a check for source port as well with the destination port?
Did you consider this approach?

Thanks and Regards,
Nabil
Phone: +91 81477 17034

5

Yeah, that's an alternate idea that would work. I added such an
option, called "udp_content_ports", to the Pull Request if you find it
more convenient, although configuring likely server ports may still
generally be useful if you commonly find inspected-traffic where the
originator/responder roles would better to have been flipped to
reflect a known-server.

- Jon

6

Fair enough. Thanks Jon.