My question is: why does Bro recognize udp_reply events and not udp_request
events? The packets were only sent from one host to another and there
were no packets in the opposite direction.
I know that UDP packets from port 53 are often DNS replies, but an
assumption which is made because of the application-layer protocol
shouldn't have any impact on events on the transport-layer protocol...
Shouldn't - yes, that would be ideal. But in complex environments where
you don't necessarily see both sides of a request/response (due to reordering
caused by dual NICs, or multipathing, or drops, or "cold start" where the
request happened before Bro began running), it's proven beneficial to infer
directionality based on well-known ports.
It would be reasonable to add a script variable that turns this off, if
you want to contribute a patch.
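The effect described in the reply can be made visible with a small Bro script. This is an added example, not code from the thread or from Bro itself: it logs which of the two UDP events fires, which side Bro reported as originator, and flags a udp_reply for which no udp_request was seen on the same connection while the reported responder port is a well-known service port. The port set `well_known_udp_ports` is an assumption for the example, not the core's own table; the pcap with one-directional traffic from 10.0.0.1:53 to 10.0.0.2:40000 is constructed by the reader.

```bro
# Added example (not from the original thread or from Bro).
# Run as:  bro -r one-way-udp.pcap udp-flip.bro
# Assumed input: a pcap containing only packets 10.0.0.1:53 -> 10.0.0.2:40000.

module UDPFlip;

export {
    # Assumption for this example: ports the core is likely to treat as
    # "server" ports when it has to guess the orientation of a flow.
    const well_known_udp_ports: set[port] = { 53/udp, 123/udp, 161/udp } &redef;
}

# Connection UIDs for which a udp_request has already fired.
global request_seen: set[string];

function show(u: connection, ev: string)
    {
    print fmt("%s  uid=%s  orig=%s:%s  resp=%s:%s", ev, u$uid,
              u$id$orig_h, u$id$orig_p, u$id$resp_h, u$id$resp_p);
    }

event udp_request(u: connection)
    {
    add request_seen[u$uid];
    show(u, "udp_request");
    }

event udp_reply(u: connection)
    {
    show(u, "udp_reply");

    # A reply with no prior request on this connection: if the reported
    # responder port is a well-known service port, the core most likely
    # assigned the roles from the port rather than from packet direction.
    if ( u$uid !in request_seen && u$id$resp_p in well_known_udp_ports )
        print fmt("  -> reply without request; responder port %s is a well-known "
                  "service port, roles were probably inferred from the port",
                  u$id$resp_p);
    }

event connection_state_remove(c: connection)
    {
    # Keep the tracking set from growing without bound.
    delete request_seen[c$uid];
    }
```

On the constructed input the script prints a single udp_reply with orig=10.0.0.2:40000 and resp=10.0.0.1:53 plus the "reply without request" note, even though the only packets on the wire went from 10.0.0.1. Later Zeek releases expose the core's port table as the redefinable set `likely_server_ports`; to my knowledge, emptying it with a `redef` is the closest thing to the "turn it off" switch the reply mentions, but that set did not exist at the time of this thread.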