Sysinternals / SysmonForLinux

MIT License

Event 3 connections with UDP report Destination IP as 127.0.0.1 #126

Open tmccurry-whiskerlabs opened 1 year ago

tmccurry-whiskerlabs commented 1 year ago

Describe the bug
Event 3 network connections list the destination IP as 127.0.0.1 when using the UDP protocol. This should be the actual UDP destination.

To Reproduce
Install sysmon using the configuration below. Run netcat or nmap with UDP, e.g. `netcat -u -z -v microsoft.com 1-1000` or `sudo nmap -sU microsoft.com`.

Sysmon version
Sysmon v1.1.1

Distro/kernel version

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Sysmon configuration

ssm-agent-worker

Logs

May 16 16:05:17 ip-172-16-101-22 sysmon: 354300x80000000000000002090Linux-Sysmon/Operationalip-172-16-101-22-2023-05-16 16:05:17.776{ec27765c-a9bd-6463-0597-4ede36560000}132004/usr/bin/nc.openbsd-udpfalsefalse127.0.0.53-53-false127.0.0.1-49232-
May 16 16:05:22 ip-172-16-101-22 sysmon: 354300x80000000000000002093Linux-Sysmon/Operationalip-172-16-101-22-2023-05-16 16:05:22.749{ec27765c-a9c2-6463-0517-9f7a3e560000}132005/usr/bin/nc.openbsd-udpfalsefalse127.0.0.53-53-false127.0.0.1-49787-
May 16 16:05:53 ip-172-16-101-22 sysmon: 354300x80000000000000002098Linux-Sysmon/Operationalip-172-16-101-22-2023-05-16 16:05:53.157{ec27765c-a9e1-6463-7592-9a8eb8550000}132007/usr/bin/hostname-udpfalsefalse127.0.0.53-53-false127.0.0.1-54098-

Expected behavior
The actual destination IP should be in the log, not 127.0.0.1.

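An added triage helper, not part of the issue or of the SysmonForLinux project, for analysts who see the pattern reported above in their logs. It rebuilds the first log line as a Sysmon Event 3 XML record (the `Data` names follow the Sysmon NetworkConnect schema; the XML wrapper is constructed here, since the issue shows the record with its tags stripped) and flags UDP events whose destination is loopback, separating records that look like replies from the systemd-resolved stub (source 127.0.0.53:53, `Initiated=false`) from other loopback UDP traffic. That reading of the record is the example's assumption, not a statement from the issue.

```python
"""Triage Sysmon for Linux Event 3 records for the UDP loopback-destination pattern."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: values come from the first log line in the issue; the
# XML wrapper and Data names are assumed from the Sysmon Event 3 schema.
SAMPLE_EVENT = """<Event><System><Provider Name="Linux-Sysmon"/>
<EventID>3</EventID><EventRecordID>2090</EventRecordID>
<Channel>Linux-Sysmon/Operational</Channel><Computer>ip-172-16-101-22</Computer>
</System><EventData>
<Data Name="UtcTime">2023-05-16 16:05:17.776</Data>
<Data Name="ProcessId">132004</Data>
<Data Name="Image">/usr/bin/nc.openbsd</Data>
<Data Name="Protocol">udp</Data>
<Data Name="Initiated">false</Data>
<Data Name="SourceIp">127.0.0.53</Data>
<Data Name="SourcePort">53</Data>
<Data Name="DestinationIp">127.0.0.1</Data>
<Data Name="DestinationPort">49232</Data>
</EventData></Event>"""


def parse_event3(xml_text):
    """Return the EventData fields of an Event 3 record as a dict, or None otherwise."""
    root = ET.fromstring(xml_text)
    if root.findtext("System/EventID") != "3":
        return None
    return {d.get("Name"): d.text for d in root.iter("Data")}


def classify(ev):
    """Label a parsed Event 3 record for triage."""
    if ev["Protocol"] != "udp":
        return "not-udp"
    src = ipaddress.ip_address(ev["SourceIp"])
    dst = ipaddress.ip_address(ev["DestinationIp"])
    if not dst.is_loopback:
        return "ok"
    # Initiated=false with the stub resolver (127.0.0.53:53) as the source is
    # consistent with the inbound DNS reply being recorded, so the remote
    # peer of the original datagram is not present in this event.
    if ev["Initiated"] == "false" and src.is_loopback and ev["SourcePort"] == "53":
        return "loopback-dns-reply"
    return "loopback-udp"


if __name__ == "__main__":
    fields = parse_event3(SAMPLE_EVENT)
    print(fields["Image"], fields["DestinationIp"], classify(fields))
```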