<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Zeek is mainly connection oriented, rather than packet oriented. However, you *could* write a policy that allows for detection of these packets using the raw_packet, new_packet, or tcp packet events, bearing in mind the caveats in the documentation, particularly the expense of triggering events at the packet level.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">If there is a particular concern about these packets (covert communication channel, perhaps?), it would be of interest.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hope this helps,</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Jim</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 28, 2019 at 9:02 AM anthony kasza <<a href="mailto:anthony.kasza@gmail.com">anthony.kasza@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div>I tried feeding Zeek two pcap files. <div dir="auto"><br></div><div dir="auto">The first was a single TCP SYN packet with the flags nulled out. Zeek complained that the pcap only contained TCP control packets. The single entry in the conn.log file had a conn_state of OTH.</div><div dir="auto"><br></div><div dir="auto">The second was a single TLS connection over TCP. I nulled out the TCP flags of a single encrypted data packet (after the TCP and TLS handshakes had completed) and ran it through Zeek. Zeek processed the stream normally, with correct files, conn, x509, and ssl log entries, as if the packet I changed had the appropriate flags.</div><div dir="auto"><br></div><div dir="auto">Could you say more about the null-flag packets you are referring to? Do you know what they are generated from?</div><div dir="auto"><br></div><div dir="auto">-AK</div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 27, 2019, 20:51 eshelton <<a href="mailto:eshelton@butler.net" target="_blank">eshelton@butler.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Good evening,<div><br></div><div>My Google-fu is failing me right now, so I wanted to reach out to the list to see if anyone has ever attempted to use Zeek to detect packets with no TCP flags set?</div><div><br></div><div>In Snort land, a signature would look something like this:</div><div><br></div><div><div>alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 and no TCP flags set"; flags:0; classtype:misc-activity; sid:7;)</div></div><div><br></div><div>Before anyone asks, I'll just ahead and state that "yes Virginia, these packets do really exist in the real world..." (though rare).</div><div><br></div><div>Thanks in advance,</div><div><br></div><div>-E</div></div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" rel="noreferrer" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div></div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div>