[Zeek] dpd.sig rejection syntax

TQ nothinrandom at gmail.com
Sun Apr 21 14:48:43 PDT 2019


Hello All,

There are two protocols, A and B, which use <STX> and <ETX> to encapsulate
their data.  Both protocols operate over 20+ ports, and the only difference
is that protocol B starts with a lowercase 's' after \x02.  I've looked over
the dpd.sig files on Zeek GitHub but didn't find anything for rejection.
I've tried adding (!s) and [!s] after \x02, but protocol A stops logging, so
I know there's a syntax issue.

##! Match for <STX>...<ETX> sent by the client side.
signature dpd_02_03_client {
  ip-proto == tcp
  # <STX>, up to 1500 bytes of anything, then <ETX>.  As in flex, '.' in a
  # Zeek pattern does not match a newline byte (0x0a), so a frame carrying
  # 0x0a between the delimiters is not matched by this rule.
  payload /\x02.{0,1500}\x03/
  tcp-state originator
  enable "A"
}

##! Match for <STX>...<ETX> sent by the server side.
signature dpd_02_03_server {
  ip-proto == tcp
  payload /\x02.{0,1500}\x03/
  tcp-state responder
  # The analyzer name must be identical to the client rule's; the posted
  # version had a stray leading space (" A"), which names a different analyzer.
  enable "A"
}

Thanks,
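One way to write the split the post is asking for, added here as an example and not taken from the post or from Zeek's own dpd.sig files: the Zeek signature language has no rejection keyword and no negative lookahead, so "anything but 's'" is expressed with a negated character class, `[^s]`, placed directly after the STX byte. The analyzer names "A" and "B" are placeholders for whatever analyzers the poster's `enable` lines refer to, the signature names are invented, and it is assumed that protocol B carries the leading 's' in both directions. Two properties of Zeek signatures shape the patterns: the payload regex is implicitly anchored to the start of the stream, and, as in flex, `.` does not match a newline byte (0x0a).

```zeek
# Added example, not from the original post.  "A" and "B" are assumed
# analyzer names; the signature names are invented for illustration.

# Protocol B: <STX> immediately followed by a lowercase 's'.
# 1499 keeps the whole frame within the 1500 bytes the post used.
signature dpd_b_client {
  ip-proto == tcp
  payload /\x02s.{0,1499}\x03/
  tcp-state originator
  enable "B"
}

signature dpd_b_server {
  ip-proto == tcp
  payload /\x02s.{0,1499}\x03/
  tcp-state responder
  enable "B"
}

# Protocol A: <STX> followed by a byte that is NOT 's', or an empty frame.
# The group is optional so that a bare <STX><ETX> still counts as A;
# without it, "\x02\x03" would match neither rule.
signature dpd_a_client {
  ip-proto == tcp
  payload /\x02([^s].{0,1499})?\x03/
  tcp-state originator
  enable "A"
}

signature dpd_a_server {
  ip-proto == tcp
  payload /\x02([^s].{0,1499})?\x03/
  tcp-state responder
  enable "A"
}
```

With these rules an 's' frame can only satisfy the B signatures, because for the A pattern the optional group fails on 's' and the following `\x03` then fails on the same byte. If A frames may legitimately contain 0x0a, replace `.` in both patterns with an explicit byte class, since `.` will stop the match at a newline.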