[Zeek] dpd.sig rejection syntax
Jon Siwek
jsiwek at corelight.com
Mon Apr 22 11:22:32 PDT 2019
On Sun, Apr 21, 2019 at 2:58 PM TQ <nothinrandom at gmail.com> wrote:
> There are two protocols, A and B which use <STX> and <ETX> to encapsulate their data. Both protocols operate over 20+ ports, and the only difference is that protocol B starts with lowercase 's' after \x02. I've looked over the dpd.sig files on Zeek GitHub but didn't find anything for rejection.
Here's more extensive documentation on signatures:
https://docs.zeek.org/en/latest/frameworks/signatures.html
The negated "requires-signature" condition may be relevant to you.
> I've tried adding (!s), [!s] after \x02, but protocol A stops logging... so I know there's a syntax issue.
The syntax generally follows these rules:
http://westes.github.io/flex/manual/Patterns.html
So [^s] means "anything except an 's' character".
- Jon
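As an added illustration (not from the thread or the Zeek project), here is what the two signatures might look like in a dpd.sig file, using the character-class form and, as an alternative, the negated requires-signature condition that Jon points to. The analyzer names "PROTO_A" and "PROTO_B" are placeholders for whatever the real analyzers are registered as:

```zeek
# dpd_stx.sig -- added example, not part of the original message or of Zeek.
# Assumes two TCP analyzers registered under the hypothetical names
# "PROTO_A" and "PROTO_B"; both framings are <STX> (\x02) ... <ETX> (\x03).

# Protocol B: the payload starts with STX immediately followed by 's'.
signature dpd_proto_b {
  ip-proto == tcp
  payload /^\x02s/
  enable "PROTO_B"
}

# Protocol A, form 1: STX followed by any byte other than 's'.
# [^s] is the negated character class. The forms tried in the thread
# mean something else in flex syntax: (!s) is the literal two bytes "!s",
# and [!s] is the set {'!', 's'}, so neither matches a normal A payload.
signature dpd_proto_a {
  ip-proto == tcp
  payload /^\x02[^s]/
  enable "PROTO_A"
}

# Protocol A, form 2: match any STX-framed payload, but only on
# connections where dpd_proto_b has NOT matched. The leading '!'
# negates the requires-signature condition.
signature dpd_proto_a_alt {
  ip-proto == tcp
  payload /^\x02/
  requires-signature ! dpd_proto_b
  enable "PROTO_A"
}
```

Use one of the two protocol A forms, not both. Note that `[^s]` requires a second byte to be present in the data seen so far, so a payload consisting of a lone STX would not yet match form 1; form 2 does not have that dependency, but it relies on dpd_proto_b being evaluated on the same connection, as the requires-signature documentation describes.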