[Zeek] dpd.sig rejection syntax

TQ nothinrandom at gmail.com
Mon Apr 22 16:21:19 PDT 2019


Thanks Jon.  Life saver as always!

On Mon, Apr 22, 2019 at 11:22 AM Jon Siwek <jsiwek at corelight.com> wrote:

> On Sun, Apr 21, 2019 at 2:58 PM TQ <nothinrandom at gmail.com> wrote:
>
> > There are two protocols, A and B, which use <STX> and <ETX> to
> > encapsulate their data.  Both protocols operate over 20+ ports, and the
> > only difference is that protocol B starts with lowercase 's' after \x02.
> > I've looked over the dpd.sig files on Zeek GitHub but didn't find anything
> > for rejection.
>
> Here's more extensive documentation on signatures:
>
> https://docs.zeek.org/en/latest/frameworks/signatures.html
>
> The negated "requires-signature" condition may be relevant to you.
>
> > I've tried adding (!s), [!s] after \x02, but protocol A stops
> > logging... so I know there's a syntax issue.
>
> The syntax generally follows these rules:
>
> http://westes.github.io/flex/manual/Patterns.html
>
> So [^s] means "anything except an 's' character".
>
> - Jon
>
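As an added illustration, not code from the thread or from Zeek's own dpd.sig files, here is how Jon's [^s] advice and the negated requires-signature condition fit together for the two framed protocols. The analyzer names "proto_a" and "proto_b" and the port range 5000-5020 are placeholders standing in for the real analyzers and the 20+ ports.

```zeek
# Added example: DPD signatures for two <STX>-framed protocols on the same ports.
# Assumptions: protocol analyzers registered under the hypothetical names
# "proto_a" and "proto_b"; 5000-5020 is a constructed stand-in for the real ports.

signature dpd_proto_b_client {
    ip-proto == tcp
    dst-port == 5000-5020
    # <STX> (0x02) followed by a literal lowercase 's' marks protocol B
    payload /^\x02s/
    tcp-state originator
    enable "proto_b"
}

signature dpd_proto_a_client {
    ip-proto == tcp
    dst-port == 5000-5020
    # <STX> followed by any single byte that is NOT 's'.  [^s] is the flex
    # negated character class; (!s) or [!s] would instead match a literal '!'
    # (and, for [!s], a literal 's'), which is why protocol A stopped logging.
    payload /^\x02[^s]/
    tcp-state originator
    # Extra guard: do not enable A on a connection already classified as B.
    # The two payload patterns are already mutually exclusive, so this only
    # matters if the signatures are later loosened.
    requires-signature ! dpd_proto_b_client
    enable "proto_a"
}
```

The file is loaded from a Zeek script with `@load-sigs ./proto_ab.sig`, after which each connection on those ports is handed to exactly one of the two analyzers.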

