[Zeek] PE import table

[Neslog]

I'd like to generate an alert for Go binaries for Windows platforms.  Looks
like there's a .symtab section and I'd like to pattern match in that
section.  I'd like to do something like below.

event pe_section_header(f: fa_file, h: PE::SectionHeader)
if  ( /symtab/ in h$name )
  if ( /Go build ID/ in h$data )   #h$data not available yet?
         Raise notice.

Has anyone done anything like this yet?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190807/8a82a693/attachment.html