[Zeek] Detection of packets with no TCP flags set
eshelton
eshelton at butler.net
Wed Feb 27 19:47:57 PST 2019
Good evening,
My Google-fu is failing me right now, so I wanted to reach out to the list
to see if anyone has ever attempted to use Zeek to detect packets with no
TCP flags set?
In Snort land, a signature would look something like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 and no TCP flags set"; flags:0; classtype:misc-activity; sid:7;)
Before anyone asks, I'll just go ahead and state that "yes Virginia, these
packets do really exist in the real world..." (though rare).
Thanks in advance,
-E
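As an added example that is not part of the original post, a Zeek script expressing the same condition as the Snort rule above (destination port 443, raw TCP flag byte equal to zero) as a notice; it assumes a Zeek release that provides the `new_packet` event and the `pkt_hdr`/`tcp_hdr` records, and the module name, notice type and `watch_port` constant are assumptions chosen for this example:

```zeek
@load base/frameworks/notice

module NullFlags;

export {
    redef enum Notice::Type += {
        ## A TCP segment arrived with none of the TCP flag bits set.
        TCP_No_Flags
    };

    ## Destination port to watch, mirroring the Snort rule's "443".
    ## Assumed constant for this example; redef to 0/tcp to watch all ports.
    const watch_port = 443/tcp &redef;
}

# new_packet is raised for every packet once a handler exists, which is
# expensive on busy links; the early returns keep the per-packet work small.
event new_packet(c: connection, p: pkt_hdr)
    {
    # Only TCP headers carry a flag byte.
    if ( ! p?$tcp )
        return;

    # p$tcp$flags is the raw flag byte from the header; zero means no
    # SYN/ACK/FIN/RST/PSH/URG (or ECE/CWR) bit is set, i.e. Snort's flags:0.
    if ( p$tcp$flags != 0 )
        return;

    # Optional port filter, matching the "-> $EXTERNAL_NET 443" of the rule.
    if ( watch_port != 0/tcp && p$tcp$dport != watch_port )
        return;

    NOTICE([$note=TCP_No_Flags,
            $conn=c,
            $msg=fmt("TCP packet with no flags set: %s:%s -> %s:%s",
                     c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p),
            # Suppress repeats for the same endpoint pair for the default
            # Notice::default_suppression_interval.
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Because the check runs per packet rather than per connection, keep it loaded only where the traffic volume allows, or narrow `watch_port` to the ports of interest.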