[Zeek] Detection of packets with no TCP flags set

anthony kasza anthony.kasza at gmail.com
Thu Feb 28 08:43:51 PST 2019


I tried feeding Zeek two pcap files.

The first was a single TCP SYN packet with the flags nulled out. Zeek
complained that the pcap only contained TCP control packets. The single
entry in the conn.log file had a conn_state of OTH.

The second was a single TLS connection over TCP. I nulled out the TCP flags
of a single encrypted data packet (after the TCP and TLS handshakes had
completed) and ran it through Zeek. Zeek processed the stream normally,
with correct files, conn, x509, and ssl log entries, as if the packet I
changed had the appropriate flags.

Could you say more about the null-flag packets you are referring to? Do you
know what they are generated from?

-AK


On Wed, Feb 27, 2019, 20:51 eshelton <eshelton at butler.net> wrote:

> Good evening,
>
> My Google-fu is failing me right now, so I wanted to reach out to the list
> to see if anyone has ever attempted to use Zeek to detect packets with no
> TCP flags set?
>
> In Snort land, a signature would look something like this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 and no
> TCP flags set"; flags:0; classtype:misc-activity; sid:7;)
>
> Before anyone asks, I'll just go ahead and state that "yes Virginia, these
> packets do really exist in the real world..." (though rare).
>
> Thanks in advance,
>
> -E
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
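A Zeek-script counterpart to the Snort rule above, added here as an example rather than code from either poster. It hooks the stock tcp_packet event (whose flags argument is a string containing one character per set flag, so an empty string means no flags) and raises a notice; the module name, the notice type and the watch_ports set are my own choices, and watch_ports defaults to 443/tcp only to mirror the Snort signature (redef it to an empty set to watch every port):

```zeek
@load base/frameworks/notice

module NullTCPFlags;

export {
    redef enum Notice::Type += {
        ## A TCP segment was seen with none of SYN/FIN/RST/ACK/PSH/URG set.
        Null_Flags
    };

    ## Responder ports to watch; an empty set means all ports.
    ## (Assumed option, defaults to 443/tcp to match the Snort rule.)
    const watch_ports: set[port] = { 443/tcp } &redef;
}

# tcp_packet is raised for every segment handed to the TCP analyzer, so this
# also fires for the lone nulled-out SYN that only produces an OTH connection.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    # flags is built from the set bits of the TCP header; "" means flags == 0.
    if ( flags != "" )
        return;

    if ( |watch_ports| > 0 && c$id$resp_p !in watch_ports )
        return;

    NOTICE([$note=Null_Flags,
            $msg=fmt("TCP segment with no flags set (%s, %d payload bytes)",
                     is_orig ? "orig->resp" : "resp->orig", len),
            $conn=c,
            # Suppress repeats per connection rather than per segment.
            $identifier=cat(c$id)]);
    }
```

Run it as `zeek -r capture.pcap null-tcp-flags.zeek` and look in notice.log; conn.log alone will not show the anomaly, since, as the reply above observes, Zeek reassembles the stream normally once the handshake has completed regardless of the flags on a later data segment.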

