[Zeek] More in payload in a signature

Vincenzo vincyforce at gmail.com
Wed Apr 29 03:46:34 PDT 2020


Hi everyone, in Zeek's signature framework, is it possible to set multiple
payloads in "AND" and not in "OR" within a signature?
Example:
signature my-first-sig {
     ip-proto == tcp
     dst-port == 80
     payload /.*root/
     payload / Hello /

     event "Found root!"
}

From the tests carried out it seems that the two payloads are in 'OR' and
not in 'AND' conditions, do you have any suggestions?
Thank you