[Zeek] More in payload in a signature

James Lay jlay at slave-tothe-box.net
Wed Apr 29 08:13:03 PDT 2020


On Wed, 2020-04-29 at 12:46 +0200, Vincenzo wrote:
> Hi everyone, in Zeek's signature framework, is it possible to set
> multiple payloads in "AND" and not in "OR" within a signature?
> Example
> signature my-first-sig {
>      ip-proto == tcp
>      dst-port == 80
>      payload /.*root/
>      payload / Hello /
> 
>      event "Found root!"
> }
> 
> From the tests carried out it seems that the two payloads are in 'OR'
> and not in 'AND' conditions, do you have any suggestions?
> Thank you

Not that I found.  Have to make two separate sigs.

James
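
An added example, not part of the thread or of either poster's message: one way to express the two-signature approach so that an event fires only when both payload patterns match on the same connection, using the signature framework's `requires-signature` dependency condition. The signature ids, the event strings and the `/.*Hello/` pattern are constructed for illustration.

```zeek
# Constructed example (not from the original thread).
# Signature ids and event messages are hypothetical.

# First condition: the connection payload contains "root".
signature sig-payload-root {
    ip-proto == tcp
    dst-port == 80
    payload /.*root/
    # This event fires on "root" alone; a script handling
    # signature_match can ignore this sig id if only the
    # combined match is of interest.
    event "Found root"
}

# Second condition: the payload contains "Hello" AND
# sig-payload-root has matched for the same connection.
signature sig-payload-root-and-hello {
    ip-proto == tcp
    dst-port == 80
    payload /.*Hello/
    requires-signature sig-payload-root
    event "Found root and Hello"
}
```

Load the file with `@load-sigs` or `-s` and replay a capture in which the two strings arrive in each order, since this example has not been run against traffic and the dependency is evaluated per connection.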