Decode or decapsulation of HP ERM (Encapsulated Remote Mirroring)

Hello all,

I apologize if this is a newbie question, but that's what it is: I am new to this system, so I am having a hard time finding out how to add a script snippet to the Zeek configuration files.

I had opened an issue on the Zeek GitHub with the same subject: https://github.com/zeek/zeek/issues/1968
A developer kindly replied very quickly with the following code snippet:

If I understand correctly, you need to put the Zeek script into a file named, say, hperm.zeek. Next, place the file in your share/zeek/site directory. Then, in the same directory, edit local.zeek and at the bottom add:

@load hperm.zeek

Hope this helps.

Gary

Gary Huband
Sr. Software and Systems Engineer

Office: 434.284.8071 x720
Direct: 434.260.4995
Gary@MissionSecure.com

Hello Gary,

Thanks to your reply, it is confirmed that I was using the correct syntax.

In the end, the problem turned out to be that, in order to decode the HP_ERM datagrams, I had to strip out the first 12 bytes from the UDP packet, not the first 8 bytes.

So the script that is working for me right now is:
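The poster's Zeek script is not reproduced in this copy of the thread. As an added illustration (not the poster's script and not Zeek's own code), the following Python performs the decapsulation step described above outside of Zeek: drop the 12-byte HP ERM header from the UDP payload and treat what remains as an Ethernet frame. The 12 header bytes, MAC addresses and IP addresses in the sample are constructed placeholders, not real HP ERM field values; the check that the EtherType found after the header is a known value is the kind of sanity test that separates the correct 12-byte offset from the 8-byte offset the poster tried first.

```python
"""Strip the HP ERM encapsulation header from a UDP payload and check that
the remainder starts with a plausible Ethernet frame.

Added example for this thread; the HP ERM header is treated as 12 opaque
bytes, as the thread states, and its internal fields are not interpreted.
"""
import struct
from typing import Optional

HPERM_HEADER_LEN = 12          # per the thread: 12 bytes, not 8
WRONG_HEADER_LEN = 8           # the offset that did not work

# EtherTypes we accept as evidence that we are aligned on an Ethernet header.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decapsulate(udp_payload: bytes, header_len: int = HPERM_HEADER_LEN) -> bytes:
    """Return the bytes following the HP ERM header (the mirrored frame)."""
    if len(udp_payload) < header_len + 14:
        raise ValueError("payload too short for an HP ERM header plus an Ethernet header")
    return udp_payload[header_len:]


def looks_like_ethernet(frame: bytes) -> bool:
    """Cheap alignment check: is there a known EtherType at bytes 12-13?"""
    if len(frame) < 14:
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ethertype in KNOWN_ETHERTYPES


def parse_ethernet(frame: bytes) -> dict:
    """Parse the 14-byte Ethernet header; raise if the EtherType is unknown."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype not in KNOWN_ETHERTYPES:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}; header offset probably wrong")
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(packet: bytes) -> dict:
    """Minimal IPv4 header parse (no options handling beyond IHL, no checksum)."""
    ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "total_len": total_len,
            "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def find_header_len(udp_payload: bytes, candidates=(WRONG_HEADER_LEN, HPERM_HEADER_LEN)) -> Optional[int]:
    """Try candidate header lengths and return the first that aligns on Ethernet."""
    for header_len in candidates:
        if looks_like_ethernet(udp_payload[header_len:]):
            return header_len
    return None


# --- constructed sample datagram payload (placeholder values, not a capture) ---
SAMPLE_HPERM_HEADER = bytes(range(12))                      # 12 opaque header bytes
SAMPLE_ETH = struct.pack("!6s6sH",
                         bytes.fromhex("525400123456"),      # dst MAC (placeholder)
                         bytes.fromhex("001122334455"),      # src MAC (placeholder)
                         0x0800)                             # EtherType IPv4
SAMPLE_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                          bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left 0
SAMPLE_UDP_PAYLOAD = SAMPLE_HPERM_HEADER + SAMPLE_ETH + SAMPLE_IPV4


if __name__ == "__main__":
    offset = find_header_len(SAMPLE_UDP_PAYLOAD)
    print("detected HP ERM header length:", offset)
    eth = parse_ethernet(decapsulate(SAMPLE_UDP_PAYLOAD, offset))
    print("inner frame:", eth["src"], "->", eth["dst"], KNOWN_ETHERTYPES[eth["ethertype"]])
    print("inner IPv4:", parse_ipv4(eth["payload"]))
```

Running this against the constructed payload reports a 12-byte header and an inner IPv4 frame from 10.0.0.1 to 10.0.0.2; with the 8-byte offset the bytes at positions 12-13 fall inside the source MAC and do not match any EtherType, which is the failure mode the poster hit.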