There are two protocols, A and B, which use <STX> and <ETX> to encapsulate their data. Both protocols operate over 20+ ports, and the only difference is that protocol B starts with a lowercase 's' after \x02. I've looked over the dpd.sig files on Zeek GitHub but didn't find anything for rejection. I've tried adding (!s), [!s] after \x02, but protocol A stops logging… so I know there's a syntax issue.
##! Match for …
signature dpd_02_03_client {
  ip-proto == tcp
}
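An added illustration of why both attempts break protocol A (this is not part of the original post and not Zeek's own code). Zeek's `payload /.../` condition is a regular expression, and neither `(!s)` nor `[!s]` is a negation in regex syntax: `(!s)` is a group matching the literal two bytes "!s", and `[!s]` is a character class matching either "!" or "s". The negation wanted here is a negated character class, `payload /^\x02[^s]/`, which accepts any byte except lowercase "s" directly after STX. Zeek's matcher is DFA-based and has no lookahead, so `(?!s)` is not an alternative. The script below uses Python's `re`, which agrees with Zeek's flex-style pattern syntax for the constructs involved (`\xNN` escapes, `^`, groups, character classes), to run the three candidate patterns over constructed STX/ETX messages; the sample payloads and the helper names `classify` and `discriminates` are my own assumptions.

```python
import re

# Constructed sample payloads (not taken from the original post).
# Both protocols frame a message as <STX> body <ETX>, i.e. \x02 ... \x03;
# protocol B's body starts with a lowercase 's', protocol A's does not.
SAMPLES = {
    "A_upper":    b"\x02STATUS,42\x03",   # protocol A, body starts with 'S'
    "A_digit":    b"\x021234\x03",        # protocol A, body starts with a digit
    "B_lower_s":  b"\x02sensor,7\x03",    # protocol B, body starts with 's'
    "A_only_stx": b"\x02",                # only STX seen so far, nothing to decide on
}

# Candidate patterns, written as they would appear inside Zeek's payload /.../.
CANDIDATES = {
    "attempt_paren":  rb"^\x02(!s)",   # group: requires the literal bytes "!s" after STX
    "attempt_class":  rb"^\x02[!s]",   # class: matches '!' OR 's' after STX
    "negated_class":  rb"^\x02[^s]",   # negated class: any single byte except 's'
}


def matches(pattern: bytes, payload: bytes) -> bool:
    """Anchored match at the start of the payload, like Zeek's payload condition."""
    return re.match(pattern, payload) is not None


def classify(pattern: bytes) -> dict:
    """Run one candidate pattern over every sample payload."""
    return {name: matches(pattern, payload) for name, payload in SAMPLES.items()}


def discriminates(pattern: bytes) -> bool:
    """True if the pattern accepts every complete protocol-A message and rejects B."""
    r = classify(pattern)
    return r["A_upper"] and r["A_digit"] and not r["B_lower_s"]


if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        print(f"{name:15s} {pattern!r:16} ok={discriminates(pattern)} {classify(pattern)}")
```

Note that `A_only_stx` never matches `^\x02[^s]`: the signature needs at least one byte after STX before it can decide, which is fine for a TCP signature since Zeek matches against the reassembled stream and re-evaluates as more data arrives.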
Here's more extensive documentation on signatures: