dpd.sig rejection syntax

Hello All,

There are two protocols, A and B which use <STX> and <ETX> to encapsulate their data. Both protocols operate over 20+ ports, and the only difference is that protocol B starts with lowercase ‘s’ after \x02. I’ve looked over the dpd.sig files on Zeek GitHub but didn’t find anything for rejection. I’ve tried adding (!s), [!s] after \x02, but protocol A stops logging… so I know there’s a syntax issue.

##! Match for …
signature dpd_02_03_client {
  ip-proto == tcp
  payload /\x02.{0,1500}\x03/
  tcp-state originator
  enable "A"
}

##! Match for …
signature dpd_02_03_server {
  ip-proto == tcp
  payload /\x02.{0,1500}\x03/
  tcp-state responder
  enable "A"
}

Thanks,

There are two protocols, A and B which use <STX> and <ETX> to encapsulate their data. Both protocols operate over 20+ ports, and the only difference is that protocol B starts with lowercase 's' after \x02. I've looked over the dpd.sig files on Zeek GitHub but didn't find anything for rejection.

Here's more extensive documentation on signatures:

https://docs.zeek.org/en/latest/frameworks/signatures.html

The negated "requires-signature" condition may be relevant to you.

I've tried adding (!s), [!s] after \x02, but protocol A stops logging... so I know there's a syntax issue.

The syntax generally follows these rules:

So [^s] means "anything except an 's' character"

- Jon
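The two approaches from the reply above, written out as client-side signatures. This is an added example and not code from the thread: the signature IDs and the analyzer name "B" are assumptions, and the server-side signatures would mirror these with tcp-state responder.

```zeek
# Constructed example. "A" and "B" stand for the thread's placeholder
# analyzer names; the signature IDs are hypothetical.
#
# Why the attempts in the question stop protocol A from matching:
#   (!s)  is a group containing the literal two bytes "!s"
#   [!s]  is a character class matching one byte that is '!' or 's'
# Inside a character class, negation is written with a leading '^'.

# Approach 1: negated character class.
# The first byte after STX (\x02) must be anything except 's'.
signature dpd_a_client {
  ip-proto == tcp
  payload /\x02[^s].{0,1500}\x03/
  tcp-state originator
  enable "A"
}

# Protocol B: the first byte after STX is a lowercase 's'.
signature dpd_b_client {
  ip-proto == tcp
  payload /\x02s.{0,1500}\x03/
  tcp-state originator
  enable "B"
}

# Approach 2: keep the broad STX ... ETX pattern for A, and add a
# negated requires-signature so it only matches when the B signature
# has not matched on the same connection.
signature dpd_a_client_alt {
  ip-proto == tcp
  payload /\x02.{0,1500}\x03/
  tcp-state originator
  requires-signature !dpd_b_client
  enable "A"
}
```

Use either dpd_a_client or dpd_a_client_alt for protocol A, not both.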

Thanks Jon. Life saver as always!