Help with zeek script

Manju_Lalwani · April 27, 2019, 10:47am

Hi Team,

I am working on a Zeek script and would like to understand how can I make Zeek look only for the first ten packets in a tcp session.The first ten packets are enough to fingerprint the traffic I am trying to identify and so would to ensure my script also looks at only the first 10 packets to save processing time.

The communication is as follows :

There is the initial 3 way handshake and then there are 7 packets with variable lengths and on a non-default destination port/service. So I had to use the tcp_packet event in my script. Is there a better way of doing it ? Using tcp_packet would make my script to check for all tcp packets increasing the load on my zeek system.

Please do let me know if you have any suggestions for me on this. Looking forward to your response.

Thanks,
Manju Lalwani

johanna · June 20, 2019, 5:27pm

Hi,

also a bit late, but...

I am working on a Zeek script and would like to understand how can I make
Zeek look only for the first ten packets in a tcp session.

At the moment - there sadly probably is not better approach than what you
already found in script-land - we don't offer any specialized event to
only get notified for the first x packets.

A more complicated alternative is to write a C++-level analyzer - which could drop out
after a set number of packets.

Johanna

Topic		Replies	Views
Zeek script to look for first few packets Zeek	3	204	May 6, 2022
zeek performance with some events activated Zeek	4	100	May 6, 2022
Method to detect tcp urgent flag Zeek	1	139	May 6, 2022
Mirror the first N packets of a flow to Zeek Zeek	3	115	May 6, 2022
zeek and tcpdump packet mismatch Zeek development	5	526	December 25, 2023

Help with zeek script

Related topics