Hi,
First time posting. Links to documentation and RTM comments are welcome responses. Please be patient.
Is there an easy method to trigger an event based on the TCP urgent flag? I am looking at Zeek::TCP tcp_packet but it is listed as a low-level and noisy event. I’d like to set up something that leverages Zeek instead of a separate tcpdump. I’d like to use connection events but I do not see an easy way to detect if the urgent flag is set.
If anyone has ideas/solutions better than tcp_packet or tcpdump, I’d love to get that feedback. Thanks.
Tyrone Smith
University of Delaware
Security Operations
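Added example (not part of the original post, and not Zeek code): the bit-level check that any URG-flag detection performs, whether it is tcpdump's `tcp[13] & 32 != 0` / `tcp[tcpflags] & tcp-urg != 0` filter or a Zeek `tcp_packet` handler testing the `flags` string for `U`. The TCP headers below are constructed sample data with a zero checksum; the function and connection names are the example's own.

```python
"""Bit-level TCP URG detection over constructed sample headers."""
import struct

# Flag bits in the TCP flags byte (byte offset 13 from the start of the TCP
# header).  tcpdump's `tcp[13] & 32 != 0` tests exactly the URG bit below.
TCP_FLAG_BITS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}
# 20-byte TCP header without options:
# sport, dport, seq, ack, data-offset byte, flags byte, window, checksum, urg ptr
TCP_HEADER_FMT = "!HHIIBBHHH"


def build_tcp_header(sport, dport, seq, ack, flags, urg_ptr=0, window=65535):
    """Construct a minimal 20-byte TCP header (sample data; checksum left 0)."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack(TCP_HEADER_FMT, sport, dport, seq, ack,
                       data_offset, flags, window, 0, urg_ptr)


def tcp_flags(tcp_header: bytes) -> set:
    """Return the names of all flag bits set in the header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header truncated")
    flags_byte = tcp_header[13]
    return {name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit}


def tcp_urg_set(tcp_header: bytes) -> bool:
    """True when the URG bit is set (same test as tcpdump's tcp[13] & 32)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header truncated")
    return bool(tcp_header[13] & TCP_FLAG_BITS["URG"])


def urgent_pointer(tcp_header: bytes) -> int:
    """Urgent pointer field (bytes 18-19); only meaningful when URG is set."""
    return struct.unpack("!H", tcp_header[18:20])[0]


def filter_urg(packets):
    """Keep only packets whose URG bit is set, returning (conn_id, urg_ptr).

    This is the cheap pre-filter a per-packet handler should apply first so
    the noisy stream of ordinary packets is discarded before any logging.
    """
    return [(conn_id, urgent_pointer(hdr))
            for conn_id, hdr in packets if tcp_urg_set(hdr)]


# Constructed samples: one segment with URG|ACK|PSH and urgent pointer 1,
# one ordinary ACK|PSH segment.  Ports and sequence numbers are arbitrary.
SAMPLE_URG = build_tcp_header(40000, 23, 1000, 2000,
                              TCP_FLAG_BITS["URG"] | TCP_FLAG_BITS["ACK"]
                              | TCP_FLAG_BITS["PSH"], urg_ptr=1)
SAMPLE_PLAIN = build_tcp_header(40001, 443, 1000, 2000,
                                TCP_FLAG_BITS["ACK"] | TCP_FLAG_BITS["PSH"])
SAMPLE_PACKETS = [("conn-a", SAMPLE_URG), ("conn-b", SAMPLE_PLAIN)]

if __name__ == "__main__":
    for conn_id, hdr in SAMPLE_PACKETS:
        print(conn_id, sorted(tcp_flags(hdr)), "urg_ptr=%d" % urgent_pointer(hdr))
    print("URG segments:", filter_urg(SAMPLE_PACKETS))
```

The same test expressed in Zeek's `tcp_packet` handler is `"U" in flags` (the handler's `flags` string carries one letter per set flag); checking that first and returning immediately otherwise is what keeps a handler on a noisy low-level event affordable, since only the rare URG segments reach the logging path.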