zeek/testing/btest/signatures/tcp-syn-with-payload.zeek
Jon Siwek 9c4e44924f GH-664: fix signature matching for payload-carrying SYN packets
Or more generally, signatures would not work correctly for any case
where the first TCP packet seen contained payload data, regardless of
its TCP flags.
2019-10-29 17:20:08 -07:00


# @TEST-EXEC: zeek -b -s payload-http.sig -r $TRACES/tcp/payload-syn.pcap %INPUT >payload-syn.out
# @TEST-EXEC: zeek -b -s payload-http.sig -r $TRACES/tcp/payload-synack.pcap %INPUT >payload-synack.out
# @TEST-EXEC: zeek -b -s payload-http.sig -r $TRACES/tcp/tcp-fast-open.pcap %INPUT >tcp-fast-open.out
# @TEST-EXEC: btest-diff payload-syn.out
# @TEST-EXEC: btest-diff payload-synack.out
# @TEST-EXEC: btest-diff tcp-fast-open.out
@TEST-START-FILE payload-http.sig
# Signature exercised by the three traces above (SYN with payload, SYN-ACK
# with payload, TCP Fast Open): a TCP connection to port 80 whose payload
# contains "passwd".  Zeek anchors payload patterns at the start of the data,
# so the leading ".*" is what lets the match land at any offset -- including
# inside payload carried on the very first packet of the connection.
signature test-signature {
	# Header conditions; every condition in a signature must hold, so the
	# order they are listed in does not matter.
	dst-port = 80
	ip-proto == tcp
	# Content condition on the TCP payload.
	payload /.*passwd/
	# Action: raise signature_match with this message as ``msg``.
	event "payload of dst-port=80/tcp contains 'passwd'"
}
@TEST-END-FILE
## Emit one line per signature hit so btest-diff can compare the run against
## its baseline.  Only the connection 5-tuple and the signature's message are
## printed; the matched payload (``data``) is not echoed, which keeps the
## baseline independent of the exact bytes in each trace.
event signature_match(state: signature_state, msg: string, data: string)
	{
	local hit = fmt("signature_match %s - %s", state$conn$id, msg);
	print hit;
	}