Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/testing/btest/signatures/udp-state.zeek
Jon Siwek 5904d0708f GH-779: Add "udp-state" signature condition 
It accepts "originator" or "responder" states as a way to enforce that
the signature only matches packets in the associated direction.
The "established" state is rejected as an error since it doesn't
have a useful meaning like it does for the "tcp-state" condition.
2020-10-09 13:43:17 -07:00

36 lines
872 B
Text
Raw Permalink Blame History

# @TEST-EXEC: zeek -b -s udp-states.sig -r $TRACES/dns-caa.pcap %INPUT >out
# @TEST-EXEC-FAIL: zeek -b -s udp-established.sig -r $TRACES/dns-caa.pcap %INPUT >reject 2>&1
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff reject
@TEST-START-FILE udp-states.sig
signature my_sig_udp_orig {
ip-proto == udp
payload /.+/
udp-state originator
event "my_sig_udp_orig"
}
signature my_sig_udp_resp {
ip-proto == udp
payload /.+/
udp-state responder
event "my_sig_udp_resp"
}
@TEST-END-FILE
@TEST-START-FILE udp-established.sig
signature my_sig_udp_est {
ip-proto == udp
payload /.+/
udp-state established
event "my_sig_udp_est"
}
@TEST-END-FILE
event signature_match(state: signature_state, msg: string, data: string)
{
print fmt("signature_match %s - %s", state$conn$id, msg);
local s = split_string(hexdump(data), /\n/);
for ( i in s ) print s[i];
}
Reference in a new issue View git blame Copy permalink