EVENT CORRELATION

USER-DEFINED EVENT SCRIPT W/ SIGNATURE SCRIPTS

This method combines Zeek user-defined event scripts with signature scripts.

#This is an event script that detects whether our previously created "ftp-admin" rule has a hit.

root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
 events: signature_match
 
root@dco:~$ nano zeekScripts-FTP.zeek
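 # Handler for Zeek's signature_match event, raised for any loaded signature
 # that carries an `event` action.  Only our own "ftp-admin" signature is
 # acted on; the hit is reported together with the connection that caused it.
 #   state - signature_state: sig_id of the matching signature, the connection, ...
 #   msg   - the message string given in the signature's `event` action
 #   data  - the payload chunk that matched the signature
 event signature_match (state: signature_state, msg: string, data: string)
 {
   # Ignore every other signature loaded on this sensor.
   if (state$sig_id != "ftp-admin")
     return;

   # Carry the connection 4-tuple so the hit can be tied back to conn.log
   # instead of being an unattributed line on stdout.
   print fmt("Signature hit! --> #FTP-Admin %s (%s)", state$conn$id, msg);
 }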
#signature script

root@dco:~$ nano ftp-admin.sig
 # Raises signature_match when an FTP command line contains "USER" followed
 # later by "admin".  The pattern matches substrings, so "USER administrator"
 # or a password containing "admin" on the same line also hits; expect some
 # false positives and confirm hits against ftp.log.
 signature ftp-admin {
   ip-proto == tcp
   # `ftp` content condition: evaluated on FTP command lines as seen by the
   # FTP analyzer, not on raw TCP payload.
   # NOTE(review): the regex is case-sensitive as written — a lowercase
   # "user admin" would not match; confirm this is intended.
   ftp /.*USER.*admin.*/
   # Delivered as the `msg` argument of the signature_match event handler.
   event "FTP Username Input Found!"
 }

LOCAL BASE SCRIPTS EVENT CORRELATION
