SIGNATURES

zeek supports signatures to find noteworthy activities on the network. zeek signatures use low-level pattern matching and cover conditions similar to Snort rules. unlike sort rules, zeek's rules which has a ".sig" extention are not the primary event detection point. zeek's scripting language can be used to chain multiple events to find an event of interest.

ZEEK SIGNATURE COMPONENTS

#running zeek signature against a PCAP
root@dco:~$ zeek -C -r sample.pcap -s sample.sig
 * -C is used to ignore checksum errors.
 * -r is used for reading pcap file.
 * -s is used to supply the signature file.