
I'm trying to learn Zeek signatures.

Signature file name: dns.sig

    signature dns-intel {
        ip-proto == udp
        dst-port == 53
        payload /.*life|.*bar/
        event "[Suspicious DNS Query]"
    }

Zeek file name: myfirst.zeek

    # Fires once for every signature match; state$sig_id carries the signature's id.
    event signature_match(state: signature_state, msg: string, data: string) {
        if ( state$sig_id == "dns-intel" ) {
            # conn$dns and dns$query are optional fields that only exist once the
            # DNS analyzer has populated them, so guard them before reading.
            if ( state$conn?$dns && state$conn$dns?$query )
                print fmt("[Suspicious DNS query] %s", state$conn$dns$query);
        }
    }

I'm getting an error: `line 5: rule defined twice`. What's the problem here?

  • The string `dns-intel` is the identifier of your signature, and for reasons not evident in the snippets you're showing above, Zeek is loading two signatures of that name. Try editing your code snippets so they're runnable, to allow others to reproduce — the above isn't syntactically correct. You can use https://try.zeek.org to point at a running example. – Christian Jun 18 '21 at 05:59

1 Answer

Signature ids have to be unique, based on your error code:

> error in line 5 : rule defined twice. what's the problem here ??

It might be the case that you have multiple signatures defined with the same id (`dns-intel`) in your dns.sig file.

Modifying your dns.sig file and making sure each signature has a unique id should fix the error.

I tested your signature and script on my local machine, and they run without issue.

– mchen
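A small pre-flight check for the duplicate-id problem discussed in this thread, added here as an example and not code from the question or the answer: it scans a .sig file for `signature <id> {` headers and reports every id defined more than once, with the line numbers, before Zeek has to reject the file. It assumes the usual signature layout with the opening brace on the header line and `#` comments; the embedded dns.sig text is a constructed sample.

```python
import re
import sys
from collections import defaultdict

# Constructed sample .sig file: two signatures accidentally share the id
# "dns-intel", which is what makes Zeek report "rule defined twice".
SAMPLE_SIG = """\
# dns.sig (constructed sample)
signature dns-intel {
    ip-proto == udp
    dst-port == 53
    payload /.*life|.*bar/
    event "[Suspicious DNS Query]"
}

signature dns-intel {
    ip-proto == udp
    dst-port == 53
    payload /.*evil/
    event "[Suspicious DNS Query 2]"
}
"""

# A signature block opens with "signature <id> {" (assumption: brace on the same line).
SIG_HEADER = re.compile(r"^\s*signature\s+([A-Za-z0-9_.-]+)\s*\{")


def signature_ids(text):
    """Return (id, line_number) for every signature header in a .sig file.
    Text after '#' is dropped first, so commented-out signatures are ignored;
    header lines never contain a regex, so stripping at '#' is safe for them."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SIG_HEADER.match(line.split("#", 1)[0])
        if m:
            found.append((m.group(1), lineno))
    return found


def duplicate_ids(text):
    """Map each id defined more than once to the lines where it appears."""
    seen = defaultdict(list)
    for sig_id, lineno in signature_ids(text):
        seen[sig_id].append(lineno)
    return {sig_id: lines for sig_id, lines in seen.items() if len(lines) > 1}


if __name__ == "__main__":
    # Check a real file if one is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIG
    for sig_id, lines in duplicate_ids(text).items():
        print(f"{sig_id}: defined {len(lines)} times (lines {lines})")
```

Run it as `python check_sig.py dns.sig`; an empty report means every id is unique and Zeek will not complain about the file for this reason.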