I'm trying to learn Zeek signatures.
Signature file name: dns.sig
    signature dns-intel {
        ip-proto == udp
        dst-port == 53
        payload /.*life|.*bar/
        event "[Suspicious DNS Query]"
    }
Zeek file name: myfirst.zeek
    # Fires once per signature match; state$conn is the matching connection
    event signature_match(state: signature_state, msg: string, data: string) {
        if (state$sig_id == "dns-intel") {
            print fmt("[Suspicious DNS query] %s", state$conn$dns$query);
        }
    }
I'm getting an error on line 5: rule defined twice. What's the problem here?
Signature IDs have to be unique. Based on your error message, it might be the case that you have multiple signatures defined with the same ID (dns-intel) in your dns.sig file. Modifying your dns.sig file and making sure each signature has a unique ID should fix the error.
I tested your signature and script on my local machine and can run without issue.
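As an added illustration of the answer above (not code from the original post), here are the two files rewritten so that every signature carries a distinct ID, together with a handler that guards the DNS fields. The signature names dns-intel-life and dns-intel-bar, the suspicious_sigs set, and the file paths are my own assumptions; the `@load-sigs` directive, `c?$dns`, `c$dns?$query` and `c$id$orig_h` are standard Zeek. Both files are shown in one block, separated by comments.

```zeek
# ---------------- dns.sig (assumed file name) ----------------
# One signature per pattern, each with its own unique ID. Defining two
# "signature dns-intel { ... }" blocks in the same file is exactly what
# produces "rule defined twice".
#
# signature dns-intel-life {
#     ip-proto == udp
#     dst-port == 53
#     payload /.*life/
#     event "[Suspicious DNS Query] life"
# }
#
# signature dns-intel-bar {
#     ip-proto == udp
#     dst-port == 53
#     payload /.*bar/
#     event "[Suspicious DNS Query] bar"
# }

# ---------------- myfirst.zeek (assumed file name) ----------------
@load base/protocols/dns
@load-sigs ./dns.sig

# Assumed: the set of signature IDs this handler reports on.
const suspicious_sigs: set[string] = { "dns-intel-life", "dns-intel-bar" };

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id !in suspicious_sigs )
        return;

    local c = state$conn;

    # c$dns is only filled in once the DNS analyzer has parsed the request,
    # and c$dns$query is &optional, so check both before dereferencing.
    if ( c?$dns && c$dns?$query )
        print fmt("%s sig=%s query=%s orig=%s", msg, state$sig_id,
                  c$dns$query, c$id$orig_h);
    else
        print fmt("%s sig=%s orig=%s (no parsed query yet, %d payload bytes)",
                  msg, state$sig_id, c$id$orig_h, state$payload_size);
    }
```

Run it against a capture with `zeek -r traffic.pcap myfirst.zeek`; if the `.sig` file still contained two blocks named the same, Zeek would refuse to load it with the same "rule defined twice" message, so the unique IDs are the actual fix and the `?$` checks only stop the handler from crashing on a connection whose DNS record is not populated yet.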