List: oisf-users
Subject: Re: [Oisf-users] EXTERNAL: Re: Luajit access to entire reassembled payload?
From: "Rasmor, Zachary R" <zachary.r.rasmor () lmco ! com>
Date: 2016-03-31 16:46:05
Message-ID: 508F9BE7E8F6304594B421F1BB07841814CA3934 () HVXDSP25 ! us ! lmco ! com
I thought that might be the answer, just making sure! I'll familiarize myself with the code and hopefully open a PR soon!
________________________
Zach Rasmor
Email: zachary.r.rasmor@lmco.com
Office: 301.240.6116
-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces@lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Thursday, March 31, 2016 10:53 AM
To: oisf-users@lists.openinfosecfoundation.org
Subject: EXTERNAL: Re: [Oisf-users] Luajit access to entire reassembled payload?
On 30-03-16 20:27, Rasmor, Zachary R wrote:
> I am wondering if there is support for accessing the entire
> reassembled payload from a luajit script, similar to what you would
> find in the 'payload_printable' value within an alert in the eve.json
> (if the alert fired against the stream). I would like to call a luajit
> script from an 'only_stream' rule and access the entire reassembled payload.
>
> I originally thought this could be accomplished through
> 'needs['payload']', but through testing and reviewing the
> documentation, I'm thinking this is only valid for individual packet payloads.
Depends on the purpose. There is logging-only support for the streaming data, both for tcp data and http body data (after normalization):
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#Streaming-Data
To get access to the stream data similar to the eve 'payload_printable'
from alert output, you'll have to add support for it in the code. I'd be happy to take a PR for that :)
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
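Added example, not code from this thread or from the Suricata project: a Lua *output* script (the logging-only streaming support Victor points to, not a rule-side `luajit` keyword script) that receives reassembled TCP data chunk by chunk and stitches each direction of a flow back into one string before writing it out, which is the closest logging-side equivalent of the `payload_printable` field Zach asked about. The callback and helper names (`init`, `setup`, `log`, `deinit`, `SCStreamingBuffer`, `SCFlowTuple`, `SCLogPath`, `SCLogInfo`) follow the Lua_Output wiki page linked in the reply; the output file name, the per-direction buffering, the size cap and the printable-filter are this example's own assumptions.

```lua
-- Added example (not from the thread or the Suricata project).
-- Streaming Lua output script: log() is called once per consecutive
-- reassembled chunk; sb_open/sb_close mark the first/last chunk of a
-- stream direction, sb_ts/sb_tc say which direction the chunk belongs to.

local MAX_BYTES = 1024 * 1024   -- assumed cap per direction; a long-lived
                                -- stream would otherwise grow the buffer
                                -- for as long as the flow stays open

function init(args)
    local needs = {}
    needs["type"] = "streaming"
    needs["filter"] = "tcp"      -- "http" delivers normalized HTTP bodies instead
    return needs
end

function setup(args)
    filename = SCLogPath() .. "/tcp-stream-dump.log"   -- assumed file name
    file = assert(io.open(filename, "a"))
    buffers = {}                 -- key: flow tuple + direction, value: chunks so far
    SCLogInfo("tcp-stream-dump: writing to " .. filename)
end

-- Identify one direction of one flow (assumed key format).
local function stream_key(sb_ts)
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    local dir = sb_ts and "ts" or "tc"
    return string.format("%s:%d->%s:%d/%s", srcip, sp, dstip, dp, dir)
end

-- Roughly what eve's payload_printable does: keep printable ASCII plus
-- CR/LF, replace every other byte with '.' (assumption about eve's exact rule).
local function printable(s)
    return (s:gsub("[^ -~\r\n]", "."))
end

function log(args)
    local data, sb_open, sb_close, sb_ts, sb_tc = SCStreamingBuffer()
    local key = stream_key(sb_ts)

    if sb_open or buffers[key] == nil then
        buffers[key] = { parts = {}, size = 0, truncated = false }
    end
    local b = buffers[key]

    if data ~= nil and #data > 0 then
        if b.size + #data <= MAX_BYTES then
            table.insert(b.parts, data)
            b.size = b.size + #data
        else
            b.truncated = true   -- keep what we have, drop the rest of this direction
        end
    end

    if sb_close then
        -- The whole reassembled direction is now available as one string.
        local whole = table.concat(b.parts)
        file:write(string.format("=== %s bytes=%d truncated=%s ===\n",
                                 key, b.size, tostring(b.truncated)))
        file:write(printable(whole), "\n")
        file:flush()
        buffers[key] = nil       -- release memory once this direction closes
    end
end

function deinit(args)
    SCLogInfo("tcp-stream-dump: closing")
    file:close()
end
```

The script is enabled from the `outputs:` section of suricata.yaml under `- lua:` (`scripts-dir` plus the script file name), so it runs for every TCP stream Suricata reassembles, not only for flows that hit a rule. Two caveats worth keeping in mind: the per-direction buffer is what makes "entire payload" possible, so a cap like `MAX_BYTES` is not optional on a busy sensor, and a flow whose direction never closes cleanly is only flushed when `sb_close` arrives, so the data for half-open streams stays in memory until the flow times out.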