[Oisf-devel] http.response_body and Luajit
Chris Wakelin
c.d.wakelin at reading.ac.uk
Mon Dec 10 10:10:21 UTC 2012
Hi,
Is there a limit to the size of the http.response_body string passed to
Lua in a luajit sig? I've been trying to match exploit kit Java archives
that contain the payload in the jar, which makes them rather larger than
usual.
To do this I dump the response body as a tmpfile and then process it
with luazip:
local zip = require("zip")          -- luazip; needed before zip.open below
t = tostring(args["http.response_body"])
tmpname = os.tmpname()
tmp = io.open(tmpname,'wb')         -- binary mode: a jar is not text
tmp:write(t)
tmp:close()
z = zip.open(tmpname)               -- returns nil if the archive is incomplete
which is working well for "normal" size exploit jars, but it seems the
jars get truncated when larger than about 33-35k. They get stored
properly using filestore.
I have "response-body-limit: 1048576" in the suricata.yaml file.
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
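A way to confirm whether the body is being cut before it reaches Lua, as an added example that is not part of the original post or of Suricata's own code. It follows the same tmpfile-plus-luazip approach but records the byte count Lua actually sees, and cleans the temp file up afterwards. It assumes the Suricata Lua script convention of init() returning the needed buffers and match() returning 1 or 0, that print() output lands on Suricata's stdout, and luazip's zip.open / zfile:files() / zfile:close() with a filename field on each entry; the payload check at the end is a placeholder for the poster's own detection logic.

```lua
-- Added example, not from the original post or the Suricata project.
local zip = require("zip")

function init(args)
    -- Ask Suricata for the HTTP response body only (assumed API shape).
    local needs = {}
    needs["http.response_body"] = tostring(true)
    return needs
end

-- Write the body to a temp file; return the path and the byte count.
local function dump_body(body)
    local path = os.tmpname()
    local fh = assert(io.open(path, "wb"))   -- binary mode, the body is a jar
    fh:write(body)
    fh:close()
    return path, #body
end

-- Return the entry names of the archive, or nil if luazip cannot open it.
-- The ZIP central directory sits at the END of the file, so a body that was
-- truncated on the way into Lua fails right here rather than later.
local function list_entries(path)
    local zf = zip.open(path)
    if not zf then return nil end
    local names = {}
    for entry in zf:files() do          -- assumption: entries expose .filename
        names[#names + 1] = entry.filename
    end
    zf:close()
    return names
end

function match(args)
    local body = tostring(args["http.response_body"])
    -- Diagnostic: compare this with the size filestore wrote to disk. A
    -- consistently smaller number here means Lua received a cut-down buffer.
    print("http.response_body bytes seen by lua: " .. #body)

    local path, n = dump_body(body)
    local entries = list_entries(path)
    os.remove(path)                     -- never leave the body lying in /tmp

    if not entries then
        print("zip open failed after " .. n .. " bytes; body may be truncated")
        return 0
    end

    -- Placeholder for the real check: here, any .class entry counts as a hit.
    for _, name in ipairs(entries) do
        if name:match("%.class$") then return 1 end
    end
    return 0
end
```

Running this against a download that filestore saved in full, and comparing the two sizes, separates an http.response_body buffering limit from a luazip problem: if Lua reports roughly 33 to 35 KB for a file filestore stored whole, the cut happens before the script ever runs.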