[Oisf-devel] Add custom field to a decoder event?

Victor Julien victor at inliniac.net
Wed Jan 7 09:35:12 UTC 2015


On 12/12/2014 07:18 PM, Adrian Falk wrote:
> I would like to pass back a uint32_t value that represents a value
> extracted from the protocol packet.
> 
> This uint32_t value is similar to a device-id; there exist many
> device-ids for each flow and I'd like the Suricata alert to be able to
> identify the offending device in the alert.

An alternative approach would be to create a rule keyword for the
device-ids and then create rules that have both the decoder-event
keyword and the 'device-ids' keyword.

Cheers,
Victor

> Thanks.
> 
> On Fri, Dec 12, 2014 at 11:13 AM, Victor Julien <victor at inliniac.net> wrote:
> 
>     On 12/12/2014 04:37 PM, Adrian Falk wrote:
>     >     From an app layer pre-processor, when
>     >     AppLayerDecoderEventsSetEventRaw() is called, is it possible to add
>     >     a custom field into the decoder event? An example of a custom field
>     >     would be a field extracted from a packet that triggered the decoder
>     >     event that I would like to have show up in a Suricata alert.
> 
>     No, it's just an id that the rule language uses to match an
>     app-layer-event against. No other info is made available currently.
> 
>     What would you need to pass back?
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
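The two-keyword approach Victor suggests above, shown in Suricata rule syntax as an added illustration (this is not code from the thread or from the Suricata project). The protocol name `myproto` and the event name `malformed_header` are placeholders, and `device_id` is a hypothetical keyword that would still have to be implemented as a detection keyword before rules like these would load; `app-layer-event` is the existing keyword that matches decoder events by id.

```suricata
# Added example, not from the thread. "myproto" and "malformed_header" are
# placeholders; "device_id" is a hypothetical keyword that must be implemented.

# One rule per device of interest: the decoder event alone identifies the
# parsing problem, the device_id keyword narrows it to a specific device.
alert myproto any any -> any any (msg:"MYPROTO malformed header from device 4711"; app-layer-event:myproto.malformed_header; device_id:4711; classtype:protocol-command-decode; sid:1000001; rev:1;)

alert myproto any any -> any any (msg:"MYPROTO malformed header from device 4712"; app-layer-event:myproto.malformed_header; device_id:4712; classtype:protocol-command-decode; sid:1000002; rev:1;)

# Catch-all for the same decoder event from any device not listed above;
# it fires for any device id, but the alert cannot report which one.
alert myproto any any -> any any (msg:"MYPROTO malformed header, unlisted device"; app-layer-event:myproto.malformed_header; classtype:protocol-command-decode; sid:1000003; rev:1;)
```

The trade-off is visible in the example: a keyword matches a value rather than extracting it, so identifying the device in the alert means writing a signature per device id (the `msg` carries the identification), while a catch-all rule covers the rest without naming the device.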
