[Oisf-devel] Add custom field to a decoder event?

Adrian Falk adrianfalk2 at gmail.com
Wed Jan 7 17:18:54 UTC 2015


True. May be cumbersome if device-ids are of a dynamic nature and not
always known ahead of time.

Thanks.

On Wed, Jan 7, 2015 at 4:35 AM, Victor Julien <victor at inliniac.net> wrote:

> On 12/12/2014 07:18 PM, Adrian Falk wrote:
> > I would like to pass back a uint32_t value that represents a value
> > extracted from the protocol packet.
> >
> > This uint32_t value is similar to a device-id; there exist many
> > device-ids for each flow and I'd like the Suricata alert to be able to
> > identify the offending device in the alert.
>
> An alternative approach would be to create a rule keyword for the
> device-ids and then create rules that have both the decoder-event
> keyword and the 'device-ids' keyword.
>
> Cheers,
> Victor
>
> > Thanks.
> >
> > On Fri, Dec 12, 2014 at 11:13 AM, Victor Julien <victor at inliniac.net
> > <mailto:victor at inliniac.net>> wrote:
> >
> >     On 12/12/2014 04:37 PM, Adrian Falk wrote:
> >     >     From an app layer pre-processor, when
> >     >     AppLayerDecoderEventsSetEventRaw() is called, is it possible to add
> >     >     a custom field into the decoder event? An example of a custom field
> >     >     would be a field extracted from a packet that triggered the decoder
> >     >     event that I would like to have show up in a Suricata alert.
> >
> >     No, it's just an id that the rule language uses to match an
> >     app-layer-event against. No other info is made available currently.
> >
> >     What would you need to pass back?
> >
> >     --
> >     ---------------------------------------------
> >     Victor Julien
> >     http://www.inliniac.net/
> >     PGP: http://www.inliniac.net/victorjulien.asc
> >     ---------------------------------------------
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
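What Victor's suggestion looks like in rule form, as an added illustration that is not part of the thread: `app-layer-event` is Suricata's real keyword for matching a decoder/app-layer event id, while `myproto.device_id` and the event name `myproto.bad_command` are hypothetical placeholders for the keyword a developer would have to implement and register. One rule per device-id is needed, which is the cumbersome part Adrian points out when the ids are not known in advance.

```suricata
# Hypothetical protocol "myproto"; the event id alone says nothing about the device.
# Without a device-id keyword, this single rule cannot tell the analyst which device sent the bad command:
alert tcp any any -> any any (msg:"myproto bad command (device unknown)"; \
    app-layer-event:myproto.bad_command; sid:1000001; rev:1;)

# With a (hypothetical) myproto.device_id keyword, the device can be named in the alert,
# but only for ids that were known when the rules were written:
alert tcp any any -> any any (msg:"myproto bad command from device 17"; \
    app-layer-event:myproto.bad_command; myproto.device_id:17; sid:1000017; rev:1;)
alert tcp any any -> any any (msg:"myproto bad command from device 42"; \
    app-layer-event:myproto.bad_command; myproto.device_id:42; sid:1000042; rev:1;)
```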