[Oisf-devel] Lua Buffer for IPv4 headers?

Nasir Bilal bilalbox at gmail.com
Tue May 17 04:24:51 UTC 2016


Victor,

Thanks for the confirmation of our fears! I have a couple of questions for
you:
1) We did go ahead and submit an FR (#1783) as can be seen here:
https://redmine.openinfosecfoundation.org/issues/1783
My question is, is this request properly written? What can we do to help
move this along as a non-dev?

2) I'd be interested in trying to decode the packet until a more elegant
and official solution is implemented. In what format is the packet encoded?
Are there any lua libraries that might be handy for decoding the packet and
extracting the header fields, such as this one?
https://nmap.org/nsedoc/lib/bin.html

Thanks!
Nasir

On Wed, May 11, 2016 at 12:00 PM, <oisf-devel-request at lists.openinfosecfoundation.org> wrote:

> Today's Topics:
>
>    1. Netflow data to Suricata (SiNA)
>    2. Re: Netflow data to Suricata (Victor Julien)
>    3. Re: Lua Buffer for IPv4 headers? (Victor Julien)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 10 May 2016 13:53:40 -0400
> From: SiNA <sina.rabbani at gmail.com>
> To: oisf-devel at lists.openinfosecfoundation.org
> Subject: [Oisf-devel] Netflow data to Suricata
> Message-ID: <CABiB2OPO4tmYO-u9buVrE=KMU9tE=D9vUKiSF2cNkXetBR7UQg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello!
>
> Is there any way to send Suricata netflow data and have them checked
> against a reputation feed for example?
>
> All the best,
> Sina
>
> ------------------------------
>
> Message: 2
> Date: Tue, 10 May 2016 23:16:01 +0200
> From: Victor Julien <victor at inliniac.net>
> To: oisf-devel at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-devel] Netflow data to Suricata
> Message-ID: <57324F91.3060009 at inliniac.net>
> Content-Type: text/plain; charset=utf-8
>
> On 10-05-16 19:53, SiNA wrote:
> > Is there any way to send Suricata netflow data and have them checked
> > against a reputation feed for example?
>
> No, Suricata needs a copy of the actual traffic, not something like
> netflow.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 10 May 2016 23:17:38 +0200
> From: Victor Julien <victor at inliniac.net>
> To: oisf-devel at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-devel] Lua Buffer for IPv4 headers?
> Message-ID: <57324FF2.6040801 at inliniac.net>
> Content-Type: text/plain; charset=utf-8
>
> On 10-05-16 01:46, Nasir Bilal wrote:
> > Hey Devs!
> >
> > We are looking for a way to expose the contents of the layer-3/IP
> > headers to our lua script. Based on this documentation
> > <https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting>,
> > It seems that we can only get granular HTTP headers. Are there buffers
> > available specific to the IP and TCP headers? For example, to get all
> > the HTTP header info, we'd need an init function like so:
> >
> > function init (args)
> >     local needs = {}
> >     needs["payload"] = tostring(true)
> >     return needs
> > end
> >
> > So, would we build something like:
> >
> > function init (args)
> >     local needs = {}
> >     needs["protocol"] = "ip"
> >     return needs
> > end
> >
> > Or
> >
> > function init (args)
> >     local needs = {}
> >     needs["ip.something"] = tostring(true)
> >     return needs
> > end
> >
> > In other words, is there a more comprehensive list of the buffers
> > available that includes ALL of those currently available in Suricata 3.0.1?
> >
>
> No, they are not. The closest thing is the 'packet' buffer, which gives
> you the raw packet including the headers. You could decode the packet
> yourself. Not ideal :)
>
> Feel free to open feature request tickets on the redmine site.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> ------------------------------
> ------------------------------
>
> End of Oisf-devel Digest, Vol 77, Issue 8
> *****************************************
>
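The approach Victor describes above (request the 'packet' buffer and decode the IPv4 header yourself) as a worked example. This is an added illustration, not code from the thread, from Nasir, or from the Suricata project. It assumes that the match function receives the raw packet as a Lua string of bytes in args["packet"], that the capture is plain Ethernet (optionally 802.1Q tagged) so the IPv4 header sits behind a 14-byte link-layer header, and that the Lua runtime is 5.1/LuaJIT, so all bit extraction is done with integer arithmetic rather than bitwise operators. The alert policy in match (low TTL or IP options present) is a placeholder chosen for the example; the sample packet at the end is constructed so the script can be run under a plain lua interpreter.

```lua
-- Added example: decode the IPv4 header out of Suricata's raw 'packet' buffer.
-- Assumptions (not stated in the thread): args["packet"] holds the raw frame
-- as captured, link layer included; capture is Ethernet (DLT_EN10MB).

local function u8(s, i)  return string.byte(s, i) end
local function u16(s, i) local a, b = string.byte(s, i, i + 1); return a * 256 + b end

-- Locate the start (1-based) of the L3 header behind an Ethernet header,
-- skipping any 802.1Q / 802.1ad tags. Returns offset and EtherType, or nil.
local function l3_offset(pkt)
  if #pkt < 14 then return nil end
  local off, etype = 15, u16(pkt, 13)
  while etype == 0x8100 or etype == 0x88a8 do
    if #pkt < off + 3 then return nil end
    etype = u16(pkt, off + 2)
    off = off + 4
  end
  return off, etype
end

-- Decode the fixed 20-byte IPv4 header starting at byte index `off`.
-- Returns a table, or nil plus a reason when the bytes are not a sane header.
local function decode_ipv4(pkt, off)
  if #pkt < off + 19 then return nil, "short" end
  local vihl = u8(pkt, off)
  local version, ihl = math.floor(vihl / 16), (vihl % 16) * 4
  if version ~= 4 then return nil, "not IPv4" end
  if ihl < 20 or #pkt < off + ihl - 1 then return nil, "bad IHL" end
  local flags_frag = u16(pkt, off + 6)
  return {
    ihl       = ihl,
    tos       = u8(pkt, off + 1),
    total_len = u16(pkt, off + 2),
    id        = u16(pkt, off + 4),
    df        = math.floor(flags_frag / 0x4000) % 2 == 1,  -- bit 14
    mf        = math.floor(flags_frag / 0x2000) % 2 == 1,  -- bit 13
    frag_off  = flags_frag % 0x2000,                       -- low 13 bits
    ttl       = u8(pkt, off + 8),
    proto     = u8(pkt, off + 9),
    checksum  = u16(pkt, off + 10),
    src       = string.format("%d.%d.%d.%d", string.byte(pkt, off + 12, off + 15)),
    dst       = string.format("%d.%d.%d.%d", string.byte(pkt, off + 16, off + 19)),
    options   = ihl > 20,
  }
end

-- Suricata entry points: ask for the raw packet, then decode it in match().
function init(args)
  local needs = {}
  needs["packet"] = tostring(true)
  return needs
end

-- Placeholder policy for the example: match on TTL below 5 or IP options present.
-- Suricata expects 1 for a match and 0 otherwise.
function match(args)
  local pkt = args["packet"]                 -- assumed: raw frame bytes
  if pkt == nil then return 0 end
  local off, etype = l3_offset(pkt)
  if off == nil or etype ~= 0x0800 then return 0 end
  local ip = decode_ipv4(pkt, off)
  if ip == nil then return 0 end
  if ip.ttl < 5 or ip.options then return 1 end
  return 0
end

-- Stand-alone check under a plain lua interpreter (`arg` is absent inside Suricata).
-- The frame below is constructed for the example: Ethernet + IPv4(TTL 2, DF, proto TCP).
if arg then
  local eth = string.char(0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00)
  local ip  = string.char(0x45,0x00, 0x00,0x28, 0x1c,0x46, 0x40,0x00, 0x02, 0x06, 0xb1,0xe6,
                          192,168,0,1, 10,0,0,7) .. string.rep("\0", 20)
  local hdr = decode_ipv4(eth .. ip, 15)
  print(hdr.src, hdr.dst, hdr.ttl, hdr.proto, hdr.df, match({packet = eth .. ip}))
end
```

Two caveats a practitioner would want: the link-layer offset depends on the capture method (a DLT_RAW or SLL capture has no 14-byte Ethernet header, so l3_offset must be adapted), and nothing here validates the header checksum or handles IPv6 (EtherType 0x86dd), which is why the script returns 0 rather than guessing when the EtherType is not 0x0800. The script is attached to a rule with the lua keyword in the usual way; the header fields it extracts can also be logged from an output script once the feature request in #1783 is not yet available.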