<div dir="ltr">I would like to pass back a uint32_t value that represents a value extracted from the protocol packet. <div><br></div><div>This uint32_t value is similar to a device-id; there exist many device-ids for each flow and I'd like the Suricata alert to be able to identify the offending device in the alert.</div><div><br></div><div>Thanks.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 12, 2014 at 11:13 AM, Victor Julien <span dir="ltr">&lt;<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>&gt;</span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 12/12/2014 04:37 PM, Adrian Falk wrote:<br>
> From an app layer pre-processor, when<br>
> AppLayerDecoderEventsSetEventRaw() is called, is it possible to add<br>
> a custom field into the decoder event? An example of a custom field<br>
> would be a field extracted from a packet that triggered the decoder<br>
> event that I would like to have show up in a Suricata alert.<br>
<br>
</span>No, it's just an id that the rule language uses to match an<br>
app-layer-event against. No other info is made available currently.<br>
<br>
What would you need to pass back?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div></div>