<div dir="ltr">Jason,<div><br></div><div>Thanks, that's great! Yes, we should update the documentation. Is that something anybody can do?</div><div><br></div><div>Regards,</div><div>Nasir</div><div dir="ltr"><br><div class="gmail_quote"><div dir="ltr">On Tue, Dec 29, 2015 at 11:54 AM Jason Ish &lt;<a href="mailto:lists@unx.ca" target="_blank">lists@unx.ca</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Nasir,<br>
<br>
See below...<br>
<br>
On Sun, Dec 27, 2015 at 11:25 PM, Nasir Bilal &lt;<a href="mailto:bilalbox@gmail.com" target="_blank">bilalbox@gmail.com</a>&gt; wrote:<br>
> Hey Devs!<br>
><br>
> I wanted to throw an idea out there to see if anyone knows if this idea is<br>
> already in the works or even feasible. On our Lua scripting page, we<br>
> currently support the following buffers:<br>
><br>
> packet -- entire packet, including headers<br>
> payload -- packet payload (not stream)<br>
> http.uri<br>
> http.uri.raw<br>
> http.request_line<br>
> http.request_headers<br>
> http.request_headers.raw<br>
> http.request_cookie<br>
> http.request_user_agent<br>
> http.request_body<br>
> http.response_headers<br>
> http.response_headers.raw<br>
> http.response_body<br>
> http.response_cookie<br>
><br>
> Ref:<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting</a><br>
><br>
> Would it be possible to register any new buffers to this list? In<br>
> particular, how do you think we could go about adding some TLS keywords:<br>
> tls.version<br>
> tls.subject<br>
> tls.issuerdn<br>
> tls.fingerprint<br>
><br>
> Ref:<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords</a><br>
><br>
> These would open up a lot of power for scripting complex detections of<br>
> TLS-related attacks and exploits.<br>
<br>
Looks like the 3.0RCs have these already; see this commit for more detail:<br>
<br>
<a href="https://github.com/inliniac/suricata/commit/371648a8c61e93b42f74263bcedb9d1b8b1af354" rel="noreferrer" target="_blank">https://github.com/inliniac/suricata/commit/371648a8c61e93b42f74263bcedb9d1b8b1af354</a><br>
<br>
Looks like the documentation there may need to catch up.<br>
<br>
Jason<br>
</blockquote></div></div></div>