<p dir="ltr">No, I hadn't seen it. Thanks!</p>
<div class="cm_quote" style=" color: #787878">On Wed, Dec
30, 2015 at 3:53 AM, Peter Manev &lt;<a
href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>&gt;
wrote:</div><br><div id="oldcontent" style="background: rgb(255, 255,
255);"><blockquote style=""><p dir="ltr">On Tue, 2015-12-29 at 20:28 +0000,
Nasir Bilal wrote:
<br>
> Great. BTW the new TLS buffers work great! Here's an example of a
<br>
> working sample Lua script used to test the new functionality:
<br>
>
<br>
>
<br>
> Suricata Rule:
<br>
> ##############
<br>
>
<br>
> reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS SPORTS -
<br>
> DROPPED"; flow:established; luajit:bl_sports_https.lua; sid:10001008;
<br>
> rev:1;)
<br>
>
<br>
> ##############
<br>
>
<br>
> Lua Script: (bl_sports_https.lua)
<br>
> ##############
<br>
> function init (args)
<br>
> local needs = {}
<br>
> needs["tls.subject"] = tostring(true)
<br>
> return needs
<br>
> end
<br>
>
<br>
>
<br>
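> function match(args)
<br>
>     -- The list is re-read on every call, so close the handle before returning.
<br>
>     local file = assert(io.open("blacklists/sports/domains", "r"))
<br>
>     local current_url = tostring(args["tls.subject"])
<br>
>     local hit = 0
<br>
>     if #current_url > 0 then
<br>
>         for line in file:lines() do
<br>
>             -- Plain find: "." and "-" in a domain are not treated as Lua pattern
<br>
>             -- characters, and a blank line in the list cannot match everything.
<br>
>             if #line > 0 and current_url:find(line, 1, true) then
<br>
>                 hit = 1
<br>
>                 break
<br>
>             end
<br>
>         end
<br>
>     end
<br>
>     file:close()
<br>
>     return hit
<br>
> end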
<br>
> ##############
<br>
>
<br>
>
<br>
> NOTE: the "blacklists/sports/domains" file is just a flat text file
<br>
> containing all the pages we wish to block in this test.
<br>
>
<br>
>
<br>
> Regards,
<br>
> Nasir
<br>
>
<br>
> On Tue, Dec 29, 2015 at 12:40 PM Jason Ish &lt;lists@unx.ca&gt; wrote:
<br>
>
<br>
> On Tue, Dec 29, 2015 at 10:58 AM, Nasir Bilal
<br>
> &lt;bilalbox@gmail.com&gt; wrote:
<br>
> > Jason,
<br>
> >
<br>
> > Thanks, that's great! Yes, we should update the documentation. Is that
<br>
> > something anybody can do?
<br>
<br>
FYI (not sure if you have seen it) - There is some documentation here -
<br>
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#TLS
<br>
<br>
<br>
>
<br>
> Yes, I believe you just need an account on Redmine. The docs are
<br>
> migrating to Sphinx and updates will be handled with pull requests at
<br>
> some point in the hopefully near future. But for now I have a "watch"
<br>
> on the Wiki to migrate changes made by others.
<br>
>
<br>
> Jason
<br>
</p>
</blockquote></div>
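<p dir="ltr">Added example, not part of the original thread and not Suricata project code: a variant of the script quoted above that loads the list once into a set and matches the certificate CN on domain-label boundaries instead of by substring, so a list entry cannot match inside an unrelated name or another subject field. Assumptions: the subject string looks like "C=US, O=Example, CN=*.example.com", the Lua state persists between calls to match, and the helper names (load_list, subject_cn, is_blocked) are hypothetical.</p>

```lua
-- Added example. The list path is reused from the post; helper names are hypothetical.
local LIST_PATH = "blacklists/sports/domains"
local blocked = nil  -- cached set: domain -> true (assumes state persists per thread)

-- Read the flat file once into a set, trimming whitespace and skipping blank lines.
local function load_list(path)
    local set = {}
    local file = assert(io.open(path, "r"))
    for line in file:lines() do
        local domain = line:match("^%s*(.-)%s*$"):lower()
        if #domain > 0 then set[domain] = true end
    end
    file:close()
    return set
end

-- Extract the CN value from the subject (assumed "K=V, K=V" layout) and
-- drop a leading wildcard label such as "*.".
local function subject_cn(subject)
    local cn = subject:match("CN=([^,/]+)")
    if not cn then return nil end
    return (cn:lower():gsub("^%*%.", ""))
end

-- True if host, or any parent domain of host, is in the set.
-- "www.example.com" matches the entry "example.com"; "notexample.com" does not.
local function is_blocked(host, set)
    while host do
        if set[host] then return true end
        host = host:match("^[^.]+%.(.+)$")  -- strip the leftmost label
    end
    return false
end

function init(args)
    local needs = {}
    needs["tls.subject"] = tostring(true)
    return needs
end

function match(args)
    blocked = blocked or load_list(LIST_PATH)
    local cn = subject_cn(tostring(args["tls.subject"]))
    if cn and is_blocked(cn, blocked) then
        return 1
    end
    return 0
end
```

<p dir="ltr">Because the set is cached after the first call, edits to the list file take effect only after the rules are reloaded.</p>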