<div dir="ltr">Victor,<div><br></div><div>Thanks for the confirmation of our fears! I have a couple of questions for you:</div><div>1) We did go ahead and submit an FR (#1783) as can be seen here:</div><div><a href="https://redmine.openinfosecfoundation.org/issues/1783">https://redmine.openinfosecfoundation.org/issues/1783</a></div><div>My question is, is this request properly written? What can we do to help move this along as a non-dev?</div><div><br></div><div>2) I'd be interested in trying to decode the packet until a more elegant and official solution is implemented. In what format is the packet encoded? Are there any Lua libraries that might be handy for decoding the packet and extracting the header fields, such as this one?</div><div><a href="https://nmap.org/nsedoc/lib/bin.html">https://nmap.org/nsedoc/lib/bin.html</a></div><div><br></div><div>Thanks!</div><div>Nasir<br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 11, 2016 at 12:00 PM,  <span dir="ltr"><<a href="mailto:oisf-devel-request@lists.openinfosecfoundation.org" target="_blank">oisf-devel-request@lists.openinfosecfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Send Oisf-devel mailing list submissions to<br>
        <a href="mailto:oisf-devel@lists.openinfosecfoundation.org">oisf-devel@lists.openinfosecfoundation.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
        <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
or, via email, send a message with subject or body 'help' to<br>
        <a href="mailto:oisf-devel-request@lists.openinfosecfoundation.org">oisf-devel-request@lists.openinfosecfoundation.org</a><br>
<br>
You can reach the person managing the list at<br>
        <a href="mailto:oisf-devel-owner@lists.openinfosecfoundation.org">oisf-devel-owner@lists.openinfosecfoundation.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Oisf-devel digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
   1. Netflow data to Suricata (SiNA)<br>
   2. Re: Netflow data to Suricata (Victor Julien)<br>
   3. Re: Lua Buffer for IPv4 headers? (Victor Julien)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 10 May 2016 13:53:40 -0400<br>
From: SiNA <<a href="mailto:sina.rabbani@gmail.com">sina.rabbani@gmail.com</a>><br>
To: <a href="mailto:oisf-devel@lists.openinfosecfoundation.org">oisf-devel@lists.openinfosecfoundation.org</a><br>
Subject: [Oisf-devel] Netflow data to Suricata<br>
Message-ID:<br>
        <CABiB2OPO4tmYO-u9buVrE=KMU9tE=<a href="mailto:D9vUKiSF2cNkXetBR7UQg@mail.gmail.com">D9vUKiSF2cNkXetBR7UQg@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hello!<br>
<br>
Is there any way to send Suricata netflow data and have them checked<br>
against a reputation feed for example?<br>
<br>
All the best,<br>
Sina<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20160510/f6728763/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20160510/f6728763/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 10 May 2016 23:16:01 +0200<br>
From: Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>><br>
To: <a href="mailto:oisf-devel@lists.openinfosecfoundation.org">oisf-devel@lists.openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-devel] Netflow data to Suricata<br>
Message-ID: <<a href="mailto:57324F91.3060009@inliniac.net">57324F91.3060009@inliniac.net</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 10-05-16 19:53, SiNA wrote:<br>
> Is there any way to send Suricata netflow data and have them checked<br>
> against a reputation feed for example?<br>
<br>
No, Suricata needs a copy of the actual traffic, not something like netflow.<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Tue, 10 May 2016 23:17:38 +0200<br>
From: Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>><br>
To: <a href="mailto:oisf-devel@lists.openinfosecfoundation.org">oisf-devel@lists.openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-devel] Lua Buffer for IPv4 headers?<br>
Message-ID: <<a href="mailto:57324FF2.6040801@inliniac.net">57324FF2.6040801@inliniac.net</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 10-05-16 01:46, Nasir Bilal wrote:<br>
> Hey Devs!<br>
><br>
> We are looking for a way to expose the contents of the layer-3/IP<br>
> headers to our lua script. Based on this documentation<br>
> <<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting</a>>,<br>
> It seems that we can only get granular HTTP headers. Are there buffers<br>
> available specific to the IP and TCP headers? For example, to get all<br>
> the HTTP header info, we'd need an init function like so:<br>
><br>
> function init (args)<br>
>     local needs = {}<br>
>     needs["payload"] = tostring(true)<br>
>     return needs<br>
> end<br>
><br>
> So, would we build something like:<br>
><br>
> function init (args)<br>
>     local needs = {}<br>
>     needs["protocol"] = "ip"<br>
>     return needs<br>
> end<br>
><br>
> Or<br>
><br>
> function init (args)<br>
>     local needs = {}<br>
>     needs["ip.something"] = tostring(true)<br>
>     return needs<br>
> end<br>
><br>
> In other words, is there a more comprehensive list of the buffers<br>
> available that includes ALL of those currently available in Suricata 3.0.1?<br>
><br>
<br>
No, they are not. The closest thing is the 'packet' buffer, which gives<br>
you the raw packet including the headers. You could decode the packet<br>
yourself. Not ideal :)<br>
<br>
Feel free to open feature request tickets on the redmine site.<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
Oisf-devel mailing list<br>
<a href="mailto:Oisf-devel@lists.openinfosecfoundation.org">Oisf-devel@lists.openinfosecfoundation.org</a><br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
<br>
------------------------------<br>
<br>
End of Oisf-devel Digest, Vol 77, Issue 8<br>
*****************************************<br>
</blockquote></div><br></div></div></div>
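<div>An added example, not code from this thread or from the Suricata project: a plain-Lua decoder for the raw 'packet' buffer Victor points to, pulling out the IPv4 header fields (and the TCP/UDP ports and TCP flags) without any external library, since the nmap bin library is an NSE-only module that Suricata's Lua does not ship. It assumes the buffer starts either with an Ethernet frame or directly with the IPv4 header, that Suricata hands it to match() as args["packet"] (by analogy with the 'payload' convention in the quoted message), and it uses only string.byte and arithmetic so it runs under the Lua 5.1/LuaJIT that Suricata embeds as well as under a standalone interpreter. The sample packet and the alert condition at the bottom are constructed for illustration only.</div>

```lua
-- Added example (not Suricata's own code): decode IPv4/TCP/UDP headers
-- from the raw 'packet' buffer using only string.byte, so it works on
-- Lua 5.1 / LuaJIT (no string.unpack, no bit library required).

-- big-endian 16-bit integer at 1-based offset i
local function u16(s, i)
  local a, b = s:byte(i, i + 1)
  return a * 256 + b
end

local function ipv4_str(s, i)
  return string.format("%d.%d.%d.%d", s:byte(i, i + 3))
end

-- Assumption: buffer begins with an Ethernet frame (EtherType 0x0800 at
-- bytes 13-14) or directly with an IPv4 header; other link layers -> nil.
local function ipv4_offset(pkt)
  if #pkt >= 14 and u16(pkt, 13) == 0x0800 then return 15 end
  if #pkt >= 20 and math.floor(pkt:byte(1) / 16) == 4 then return 1 end
  return nil
end

-- Returns a table of header fields, or nil plus an error string.
-- Every read is length-checked: the buffer is attacker-controlled input.
function decode_ipv4(pkt)
  local off = ipv4_offset(pkt)
  if not off then return nil, "no IPv4 header found" end
  if #pkt < off + 19 then return nil, "truncated IPv4 header" end
  local vhl = pkt:byte(off)
  local version, ihl = math.floor(vhl / 16), (vhl % 16) * 4
  if version ~= 4 or ihl < 20 then return nil, "bad version/IHL" end
  if #pkt < off + ihl - 1 then return nil, "truncated IPv4 options" end

  local flags_frag = u16(pkt, off + 6)
  local hdr = {
    ihl       = ihl,
    tos       = pkt:byte(off + 1),
    total_len = u16(pkt, off + 2),
    id        = u16(pkt, off + 4),
    df        = math.floor(flags_frag / 0x4000) % 2 == 1,
    mf        = math.floor(flags_frag / 0x2000) % 2 == 1,
    frag_off  = flags_frag % 0x2000,   -- in 8-byte units
    ttl       = pkt:byte(off + 8),
    proto     = pkt:byte(off + 9),
    checksum  = u16(pkt, off + 10),
    src       = ipv4_str(pkt, off + 12),
    dst       = ipv4_str(pkt, off + 16),
  }
  -- Only the first fragment carries the transport header; later fragments
  -- start mid-payload, so ports must not be read from them.
  local t = off + ihl
  if hdr.frag_off == 0 and (hdr.proto == 6 or hdr.proto == 17) and #pkt >= t + 3 then
    hdr.sport, hdr.dport = u16(pkt, t), u16(pkt, t + 2)
    if hdr.proto == 6 and #pkt >= t + 13 then
      hdr.tcp_flags = pkt:byte(t + 13)  -- TCP flags byte (0x02 == SYN)
    end
  end
  return hdr
end

-- Suricata glue: request the raw packet, decode it in match().
function init(args)
  local needs = {}
  needs["packet"] = tostring(true)
  return needs
end

-- Hypothetical condition chosen to exercise the decoder: a TCP SYN to
-- port 80 with a very low TTL (a classic insertion-evasion probe pattern).
function match(args)
  local pkt = args["packet"]
  if pkt == nil then return 0 end
  local h = decode_ipv4(tostring(pkt))
  if h and h.proto == 6 and h.dport == 80 and h.tcp_flags == 0x02 and h.ttl <= 5 then
    return 1
  end
  return 0
end

-- Constructed sample for running outside Suricata: Ethernet + IPv4 (DF set,
-- TTL 64, 10.0.0.1 -> 192.168.1.2) + TCP SYN 12345 -> 80, checksums zeroed.
local function hex(s)
  return (s:gsub("%x%x", function(h) return string.char(tonumber(h, 16)) end))
end
local SAMPLE = hex("ffffffffffff" .. "001122334455" .. "0800" ..
  "4500002812344000400600000a000001c0a80102" ..
  "3039005000000001000000005002200000000000")

if not SURICATA_SELFTEST_SKIP then
  local h = assert(decode_ipv4(SAMPLE))
  assert(h.src == "10.0.0.1" and h.dst == "192.168.1.2" and h.ttl == 64)
  assert(h.df and not h.mf and h.proto == 6 and h.sport == 12345 and h.dport == 80)
  assert(h.tcp_flags == 0x02 and h.total_len == 40)
end
```

<div>Run it with a standalone lua interpreter to exercise the self-checks; under Suricata only init() and match() matter, and the decoder is reused unchanged. Two caveats worth keeping in mind when replacing this with the proper buffers once the feature request lands: the link-layer detection here is a heuristic, and nothing in this script validates the IP checksum, so it reports what the bytes claim, not what Suricata's own decoder concluded about them.</div>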