<div dir="auto">I started to write an app in Rust to take an ICAP feed and generate pcaps that could be replayed for analysis over an interface.  Let me see if I still have that code because it could definitely be used for this</div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jan 4, 2019, 19:09 Elena Bykovchenko <<a href="mailto:holgrain@protonmail.com">holgrain@protonmail.com</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>Hello. I want to make Suricata work with ICAP in a way that will allow it to analyze traffic from ICAP content as if it was normal HTTP traffic (so HTTP signatures would work). Suppose I have a custom parser for ICAP. How do I notify the engine that the ICAP request body should be parsed by HTTP parser next? Is it possible? I couldn't find any code that I could use for it. Sorry, the code base is extensive, I might have missed something._______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank" rel="noreferrer">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer noreferrer" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" rel="noreferrer noreferrer" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
<br>
</blockquote></div>