[Oisf-devel] Add custom field to a decoder event?

Adrian Falk adrianfalk2 at gmail.com
Fri Dec 12 18:18:53 UTC 2014


I would like to pass back a uint32_t value that represents a value
extracted from the protocol packet.

This uint32_t value is similar to a device-id; there exist many device-ids
for each flow and I'd like the Suricata alert to be able to identify the
offending device in the alert.

Thanks.

On Fri, Dec 12, 2014 at 11:13 AM, Victor Julien <victor at inliniac.net> wrote:
>
> On 12/12/2014 04:37 PM, Adrian Falk wrote:
> >     From an app layer pre-processor, when
> >     AppLayerDecoderEventsSetEventRaw() is called, is it possible to add
> >     a custom field into the decoder event? An example of a custom field
> >     would be a field extracted from a packet that triggered the decoder
> >     event that I would like to have show up in a Suricata alert.
>
> No, it's just an id that the rule language uses to match an
> app-layer-event against. No other info is made available currently.
>
> What would you need to pass back?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
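The point Victor makes above (a decoder event is only an id, so any value pulled out of the packet has to be kept somewhere else if an alert is to report it) is easier to see with a small stand-alone model. The following is an added example written for this page; it is not Suricata's code and does not use Suricata's headers. The wire format, the struct and function names (ToyEventsSetRaw, ToyParse, ToyEventMatch, ToyAlertDeviceId) and the rule that device-id 0 or all-ones is invalid are all assumptions made up for the example; the constructed packets are sample input, not captured traffic.

```c
/* Toy model of app-layer decoder events (added example; not Suricata's code).
 * The event list holds bare uint8_t ids, which is all a call like
 * AppLayerDecoderEventsSetEventRaw() records, so a value extracted from the
 * packet (here a device-id) has to live in the parser's own per-flow state if
 * an alert is to report it. Wire format, names and policy are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_MAX_EVENTS 8

/* Event ids a rule would match with app-layer-event:toy.<name> (assumed names). */
enum ToyEvent {
    TOY_EVENT_SHORT_HEADER = 1,
    TOY_EVENT_BAD_MAGIC    = 2,
    TOY_EVENT_BAD_DEVICE   = 3,
};

/* Shape of a decoder-event list: ids only, no payload. */
typedef struct {
    uint8_t events[TOY_MAX_EVENTS];
    uint8_t cnt;
} ToyDecoderEvents;

/* Parser-owned per-flow state: the only place an extracted value can live. */
typedef struct {
    ToyDecoderEvents events;
    uint32_t last_device_id;      /* device-id from the last packet parsed      */
    uint32_t offending_device_id; /* device-id that raised TOY_EVENT_BAD_DEVICE */
} ToyFlowState;

/* Analogue of "set event raw": append an id to the list, nothing else. */
static void ToyEventsSetRaw(ToyDecoderEvents *ev, uint8_t event)
{
    if (ev->cnt < TOY_MAX_EVENTS)
        ev->events[ev->cnt++] = event;
}

/* Constructed wire format: magic 0xD0 0x0D, 4-byte big-endian device-id, 1-byte type.
 * Returns 0 on success, -1 when a decoder event was raised. */
static int ToyParse(ToyFlowState *st, const uint8_t *buf, size_t len)
{
    if (len < 7) {
        ToyEventsSetRaw(&st->events, TOY_EVENT_SHORT_HEADER);
        return -1;
    }
    if (buf[0] != 0xD0 || buf[1] != 0x0D) {
        ToyEventsSetRaw(&st->events, TOY_EVENT_BAD_MAGIC);
        return -1;
    }
    uint32_t dev = ((uint32_t)buf[2] << 24) | ((uint32_t)buf[3] << 16) |
                   ((uint32_t)buf[4] << 8)  |  (uint32_t)buf[5];
    st->last_device_id = dev;
    /* Assumed policy for the example: device-id 0 and all-ones are reserved. */
    if (dev == 0 || dev == UINT32_MAX) {
        st->offending_device_id = dev;   /* stash it; the event cannot carry it */
        ToyEventsSetRaw(&st->events, TOY_EVENT_BAD_DEVICE);
        return -1;
    }
    return 0;
}

/* What the rule language can do with the list: compare ids. */
static int ToyEventMatch(const ToyDecoderEvents *ev, uint8_t wanted)
{
    for (uint8_t i = 0; i < ev->cnt; i++)
        if (ev->events[i] == wanted)
            return 1;
    return 0;
}

/* An alert logger that wants the device-id has to read it from flow state.
 * Returns 1 and fills *out when a BAD_DEVICE event is present, else 0. */
static int ToyAlertDeviceId(const ToyFlowState *st, uint32_t *out)
{
    if (!ToyEventMatch(&st->events, TOY_EVENT_BAD_DEVICE))
        return 0;
    *out = st->offending_device_id;
    return 1;
}

int main(void)
{
    ToyFlowState st;
    memset(&st, 0, sizeof(st));
    /* Constructed sample packets: device-id 123456, then the reserved all-ones id. */
    const uint8_t good[] = { 0xD0, 0x0D, 0x00, 0x01, 0xE2, 0x40, 0x01 };
    const uint8_t bad[]  = { 0xD0, 0x0D, 0xFF, 0xFF, 0xFF, 0xFF, 0x01 };
    uint32_t dev = 0;

    ToyParse(&st, good, sizeof(good));
    ToyParse(&st, bad, sizeof(bad));
    if (ToyAlertDeviceId(&st, &dev))
        printf("event ids in list: %u, offending device-id: %u\n", st.events.cnt, dev);
    return 0;
}
```

The alert path never inspects the event for the device-id; it only checks whether the id is present and then reads the value the parser stashed in its own state, which is the separation the reply above describes.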