[Oisf-devel] TLS Buffers for LUA Scripting?

Jason Ish lists at unx.ca
Tue Dec 29 16:54:38 UTC 2015


Hi Nasir,

See below...

On Sun, Dec 27, 2015 at 11:25 PM, Nasir Bilal <bilalbox at gmail.com> wrote:
> Hey Devs!
>
> I wanted to throw an idea out there to see if anyone knows if this idea is
> already in the works or even feasible. On our Lua scripting page, we
> currently support the following buffers:
>
> packet -- entire packet, including headers
> payload -- packet payload (not stream)
> http.uri
> http.uri.raw
> http.request_line
> http.request_headers
> http.request_headers.raw
> http.request_cookie
> http.request_user_agent
> http.request_body
> http.response_headers
> http.response_headers.raw
> http.response_body
> http.response_cookie
>
> Ref:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting
>
> Would it be possible to register any new buffers to this list? In
> particular, how do you think we could go about adding some TLS keywords:
> tls.version
> tls.subject
> tls.issuerdn
> tls.fingerprint
>
> Ref:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords
>
> These would open up a lot of power for scripting complex detections of
> TLS-related attacks and exploits.

Looks like the 3.0RC's have these already, see this commit for more detail:

https://github.com/inliniac/suricata/commit/371648a8c61e93b42f74263bcedb9d1b8b1af354

Looks like the documentation there may need to catch up.

Jason


