[Oisf-devel] Add custom field to a decoder event?
Adrian Falk
adrianfalk2 at gmail.com
Wed Jan 7 17:18:54 UTC 2015
True. May be cumbersome if device-ids are of a dynamic nature and not
always known ahead of time.
Thanks.
On Wed, Jan 7, 2015 at 4:35 AM, Victor Julien <victor at inliniac.net> wrote:
> On 12/12/2014 07:18 PM, Adrian Falk wrote:
> > I would like to pass back a uint32_t value that represents a value
> > extracted from the protocol packet.
> >
> > This uint32_t value is similar to a device-id; there exist many
> > device-ids for each flow and I'd like the Suricata alert to be able to
> > identify the offending device in the alert.
>
> An alternative approach would be to create a rule keyword for the
> device-ids and then create rules that have both the decoder-event
> keyword and the 'device-ids' keyword.
>
> Cheers,
> Victor
>
> > Thanks.
> >
> > On Fri, Dec 12, 2014 at 11:13 AM, Victor Julien <victor at inliniac.net> wrote:
> >
> > On 12/12/2014 04:37 PM, Adrian Falk wrote:
> > > From an app layer pre-processor, when
> > > AppLayerDecoderEventsSetEventRaw() is called, is it possible to add
> > > a custom field into the decoder event? An example of a custom field
> > > would be a field extracted from a packet that triggered the decoder
> > > event that I would like to have show up in a Suricata alert.
> >
> > No, it's just an id that the rule language uses to match an
> > app-layer-event against. No other info is made available currently.
> >
> > What would you need to pass back?
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
>
>
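The design sketched in this thread, as a standalone added illustration (not Suricata code and not the project's API): the app-layer event stays a bare id, the parser keeps the extracted device-id in its own transaction state, and a separate rule keyword matches on that state, so a rule can require both the event and a specific device-id. All names here (TxState, Rule, parse_record, the toy wire format and the sample records) are hypothetical and constructed for the example. It also makes the follow-up concern visible: the device-id in a rule is a literal fixed at rule-writing time.

```c
/* Added example: model of "event id + separate device-id keyword".
 * Not Suricata's API; every name below is hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical app-layer event ids; the event itself carries nothing else. */
enum { EVT_BAD_LENGTH = 1, EVT_BAD_VERSION = 2 };

/* Per-transaction parser state: raised events plus the extracted device-id. */
typedef struct {
    uint32_t events;        /* bitmask of raised event ids */
    uint32_t device_id;     /* value pulled from the packet by the parser */
    int      have_device_id;/* 0 until the parser has read a device-id */
} TxState;

static void set_event(TxState *tx, int id) { tx->events |= (1u << id); }

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed toy record: [version:1][payload_len:1][device_id:4 BE][payload].
 * Raises events for malformed input and records the device-id when present.
 * Returns 0 for a clean record, -1 if any event was raised. */
int parse_record(TxState *tx, const uint8_t *buf, size_t len) {
    memset(tx, 0, sizeof *tx);
    if (len < 6) {                       /* header incomplete: no device-id */
        set_event(tx, EVT_BAD_LENGTH);
        return -1;
    }
    uint8_t version = buf[0];
    uint8_t plen    = buf[1];
    tx->device_id = read_be32(buf + 2);
    tx->have_device_id = 1;
    if (version != 1)             set_event(tx, EVT_BAD_VERSION);
    if ((size_t)plen + 6 != len)  set_event(tx, EVT_BAD_LENGTH);
    return tx->events ? -1 : 0;
}

/* A rule combining an event keyword with an optional device-id keyword. */
typedef struct {
    const char *msg;
    int      event_id;     /* required event */
    int      match_device; /* 1 if the rule also pins a device-id */
    uint32_t device_id;    /* literal, known when the rule is written */
} Rule;

/* Both keywords must match; a rule pinning a device-id never matches a
 * transaction where the parser could not read one. */
int rule_matches(const Rule *r, const TxState *tx) {
    if (!(tx->events & (1u << r->event_id)))
        return 0;
    if (r->match_device && (!tx->have_device_id || tx->device_id != r->device_id))
        return 0;
    return 1;
}

/* Parse one record and count the rules that would alert on it. */
int count_alerts(const Rule *rules, size_t nrules, const uint8_t *buf, size_t len) {
    TxState tx;
    parse_record(&tx, buf, len);
    int n = 0;
    for (size_t i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], &tx))
            n++;
    return n;
}

/* Constructed sample rules and records. */
const Rule SAMPLE_RULES[3] = {
    { "bad version from device 0x1234", EVT_BAD_VERSION, 1, 0x1234 },
    { "bad version from device 0x9999", EVT_BAD_VERSION, 1, 0x9999 },
    { "bad length, any device",         EVT_BAD_LENGTH,  0, 0      },
};
const uint8_t SAMPLE_GOOD[]        = { 1, 2, 0, 0, 0, 7, 'a', 'b' }; /* clean */
const uint8_t SAMPLE_BAD_VERSION[] = { 2, 0, 0, 0, 0x12, 0x34 };     /* version 2 */
const uint8_t SAMPLE_TRUNCATED[]   = { 1 };                           /* no device-id */

int main(void) {
    printf("good: %d alert(s)\n",
           count_alerts(SAMPLE_RULES, 3, SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("bad version: %d alert(s)\n",
           count_alerts(SAMPLE_RULES, 3, SAMPLE_BAD_VERSION, sizeof SAMPLE_BAD_VERSION));
    printf("truncated: %d alert(s)\n",
           count_alerts(SAMPLE_RULES, 3, SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The bad-version record from device 0x1234 fires only the first rule; the same event from any other device stays silent unless a rule for that device-id exists, which is the cost of encoding device-ids as rule literals rather than carrying them in the event.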