[Oisf-devel] Lua Buffer for IPv4 headers?

Victor Julien victor at inliniac.net
Thu May 19 07:28:18 UTC 2016


On 17-05-16 06:24, Nasir Bilal wrote:
> Thanks for the confirmation of our fears! I have a couple of questions
> for you:
> 1) We did go ahead and submit an FR (#1783) as can be seen here:
> https://redmine.openinfosecfoundation.org/issues/1783
> My question is, is this request properly written? What can we do to help
> move this along as a non-dev?

Yes, it looks fine. Perhaps you could add some example scripts so that
it's easier to work on it.

> 2) I'd be interested in trying to decode the packet until a more elegant
> and official solution is implemented. In what format is the packet
> encoded? Are there any lua libraries that might be handy for decoding
> the packet and extracting the header fields, such as this one?
> https://nmap.org/nsedoc/lib/bin.html

I never tried this, but it's an interesting idea. If you try it please
let the group know how it works for you.

Cheers,
Victor


> 
> Thanks!
> Nasir
> 
> On Wed, May 11, 2016 at 12:00 PM,
> <oisf-devel-request at lists.openinfosecfoundation.org> wrote:
> 
> 
>     Today's Topics:
> 
>        1. Netflow data to Suricata (SiNA)
>        2. Re: Netflow data to Suricata (Victor Julien)
>        3. Re: Lua Buffer for IPv4 headers? (Victor Julien)
> 
> 
>     ----------------------------------------------------------------------
> 
>     Message: 1
>     Date: Tue, 10 May 2016 13:53:40 -0400
>     From: SiNA <sina.rabbani at gmail.com>
>     To: oisf-devel at lists.openinfosecfoundation.org
>     Subject: [Oisf-devel] Netflow data to Suricata
>     Message-ID: <CABiB2OPO4tmYO-u9buVrE=KMU9tE=D9vUKiSF2cNkXetBR7UQg at mail.gmail.com>
>     Content-Type: text/plain; charset="utf-8"
> 
>     Hello!
> 
>     Is there any way to send Suricata netflow data and have them checked
>     against a reputation feed for example?
> 
>     All the best,
>     Sina
> 
>     ------------------------------
> 
>     Message: 2
>     Date: Tue, 10 May 2016 23:16:01 +0200
>     From: Victor Julien <victor at inliniac.net>
>     To: oisf-devel at lists.openinfosecfoundation.org
>     Subject: Re: [Oisf-devel] Netflow data to Suricata
>     Message-ID: <57324F91.3060009 at inliniac.net>
>     Content-Type: text/plain; charset=utf-8
> 
>     On 10-05-16 19:53, SiNA wrote:
>     > Is there any way to send Suricata netflow data and have them checked
>     > against a reputation feed for example?
> 
>     No, Suricata needs a copy of the actual traffic, not something like
>     netflow.
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
> 
> 
>     ------------------------------
> 
>     Message: 3
>     Date: Tue, 10 May 2016 23:17:38 +0200
>     From: Victor Julien <victor at inliniac.net>
>     To: oisf-devel at lists.openinfosecfoundation.org
>     Subject: Re: [Oisf-devel] Lua Buffer for IPv4 headers?
>     Message-ID: <57324FF2.6040801 at inliniac.net>
>     Content-Type: text/plain; charset=utf-8
> 
>     On 10-05-16 01:46, Nasir Bilal wrote:
>     > Hey Devs!
>     >
>     > We are looking for a way to expose the contents of the layer-3/IP
>     > headers to our lua script. Based on this documentation
>     > <https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting>,
>     > It seems that we can only get granular HTTP headers. Are there buffers
>     > available specific to the IP and TCP headers? For example, to get all
>     > the HTTP header info, we'd need an init function like so:
>     >
>     > function init (args)
>     >     local needs = {}
>     >     needs["payload"] = tostring(true)
>     >     return needs
>     > end
>     >
>     > So, would we build something like:
>     >
>     > function init (args)
>     >     local needs = {}
>     >     needs["protocol"] = "ip"
>     >     return needs
>     > end
>     >
>     > Or
>     >
>     > function init (args)
>     >     local needs = {}
>     >     needs["ip.something"] = tostring(true)
>     >     return needs
>     > end
>     >
>     > In other words, is there a more comprehensive list of the buffers
>     > available that includes ALL of those currently available in
>     > Suricata 3.0.1?
>     >
> 
>     No, they are not. The closest thing is the 'packet' buffer, which gives
>     you the raw packet including the headers. You could decode the packet
>     yourself. Not ideal :)
> 
>     Feel free to open feature request tickets on the redmine site.
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
> 
> 
>     ------------------------------
> 
>     ------------------------------
> 
>     End of Oisf-devel Digest, Vol 77, Issue 8
>     *****************************************
> 
> 
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
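The "decode the 'packet' buffer yourself" approach from the thread, as an added example (not code from the mailing list, from Nasir, or from the Suricata project). It assumes the Suricata detection Lua API of that era: `init()` asks for `needs["packet"]`, `match(args)` receives the raw frame as `args["packet"]`, and the global `SCLogInfo` exists only when running inside Suricata. It also assumes an Ethernet link layer (with optional 802.1Q tag). The parser does bounds checks before every read, which is the part a script working on raw bytes most often gets wrong; the self-test at the bottom uses a constructed frame, not captured traffic.

```lua
-- Added example: decode Ethernet + IPv4 headers from Suricata's raw 'packet' buffer.
-- Pure Lua 5.1 arithmetic (no bit library, no string.unpack) so it runs under LuaJIT too.

local function u8(s, i) return string.byte(s, i) end
local function u16(s, i)
    local hi, lo = string.byte(s, i, i + 1)
    return hi * 256 + lo
end

-- Decode the IPv4 header that starts at 1-based byte offset 'off' in 'pkt'.
-- Returns a table of fields, or nil plus a reason when the bytes are not a sane IPv4 header.
local function decode_ipv4(pkt, off)
    if #pkt < off + 19 then return nil, "truncated: fewer than 20 bytes of IPv4 header" end
    local b0 = u8(pkt, off)
    local version = math.floor(b0 / 16)         -- high nibble
    local ihl = (b0 % 16) * 4                   -- low nibble, in 32-bit words
    if version ~= 4 then return nil, "version field is not 4" end
    if ihl < 20 then return nil, "IHL below the 20-byte minimum" end
    if #pkt < off + ihl - 1 then return nil, "truncated: IP options run past end of packet" end
    local flags_frag = u16(pkt, off + 6)        -- 3 flag bits + 13-bit fragment offset
    return {
        version        = version,
        ihl            = ihl,
        tos            = u8(pkt, off + 1),
        total_length   = u16(pkt, off + 2),
        id             = u16(pkt, off + 4),
        dont_fragment  = math.floor(flags_frag / 16384) % 2 == 1,  -- bit 14
        more_fragments = math.floor(flags_frag / 8192) % 2 == 1,   -- bit 13
        frag_offset    = flags_frag % 8192,                        -- low 13 bits, in 8-byte units
        ttl            = u8(pkt, off + 8),
        protocol       = u8(pkt, off + 9),
        checksum       = u16(pkt, off + 10),
        src            = string.format("%d.%d.%d.%d", string.byte(pkt, off + 12, off + 15)),
        dst            = string.format("%d.%d.%d.%d", string.byte(pkt, off + 16, off + 19)),
        has_options    = ihl > 20,
    }
end

-- Walk the Ethernet header (and one optional 802.1Q tag) to find the IPv4 header.
local function decode_packet(pkt)
    if #pkt < 14 then return nil, "truncated Ethernet header" end
    local ethertype = u16(pkt, 13)
    local off = 15
    if ethertype == 0x8100 then                 -- VLAN tag adds 4 bytes
        if #pkt < 18 then return nil, "truncated 802.1Q tag" end
        ethertype = u16(pkt, 17)
        off = 19
    end
    if ethertype ~= 0x0800 then
        return nil, string.format("ethertype 0x%04x is not IPv4", ethertype)
    end
    return decode_ipv4(pkt, off)
end

-- Suricata entry points (assumed API: needs["packet"] / args["packet"]).
function init(args)
    local needs = {}
    needs["packet"] = tostring(true)            -- ask for the raw packet including headers
    return needs
end

-- Illustrative rule logic: match IPv4 packets that carry IP options, which are rare on
-- normal traffic and worth a closer look. Any decoded field could be tested the same way.
function match(args)
    local pkt = args["packet"]
    if pkt == nil then return 0 end
    local ip = decode_packet(tostring(pkt))
    if ip and ip.has_options then return 1 end
    return 0
end

-- Stand-alone self-check with a constructed 34-byte frame (not captured traffic).
-- Run with `lua script.lua`; inside Suricata SCLogInfo is defined and this block is skipped.
if not SCLogInfo then
    local frame = string.char(
        -- Ethernet: dst MAC, src MAC, ethertype 0x0800
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,  0x08, 0x00,
        -- IPv4: ver/IHL 0x45, TOS 0, total length 40, id 0x1234, flags DF, TTL 64,
        -- protocol 6 (TCP), checksum 0 (not computed), 192.168.1.10 -> 10.0.0.1
        0x45, 0x00,  0x00, 0x28,  0x12, 0x34,  0x40, 0x00,  0x40, 0x06,  0x00, 0x00,
        192, 168, 1, 10,  10, 0, 0, 1)
    local ip, err = decode_packet(frame)
    assert(ip, err)
    assert(ip.src == "192.168.1.10" and ip.dst == "10.0.0.1")
    assert(ip.ttl == 64 and ip.protocol == 6 and ip.total_length == 40)
    assert(ip.dont_fragment and not ip.more_fragments and ip.frag_offset == 0)
    assert(not ip.has_options)
    assert(decode_packet(frame:sub(1, 20)) == nil)   -- truncated header is rejected, not misread
    print(string.format("decoded %s -> %s ttl=%d proto=%d", ip.src, ip.dst, ip.ttl, ip.protocol))
end
```

The length checks matter because the 'packet' buffer hands the script whatever was on the wire, including runt and truncated frames; a decoder that indexes past the end of the string gets nil from string.byte and then raises an arithmetic error inside the detection engine. If the capture interface is not Ethernet (for example a raw IP or Linux cooked capture), the offsets above do not apply and decode_packet will report a wrong ethertype rather than silently misparse.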



