[Oisf-devel] Custom ICAP parser to work with http signatures

Nick Price nick at spun.io
Sat Jan 5 00:14:24 UTC 2019


I started to write an app in Rust to take an ICAP feed and generate pcaps
that could be replayed for analysis over an interface.  Let me see if I
still have that code, because it could definitely be used for this.

On Fri, Jan 4, 2019, 19:09 Elena Bykovchenko <holgrain at protonmail.com> wrote:

>
> Hello. I want to make Suricata work with ICAP in a way that will allow it
> to analyze traffic from ICAP content as if it was normal HTTP traffic (so
> HTTP signatures would work). Suppose I have a custom parser for ICAP. How
> do I notify the engine that the ICAP request body should be parsed by the
> HTTP parser next? Is it possible? I couldn't find any code that I could use
> for it. Sorry, the code base is extensive, I might have missed
> something.