[Oisf-users] Suricata 1.4 clarification on lua scripting http buffers

Victor Julien lists at inliniac.net
Fri May 17 18:40:20 UTC 2013


On 05/17/2013 08:30 PM, Vincent Fang wrote:
> The list of variables that represent the http buffers in the lua
> scripting page, should I view it as the packet variable has everything
> that the other variables are supposed to represent?

No, the packet var gets you the raw packet, so including link layer(s)
like ethernet, transport layers like IP and TCP and the payload.

You just get the data and the length of the data, everything else is up
to you.

> Like packet would contain payload data and payload data would contain
> the http_uri or http.response_body?

No.

> And is there any tcp data such as the source ip and port and destination
> ip and port stored in any of these lua variables that I can extract from
> or only http data is available?

No, not currently. I think it would make sense to add it though. Feel
free to open a ticket.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
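
Added example (not part of the original message and not Suricata project code): since the "packet" buffer is only raw bytes plus a length, a script that wants addresses and ports has to decode the headers itself. The sketch below assumes the init/needs/match script convention from the Lua scripting page the thread refers to, Ethernet II framing with at most one 802.1Q tag, and IPv4/TCP; parse_tcp4, u16, ipv4 and the port 8080 test are hypothetical names and values chosen for illustration.

```lua
-- Added example: decode the raw "packet" buffer by hand (Lua 5.1 / LuaJIT).
-- Assumes Ethernet II (optionally one 802.1Q tag), IPv4 and TCP.
function init(args)
    local needs = {}
    needs["packet"] = tostring(true)   -- ask for the raw packet buffer
    return needs
end

local function u16(buf, off)           -- big-endian 16-bit, 1-based offset
    local hi, lo = buf:byte(off, off + 1)
    return hi * 256 + lo
end

local function ipv4(buf, off)          -- dotted quad from 4 bytes
    return string.format("%d.%d.%d.%d", buf:byte(off, off + 3))
end

-- Returns a table with src/dst address and port, or nil when the packet is
-- truncated or is not an unfragmented (or first-fragment) IPv4/TCP packet.
function parse_tcp4(pkt)
    if type(pkt) ~= "string" or #pkt < 14 then return nil end
    local l3 = 15                      -- first byte after the Ethernet header
    local ethertype = u16(pkt, 13)
    if ethertype == 0x8100 then        -- skip one 802.1Q VLAN tag
        if #pkt < 18 then return nil end
        ethertype = u16(pkt, 17)
        l3 = 19
    end
    if ethertype ~= 0x0800 then return nil end      -- not IPv4
    if #pkt < l3 + 19 then return nil end           -- minimal IPv4 header
    local vihl = pkt:byte(l3)
    local version = math.floor(vihl / 16)
    local ihl = (vihl % 16) * 4                     -- header length in bytes
    if version ~= 4 or ihl < 20 then return nil end
    if pkt:byte(l3 + 9) ~= 6 then return nil end    -- protocol 6 = TCP
    -- a non-zero fragment offset means no TCP header in this packet
    if u16(pkt, l3 + 6) % 8192 ~= 0 then return nil end
    local l4 = l3 + ihl
    if #pkt < l4 + 3 then return nil end            -- need both port fields
    return { src = ipv4(pkt, l3 + 12), sport = u16(pkt, l4),
             dst = ipv4(pkt, l3 + 16), dport = u16(pkt, l4 + 2) }
end

function match(args)
    local t = parse_tcp4(args["packet"])
    if t and t.dport == 8080 then return 1 end      -- 8080: illustrative value
    return 0
end
```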



