[Oisf-users] Suricata 1.4 clarification on lua scripting http buffers

Vincent Fang vincent.y.fang at gmail.com
Wed May 29 15:10:34 UTC 2013


One last clarification question. So I know you can only access one piece of HTTP
data at a time, but it looks like the keywords packet and payload are the
exceptions, where you can ask for both of those and it will be fine. Is it
intended that you can ask for packet and one of the http buffers at the
same time as well, or is that not the case? In my lua script, I requested
the packet data and the http body, but it seems to be erroring out in
the following portion of the match function:

local bytes = args["packet"]  -- raw packet buffer, as requested in init()
file:write("\n length of bytes is " .. #bytes .. "\n")  -- #bytes fails when bytes is nil

with luajit saying that length of local bytes is a nil value.

Vince



On Fri, May 17, 2013 at 2:40 PM, Victor Julien <lists at inliniac.net> wrote:

> On 05/17/2013 08:30 PM, Vincent Fang wrote:
> > The list of variables that represent the http buffers in the lua
> > scripting page: should I view it as the packet variable having everything
> > that the other variables are supposed to represent?
>
> No, the packet var gets you the raw packet, so including link layer(s)
> like Ethernet, transport layers like IP and TCP, and the payload.
>
> You just get the data and the length of the data, everything else is up
> to you.
>
> > Like packet would contain payload data and payload data would contain
> > the http_uri or http.response_body?
>
> No.
>
> > And is there any tcp data such as the source ip and port and destination
> > ip and port stored in any of these lua variables that I can extract from
> > or only http data is available?
>
> No, not currently. I think it would make sense to add it though. Feel
> free to open a ticket.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
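As an added illustration (not code from this thread and not Suricata project code), below is a complete Suricata 1.4-style Lua detection script that asks for both the raw packet and the HTTP response body and guards against either buffer being absent in match(), which is the condition that produced the "nil value" error quoted above. It does not settle whether Suricata actually delivers packet and an http buffer together; it only keeps the script from crashing when one of them is nil. Assumptions: the init()/match() contract as understood here (init returns a table of needed buffers keyed by name with the string "true" as value; match receives them in args and returns 1 or 0), the buffer names "packet" and "http.response_body", the log path, and the illustrative substring "eval(" are all assumptions, not facts from the page.

```lua
-- Added example, not from the mailing-list thread and not Suricata's own code.
-- Assumed Suricata 1.4 Lua contract: init(args) returns the buffers the script
-- needs; match(args) gets them in args and returns 1 (alert) or 0 (no alert).
-- Buffer names, the log path and the search string are assumptions.

local LOG_PATH = "/var/log/suricata/lua-buffer-debug.log"   -- assumed path
local SUSPECT  = "eval("                                      -- illustrative pattern

function init(args)
    local needs = {}
    needs["packet"] = tostring(true)               -- raw frame: link + IP + TCP + payload
    needs["http.response_body"] = tostring(true)   -- reassembled HTTP response body
    return needs
end

-- Length of a buffer, or -1 when Suricata did not deliver it for this call.
-- Calling #buf on a nil buffer is exactly what raises
-- "attempt to get length of local 'buf' (a nil value)" in LuaJIT.
local function buflen(buf)
    if buf == nil then
        return -1
    end
    return #buf
end

function match(args)
    local pkt  = args["packet"]
    local body = args["http.response_body"]

    -- Log what arrived so the caller can see which buffers are (un)available.
    local f = io.open(LOG_PATH, "a")
    if f ~= nil then
        f:write(string.format("packet=%d response_body=%d\n",
                              buflen(pkt), buflen(body)))
        f:close()
    end

    -- Inspect the body only when it was actually delivered; plain-text find,
    -- no pattern metacharacters (fourth argument true).
    if body ~= nil and body:find(SUSPECT, 1, true) ~= nil then
        return 1
    end
    return 0
end
```

The nil guard is the practical takeaway: even for a buffer the script asked for in init(), match() can be invoked at a point in the stream where that buffer is not yet (or no longer) available, so every args[...] lookup should be checked before its length or contents are used.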