[Oisf-users] Suricata 1.4 clarification on lua scripting http buffers
Victor Julien
lists at inliniac.net
Wed May 29 16:44:29 UTC 2013
On 05/29/2013 05:10 PM, Vincent Fang wrote:
> One last clarification question. So I know you can only access one HTTP
> data at a time, but it looks like the keywords packet and payload are
> the exceptions where you can ask for both of those and it will be fine.
> Is it intended that you can ask for packet and one of the http buffers
> at the same time as well or that is not the case? In my lua script, I
> requested for the packet data and the http body, but it seems to be
> erroring out in the following script portion of the match function
No, the http buffers are different. So you can do only one at a time.
Cheers,
Victor
> local bytes = args["packet"]
> file:write("\n length of bytes is .. " .. #bytes .. "\n")
>
> with luajit saying that length of local bytes is a nil value.
>
> Vince
>
>
>
> On Fri, May 17, 2013 at 2:40 PM, Victor Julien <lists at inliniac.net> wrote:
>
> On 05/17/2013 08:30 PM, Vincent Fang wrote:
> > The list of variables that represent the http buffers in the lua
> > scripting page, should I view it as the packet variable has everything
> > that the other variables are supposed to represent?
>
> No, the packet var gets you the raw packet, so including link layer(s)
> like ethernet, transport layers like IP and TCP and the payload.
>
> You just get the data and the length of the data, everything else is up
> to you.
>
> > Like packet would contain payload data and payload data would contain
> > the http_uri or http.response_body?
>
> No.
>
> > And is there any tcp data such as the source ip and port and destination
> > ip and port stored in any of these lua variables that I can extract from
> > or only http data is available?
>
> No, not currently. I think it would make sense to add it though. Feel
> free to open a ticket.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
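
An added example, not part of the thread or of Suricata's own code: a luajit script that requests a single HTTP buffer, as the reply above says is required, and checks for a missing buffer before applying `#` to it. The `init`/`needs`/`match` shape follows the Suricata 1.4 lua scripting interface; `WANTED`, `buffer_of` and the `MZ` condition are hypothetical names and logic chosen for illustration.

```lua
-- Added example, not from the thread. Written against the Suricata 1.4
-- luajit keyword interface: init() returns the buffers the script needs,
-- match() receives them in args and returns 1 (match) or 0 (no match).

local WANTED = "http.response_body"   -- exactly one HTTP buffer per script

function init(args)
    local needs = {}
    needs[WANTED] = tostring(true)
    return needs
end

-- Return the buffer as a string, or nil when Suricata did not supply it
-- (not requested in init(), or not available for this inspection).
local function buffer_of(args, name)
    local data = args[name]
    if data == nil then
        return nil
    end
    return tostring(data)
end

function match(args)
    local body = buffer_of(args, WANTED)
    if body == nil then
        return 0          -- nothing to inspect; never apply # to nil
    end
    -- Constructed condition: a response body that starts with "MZ".
    if #body >= 2 and body:sub(1, 2) == "MZ" then
        return 1
    end
    return 0
end

-- Stand-alone check with constructed input; runs only under a command-line
-- interpreter, where the global `arg` table exists (assumption: it is not
-- set when Suricata loads the script).
if arg ~= nil then
    assert(init({})[WANTED] == "true")
    assert(match({ [WANTED] = "MZ\144\0" }) == 1)
    assert(match({ [WANTED] = "<html>" }) == 0)
    assert(match({}) == 0)   -- buffer absent, as in the thread's nil error
    print("ok")
end
```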