[Oisf-users] Suricata 1.4 clarification on lua scripting http buffers

Victor Julien lists at inliniac.net
Wed May 29 16:44:29 UTC 2013


On 05/29/2013 05:10 PM, Vincent Fang wrote:
> One last clarification question. So I know you can only access one HTTP
> buffer at a time, but it looks like the keywords packet and payload are
> the exceptions where you can ask for both of those and it will be fine.
> Is it intended that you can ask for packet and one of the http buffers
> at the same time as well, or is that not the case? In my lua script, I
> requested the packet data and the http body, but it seems to be
> erroring out in the following script portion of the match function

No, the http buffers are different. So you can do only one at a time.

Cheers,
Victor

> local bytes = args["packet"]
> file:write("\n length of bytes is " .. #bytes .. "\n")
> 
> with luajit saying that length of local bytes is a nil value.
> 
> Vince
> 
> 
> 
> On Fri, May 17, 2013 at 2:40 PM, Victor Julien <lists at inliniac.net
> <mailto:lists at inliniac.net>> wrote:
> 
>     On 05/17/2013 08:30 PM, Vincent Fang wrote:
>     > The list of variables that represent the http buffers in the lua
>     > scripting page, should I view it as the packet variable has everything
>     > that the other variables are supposed to represent?
> 
>     No, the packet var gets you the raw packet, so including link layer(s)
>     like ethernet, transport layers like IP and TCP, and the payload.
> 
>     You just get the data and the length of the data, everything else is up
>     to you.
> 
>     > Like packet would contain payload data and payload data would contain
>     > the http_uri or http.response_body?
> 
>     No.
> 
>     > And is there any tcp data such as the source ip and port and
>     > destination ip and port stored in any of these lua variables that I can
>     > extract from, or only http data is available?
> 
>     No, not currently. I think it would make sense to add it though. Feel
>     free to open a ticket.
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
>     _______________________________________________
>     Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     Site: http://suricata-ids.org | Support:
>     http://suricata-ids.org/support/
>     List:
>     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     OISF: http://www.openinfosecfoundation.org/
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
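As an added example (not code from this thread or from the Suricata project), a detection script that follows Victor's rule by requesting a single HTTP buffer in init() and guarding against a nil buffer in match(), which is the error Vince ran into; the rule it pairs with and the "MZ" check are assumptions.

```lua
-- Added example, not from the thread. Keyword names follow Suricata's lua
-- detection API. Assumed pairing rule:
--   alert http any any -> any any (msg:"lua body check"; lua:body_check.lua; sid:1;)

function init(args)
    local needs = {}
    -- Request exactly one HTTP buffer. Do not also request "packet" or a
    -- second http.* buffer here: only one HTTP buffer is served per script.
    needs["http.response_body"] = tostring(true)
    return needs
end

-- Return 1 for a match, 0 otherwise.
function match(args)
    local body = args["http.response_body"]
    -- The buffer can be absent (no body seen yet, or a buffer that was not
    -- granted); taking #body on nil is the "nil value" error from the thread.
    if body == nil then
        return 0
    end
    -- Assumed detection criterion: the response body starts with a PE header.
    if string.sub(body, 1, 2) == "MZ" then
        return 1
    end
    return 0
end
```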
