[Oisf-users] Suricata Lua http.request_line
Gofran, Paul
paul.gofran at lmco.com
Fri Sep 5 18:38:43 UTC 2014
Is anyone using http.request_line successfully?
When specifying in my init function:
needs["http.request_line"] = tostring(true)
And a match function that only performs a syslog to verify it's being called - I don't receive the message. But when I change 'http.request_line' to any of the other buffers (e.g. 'http.request_headers'), I do receive the syslog message. I don't get any errors either when using http.request_line. I found this odd since this is the example on the website: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting
I verified that it doesn't work in the dev-lua branch, as well as not working in 2.0.1 and 1.4.6. It doesn't appear to be a typo since that causes an error on startup if a bad buffer is specified. It also doesn't appear to be an issue with my syslog message since I get the syslog message when using a different buffer.
My rule if that matters:
alert tcp any any -> any any (msg:"HTTPRequestLine"; luajit:HTTP_Request_Line.lua; sid:312339;)
Am I missing something obvious? I'd be surprised if this was broken since 1.4.6 but I can submit a bug if that's the case.
Thanks,
Paul