[Oisf-users] Suricata Lua http.request_line

Gofran, Paul paul.gofran at lmco.com
Fri Sep 5 18:38:43 UTC 2014

Is anyone using http.request_line successfully?

When specifying in my init function:
needs["http.request_line"] = tostring(true)

And a match function that only performs a syslog to verify it's being called - I don't receive the message.  But changing 'http.request_line' to any of the other buffers (ex: 'http.request_headers') then I do receive the syslog message.  I don't get any errors either when using http.request_line.  I found this odd since this is the example on the website: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting

I verified that it doesn't work in the dev-lua branch, as well as not working in 2.0.1 and 1.4.6.  It doesn't appear to be a typo since that causes an error on startup if a bad buffer is specified.  It also doesn't appear to be an issue with my syslog message since I get the syslog message when using a different buffer.

My rule if that matters:
alert tcp any any -> any any (msg:"HTTPRequestLine"; luajit:HTTP_Request_Line.lua; sid:312339;)

Am I missing something obvious?  I'd be surprised if this was broken since 1.4.6 but I can submit a bug if that's the case.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140905/4574f9af/attachment.html>

More information about the Oisf-users mailing list