[Oisf-users] Luajit access to entire reassembled payload?
Rasmor, Zachary R
zachary.r.rasmor at lmco.com
Wed Mar 30 18:27:50 UTC 2016
Hello,
I am wondering if there is support for accessing the entire reassembled
payload from a luajit script, similar to what you would find in the
'payload_printable' value within an alert in the eve.json (if the alert
fired against the stream). I would like to call a luajit script from an
'only_stream' rule and access the entire reassembled payload.
I originally thought this could be accomplished through 'needs['payload']',
but through testing and reviewing the documentation, I'm thinking this is
only valid for individual packet payloads.
Thanks for the clarification!
Zach
________________________
Zach Rasmor
Senior Software Engineer
Lockheed Martin CIRT
700 N Frederick Ave | Gaithersburg, MD 20879
Email: zachary.r.rasmor at lmco.com
Office: 301.240.6116