[Oisf-users] Luajit access to entire reassembled payload?
Victor Julien
lists at inliniac.net
Thu Mar 31 14:53:00 UTC 2016
On 30-03-16 20:27, Rasmor, Zachary R wrote:
> I am wondering if there is support for accessing the entire reassembled
> payload from a luajit script, similar to what you would find in the
> ‘payload_printable’ value within an alert in the eve.json (if the alert
> fired against the stream). I would like to call a luajit script from an
> ‘only_stream’ rule and access the entire reassembled payload.
>
> I originally thought this could be accomplished through
> ‘needs[‘payload’]’, but through testing and reviewing the documentation,
> I’m thinking this is only valid for individual packet payloads.
Depends on the purpose. There is logging-only support for the
streaming data, both for tcp data and http body data (after
normalization):
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#Streaming-Data
To get access to the stream data similar to the eve 'payload_printable'
from alert output, you'll have to add support for it in the code. I'd be
happy to take a PR for that :)
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
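As an added example (not code from this thread or from the Suricata project), this is a Suricata Lua output script that uses the logging-only streaming API Victor points to: it appends each flow's reassembled TCP stream to a file in the same printable form as eve's `payload_printable`. It assumes the `needs["streaming"]` key, `SCStreamingBuffer()`, `SCFlowId()`, `SCLogPath()` and `SCLogError()` behave as described in the Lua_Output wiki; the extra open/close return values of `SCStreamingBuffer()` are assumed to exist only in newer releases, so the script tolerates their absence.

```lua
-- Added example, not from the mailing-list thread or the Suricata code base.
-- Register it under outputs -> lua -> scripts in suricata.yaml.

local outfile   -- handle to the log file, opened in setup()

function init(args)
    local needs = {}
    -- Ask for reassembled TCP stream data (use "http" for normalized
    -- HTTP body data instead). This is output-only; it cannot feed a
    -- match in an 'only_stream' rule.
    needs["streaming"] = "tcp"
    return needs
end

function setup(args)
    -- SCLogPath() is assumed to return Suricata's configured log directory.
    outfile = io.open(SCLogPath() .. "/tcp_streams.log", "a")
    if not outfile then
        SCLogError("tcp_streams.lua: could not open tcp_streams.log")
    end
end

-- Render bytes the way eve's payload_printable does: printable ASCII
-- (0x20..0x7e) and newlines are kept, everything else becomes '.'.
local function printable(s)
    return (s:gsub("[^\32-\126\n]", "."))
end

function log(args)
    -- Older releases return only the data chunk; newer ones are assumed to
    -- also return open/close flags marking the first and last chunk of a flow.
    local data, sb_open, sb_close = SCStreamingBuffer()
    if data == nil or outfile == nil then
        return
    end
    local id = SCFlowId()   -- assumed to be the flow's numeric id
    if sb_open then
        outfile:write("=== flow " .. id .. " start ===\n")
    end
    outfile:write(printable(data))
    if sb_close then
        outfile:write("\n=== flow " .. id .. " end ===\n")
    end
    outfile:flush()
end

function deinit(args)
    if outfile then
        outfile:close()
    end
end
```

Chunks for different flows interleave in the file as they arrive, so the flow id markers are what let a reader reassemble one conversation; on releases without the open/close flags only the raw chunks are written.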