[Oisf-users] EXTERNAL: Re: Luajit access to entire reassembled payload?

Rasmor, Zachary R zachary.r.rasmor at lmco.com
Thu Mar 31 16:46:05 UTC 2016


I thought that might be the answer, just making sure! I'll familiarize myself with the code and hopefully open a PR soon!

________________________
Zach Rasmor
Email: zachary.r.rasmor at lmco.com
Office: 301.240.6116

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Thursday, March 31, 2016 10:53 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: EXTERNAL: Re: [Oisf-users] Luajit access to entire reassembled payload?

On 30-03-16 20:27, Rasmor, Zachary R wrote:
> I am wondering if there is support for accessing the entire 
> reassembled payload from a luajit script, similar to what you would 
> find in the ‘payload_printable’ value within an alert in the eve.json 
> (if the alert fired against the stream). I would like to call a luajit 
> script from an ‘only_stream’ rule and access the entire reassembled payload.
> 
> I originally thought this could be accomplished through 
> ‘needs[‘payload’]’, but through testing and reviewing the 
> documentation, I’m thinking this is only valid for individual packet payloads.

Depends on the purpose. There is logging-only support for the streaming data, both for TCP data and HTTP body data (after normalization):
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#Streaming-Data

To get access to the stream data similar to the eve 'payload_printable'
from alert output, you'll have to add support for it in the code. I'd be happy to take a PR for that :)

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
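For readers who want to see what the logging-only path Victor points to looks like in practice, here is an added example (not code from the original thread or from the Suricata project) of a "streaming" Lua output script. It accumulates the reassembled TCP data per flow and direction until the stream closes and then writes the whole payload to a file, which is the closest the logging API gets to the alert-side 'payload_printable'. The function names (SCStreamingBuffer, SCFlowTuple, SCLogPath, SCLogInfo) and the `needs` keys are taken from the Lua_Output wiki page linked above; the output directory, the size cap, and the file-naming scheme are assumptions of this example and should be checked against the Suricata version you run.

```lua
-- tcp-stream-dump.lua: added example of a Suricata "streaming" Lua output
-- script. Buffers reassembled TCP data per flow and direction until the
-- stream closes, then writes the whole payload to one file per side.
-- API names follow the Lua_Output wiki page; verify them against your
-- Suricata version.

local MAX_BYTES = 1024 * 1024   -- assumed cap per flow side; tune to taste
local buffers = {}              -- key -> list of data chunks
local sizes = {}                -- key -> bytes buffered so far
local outdir                    -- set in setup()

function init(args)
    local needs = {}
    needs["type"] = "streaming"   -- streaming output, not packet/alert output
    needs["filter"] = "tcp"       -- "http" would deliver normalized body data instead
    return needs
end

function setup(args)
    -- assumed layout: a subdirectory of Suricata's log path; it must exist
    outdir = SCLogPath() .. "/tcp-streams"
    SCLogInfo("writing reassembled TCP streams under " .. outdir)
end

-- Build a per-flow, per-direction key from the flow tuple. IPv6 addresses
-- contain ':' which some filesystems dislike; replace them for the file name.
local function flow_key(to_server)
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    local dir = to_server and "ts" or "tc"
    local key = string.format("%s_%d-%s_%d_%s", srcip, sp, dstip, dp, dir)
    return (key:gsub(":", "."))
end

function log(args)
    -- data: the current chunk; sb_open/sb_close: first/last chunk of the side;
    -- sb_ts/sb_tc: direction flags (to server / to client)
    local data, sb_open, sb_close, sb_ts, sb_tc = SCStreamingBuffer()
    local key = flow_key(sb_ts)

    if sb_open or buffers[key] == nil then
        buffers[key] = {}
        sizes[key] = 0
    end

    -- stop accumulating past the cap rather than growing without bound
    if sizes[key] + #data <= MAX_BYTES then
        table.insert(buffers[key], data)
        sizes[key] = sizes[key] + #data
    end

    if sb_close then
        local fh = io.open(outdir .. "/" .. key .. ".bin", "wb")
        if fh then
            fh:write(table.concat(buffers[key]))
            fh:close()
        else
            SCLogInfo("could not open output file for " .. key)
        end
        buffers[key] = nil
        sizes[key] = nil
    end
end

function deinit(args)
end
```

To load it, enable the `lua` output in suricata.yaml (`outputs:` / `- lua:` with `enabled: yes`, a `scripts-dir`, and the script listed under `scripts:`) and create the `tcp-streams` directory under the log path first, since io.open will not create it. Two caveats a practitioner should keep in mind: the per-side buffer lives in Lua memory until the close flag arrives, so flows that never see sb_close are never flushed and a production script would need to age them out; and this is purely a logging path, so, as Victor says, it does not give a detection-side rule access to the reassembled stream.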