[Oisf-users] LUA Payload Size

Chris Wakelin cwakelin at emergingthreats.net
Fri Nov 9 23:06:27 UTC 2018


I think that's easier (though it may be expensive to run Lua on every
packet).

I think you probably want something like

p = SCPacketPayload()
print("size is " .. #p)

See
https://suricata.readthedocs.io/en/latest/lua/lua-functions.html#scpacketpayload

Best Wishes,
Chris

On 09/11/2018 19:00, Clark Kent wrote:
> That is great, glad I wasn't overlooking something in the documentation.
> Thank you for sharing the code piece.
> 
> Is it possible to do something similar in the case where the protocol is
> not HTTP and just tcp? More specifically in a single stream over tcp.
> 
> On Fri, Nov 9, 2018 at 1:09 PM Chris Wakelin <cwakelin at emergingthreats.net>
> wrote:
> 
>> I usually end up doing something like
>>
>> D = HttpGetResponseBody()
>> d = ""
>> for i = 1, #D, 1 do
>>     d = d .. D[i]
>> end
>>
>> then "#d" would be the response size. But there may be better ways
>> depending; e.g. you might be able to trust a value from a response
>> header, and of course you could just do
>>
>> d = 0
>> for i = 1, #D, 1 do
>>   d = d + #D[i]
>> end
>>
>> if you just need the size.
>>
>> Best Wishes,
>> Chris
>>
>>
>> On 09/11/2018 13:07, Clark Kent wrote:
>>> I tried looking at the available features in the documentation. So I
>>> apologize if this is already answered there and I am just missing it.
>>>
>>> Is there a way to return the payload size when writing a LUA script?
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>>
> 
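
For the plain-TCP case asked about in this thread, a Lua output script built around SCPacketPayload() that logs each packet's payload size and totals it per direction of each TCP connection. This is an added example, not code from the thread or from the Suricata project; the file name payload-size.lua, the `totals` table and the log wording are assumptions, and it counts bytes per packet as seen on the wire (retransmissions included), not the reassembled stream.

```lua
-- payload-size.lua (hypothetical name): Suricata Lua *output* script,
-- enabled through the "lua" entry under "outputs:" in suricata.yaml.

-- Assumption: one running total per directional tuple "src:sp -> dst:dp".
-- The table is never pruned, so it is only suitable for pcap runs or
-- short captures, not for a long-lived sensor.
local totals = {}

function init(args)
    local needs = {}
    needs["type"] = "packet"    -- log() is called once per packet
    return needs
end

function setup(args)
    totals = {}
end

function log(args)
    local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
    -- Non-IP packets give no usable tuple; proto 6 is TCP.
    if proto ~= 6 then
        return
    end

    local p = SCPacketPayload()
    -- Bare ACKs, SYNs and FINs carry no payload; skip them.
    if p == nil or #p == 0 then
        return
    end

    local key = srcip .. ":" .. sp .. " -> " .. dstip .. ":" .. dp
    totals[key] = (totals[key] or 0) + #p
    SCLogInfo(key .. " payload size is " .. #p)
end

function deinit(args)
    for key, bytes in pairs(totals) do
        SCLogInfo(key .. " total payload bytes: " .. bytes)
    end
end
```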

