Project

General

Profile

Actions

Feature #1783

open

Create Suricata buffers to expose L2, L3, and L4 headers to Lua scripts

Added by Nasir Bilal over 8 years ago. Updated almost 6 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
medium
Label:

Description

Currently, the entire packet data is available as an encoded binary of some kind via the "packet" buffer:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting

We'd like to see additional buffers created for the ethernet/L2, IP/L3, and TCP/UDP/L4 headers, maybe something like:
eth.type
eth.src_mac
eth.dst_mac
eth.flags
ip.ver
ip.src
ip.dst
udp.sport
udp.dport
tcp.flags
tcp.seq_num
tcp.ack_num
tcp.win_size
tcp.sport
tcp.dport

OR perhaps it would be more simpler to save buffers as large strings, similar to "payload":
packet.l2_header
packet.l3_header
packet.l4_header

Actions

Also available in: Atom PDF