[Snort-devel] SnortSP: Writing an analyzer in Lua

Tako Chanz tako_chanz at ...445...
Mon Jul 4 19:48:08 EDT 2011


Hi Martin,

Got some time to draft some outline for me? I really need your help to move forward.


Thanks,
Tako

Date: Tue, 28 Jun 2011 13:39:37 -0400
Subject: Re: [Snort-devel] SnortSP: Writing an analyzer in Lua
From: roesch at ...402...
To: tako_chanz at ...445...
CC: snort-devel at lists.sourceforge.net

Hi Tako,
I'm in meetings all day but I'll try to answer your question ASAP.

On Mon, Jun 27, 2011 at 8:33 PM, Tako Chanz <tako_chanz at ...445...> wrote:

Hi all,

Maybe I'm double posting but I saw two dev mailing lists and I really need some guidance.

After studying snort.lua and snort_funcs.lua, I'm still stuck on
how a packet is passed to Lua's callback function.

Is there any doc describing the params for the function: lua_analyzer
(buf, offset, proto, dport)?

It seems that the lua_analyzer is dealing with packets above the IP layer.
Is it possible to inspect the link or network layer using Lua?

 
My goals:

- Using Lua to write an analyzer and inspect any layer (ether, IP, tcp/udp).
- Drop packets based on some simple matching condition
 
I really need some directions or docs from you all.

 
 
Thanks in advance,
Tako 		 	   		  

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com

Snort: Open Source IDP - http://www.snort.org

 		 	   		  