[Snort-devel] SnortSP: Writing an analyzer in Lua

Tako Chanz tako_chanz at ...445...
Mon Jul 4 19:48:08 EDT 2011

Hi Martin,

Got sometime to draft some outline for me?? I really need your help to move forward.


Date: Tue, 28 Jun 2011 13:39:37 -0400
Subject: Re: [Snort-devel] SnortSP: Writing an analyzer in Lua
From: roesch at ...402...
To: tako_chanz at ...445...
CC: snort-devel at lists.sourceforge.net

Hi Tako,
I'm in meetings all day but I'll try to answer your question ASAP.

On Mon, Jun 27, 2011 at 8:33 PM, Tako Chanz <tako_chanz at ...445...> wrote:

Hi all,

Maybe I'm double posting but I saw two dev mailing list and I really need some guidance.

After studied the snort.lua and snort_funcs.lua, I'm still stuck on
how a packet passed to lua's callback function.

Is there any doc describing the params for the function: lua_analyzer
(buf, offset, proto, dport)?
It seems that the lua_analyzer is dealing packet above the IP layer.
Is it possible to inspect the link or network layer using Lua?

My goals:
- Using Lua to write an analyzer and inspect any layer(ether, IP, tcp/
- Drop packets base on some simple matching condition
I really need some directions or docs from you all.

Thanks in advance,


All of the data generated in your IT infrastructure is seriously valuable.

Why? It contains a definitive record of application performance, security

threats, fraudulent activity, and more. Splunk takes this data and makes

sense of it. IT sense. And common sense.


Snort-devel mailing list

Snort-devel at lists.sourceforge.net


Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com

Snort: Open Source IDP - http://www.snort.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110704/5c7e6275/attachment.html>

More information about the Snort-devel mailing list