[Snort-devel] SnortSP: Writing an analyzer in Lua

Martin Roesch roesch at ...402...
Tue Jun 28 13:39:37 EDT 2011


Hi Tako,

I'm in meetings all day but I'll try to answer your question ASAP.


On Mon, Jun 27, 2011 at 8:33 PM, Tako Chanz <tako_chanz at ...445...> wrote:

>  Hi all,
>
> Maybe I'm double posting but I saw two dev mailing lists and I really need
> some guidance.
>
>
> After studying snort.lua and snort_funcs.lua, I'm still stuck on
> how a packet is passed to Lua's callback function.
>
> Is there any doc describing the params for the function: lua_analyzer
> (buf, offset, proto, dport)?
>
> It seems that the lua_analyzer is dealing with packets above the IP layer.
> Is it possible to inspect the link or network layer using Lua?
>
> My goals:
>
> - Using Lua to write an analyzer and inspect any layer (ether, IP, tcp/udp).
> - Drop packets based on some simple matching condition
>
> I really need some directions or docs from you all.
>
>
> Thanks in advance,
> Tako


-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org