Specifying Detection Criteria in Advanced Detectors
Caution: Advanced custom detectors are complex and require outside knowledge to construct valid .lua files. Incorrectly configured detectors could have a negative impact on performance or detection capability.
Caution: Do not upload .lua files from untrusted sources.
Custom .lua files contain your custom application detector settings. Creating custom .lua files requires advanced knowledge of the Lua programming language and experience with Cisco's C-lua API. Cisco strongly recommends you use the following to prepare .lua files:
- Third-party instruction and reference material for the Lua programming language
- The Open Source Detectors Developers Guide: https://www.snort.org/downloads
- OpenAppID Snort community resources: http://blog.snort.org/search/label/openappid
Note: The system does not support .lua files that reference system calls or file I/O.
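A pre-upload screen for the restriction in the note above, as an added example that is not Cisco's code or part of the original page. It assumes the restricted references are Lua's standard `os` and `io` libraries plus `dofile` and `loadfile`, which the page does not enumerate; `find_forbidden`, `SAMPLE` and the detector names inside it are constructed for illustration.

```python
import re

# Assumption: the page does not list which references count as "system calls
# or file I/O". This check looks for Lua's standard `os` and `io` libraries
# and the file-loading functions dofile/loadfile.
FORBIDDEN = re.compile(r"(?<![\w.:])(?:(io|os)\s*[.\[:]|(dofile|loadfile)\b)")

# Lua text to ignore: block comment, line comment, long string, quoted string.
SKIP = re.compile(
    r"--\[(=*)\[.*?\]\1\]"       # --[[ ... ]] or --[==[ ... ]==]
    r"|--[^\n]*"                 # -- line comment
    r"|\[(=*)\[.*?\]\2\]"        # [[ long string ]]
    r'|"(?:\\.|[^"\\\n])*"'      # "double quoted"
    r"|'(?:\\.|[^'\\\n])*'",     # 'single quoted'
    re.DOTALL,
)

def strip_comments_and_strings(src):
    """Blank comments and string literals but keep newlines, so line numbers hold."""
    return SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def find_forbidden(src):
    """Return (line_number, name) for each os/io/dofile/loadfile reference."""
    hits = []
    for n, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        hits += [(n, m.group(1) or m.group(2)) for m in FORBIDDEN.finditer(line)]
    return hits

# Constructed sample, not a real detector: function and variable names are made up.
SAMPLE = '''\
--[[ header comment mentioning io.open("x") ]]
local pattern = "os.execute is only text here"
function DetectorInit(detectorInstance)
    local stamp = os.time()            -- flagged
    local f = io.open("/tmp/out", "w") -- flagged
    return audio.codec                 -- not flagged: 'audio' is not 'io'
end
dofile("helper.lua")
'''

if __name__ == "__main__":
    for lineno, name in find_forbidden(SAMPLE):
        print(f"line {lineno}: reference to {name}")
```

This is a static screen for reviewing a file before upload, not a sandbox: references reached through aliases such as `_G["io"]` are not caught, so it does not replace reading a detector from a source you do not trust.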
Before you begin
- Begin configuring your custom application protocol detector as described in Configuring Custom Application Detectors.
- Prepare to create a valid .lua file by downloading and studying the .lua files for comparable detectors. For more information about downloading detector files, see Viewing or Downloading Detector Details.
- Create a valid .lua file that contains your custom application detector settings.
Procedure
Step 1: On the Create Detector page for an advanced custom application detector, in the Detection Criteria section, click Add.
Step 2: Click Browse... to navigate to the .lua file and upload it.
Step 3: Click OK.
What to do next
- Continue configuring your custom application protocol detector as described in Configuring Custom Application Detectors. You must save and activate the detector before the system can use it to analyze traffic.