<div dir="ltr">So in the init function I have this one key line for the flow var:<div><br></div><div>needs["flowvar"] = {"var"}<br></div><div><br></div><div style>and in the match function, the lines related to the flowvar are:</div>
<div style><br></div><div style>local var = ScFlowvarGet(0)<br></div><div style><div>if(var == nil) then</div><div> </div><div> io.write("\n var was nil \n")</div><div> var = "mew"</div>
<div> </div><div>end</div><div>ScFlowvarSet(0, var, #var)<br></div><div><br></div><div style>and the result I get is the message "var was nil" every time, as if the ScFlowvarSet doesn't do anything for a string.</div><div style>
<br></div><div style><br></div><div style>Vince</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 17, 2013 at 2:37 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 05/17/2013 07:53 PM, Vincent Fang wrote:<br>
> Tested out this feature and was wondering if it's possible for it to<br>
> store a string into the flowvar? I attempted to test that out and kept<br>
> getting nil values from the ScFlowvarGet. The main goal is to find out<br>
> and keep track of not only what portion of the flow the lua script is<br>
> examining but which flow it is for the administrator to see with that<br>
> unique string var.<br>
<br>
</div>That should be possible, ya. Can you share (part of) your script?<br>
<br>
Cheers,<br>
Victor<br>
<div class="im"><br>
> On Tue, Apr 23, 2013 at 6:07 AM, Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a><br>
</div><div><div class="h5">> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>>> wrote:<br>
><br>
> On 04/22/2013 06:05 PM, Victor Julien wrote:<br>
> > On 04/18/2013 06:01 PM, Victor Julien wrote:<br>
> >> Funded by Emerging Threats, I've been working on giving the lua<br>
> scripts<br>
> >> access to flowvars.<br>
> >><br>
> >> Currently only "flowvars" are done, "flowints" will be next. Please<br>
> >> review the code at:<br>
> >> <a href="https://github.com/inliniac/suricata/tree/dev-lua-flowvar" target="_blank">https://github.com/inliniac/suricata/tree/dev-lua-flowvar</a><br>
> >><br>
> >> Pcre based flowvar capturing is done in a post-match fashion. If the<br>
> >> rule containing the "capture" matches, the var is stored in the flow.<br>
> >><br>
> >> For lua scripting, this wasn't what the rule writers wanted. In this<br>
> >> case, the flowvars are stored in the flow regardless of a rule match.<br>
> >><br>
> >> The way a script can start using flowvars is by first registering<br>
> which<br>
> >> one it needs access to:<br>
> >><br>
> >> function init (args)<br>
> >> local needs = {}<br>
> >> needs["http.request_headers.raw"] = tostring(true)<br>
> >> needs["flowvar"] = {"cnt"}<br>
> >> return needs<br>
> >> end<br>
> >><br>
> >> More than one can be registered, e.g.:<br>
> >><br>
> >> needs["flowvar"] = {"cnt", "somevar", "anothervar" }<br>
> >><br>
> >> The maximum is 15 per script. The order of the vars matters. As<br>
> Suricata<br>
> >> uses id's internally, to use the vars you have to use id's as<br>
> well. The<br>
> >> first registered var has id 0, 2nd 1 and so on:<br>
> >><br>
> >> function match(args)<br>
> >> a = ScFlowvarGet(0);<br>
> >> if a then<br>
> >> print ("We have an A: " .. (a))<br>
> >> a = tostring(tonumber(a)+1)<br>
> >> print ("A incremented to: " .. (a))<br>
> >> ScFlowvarSet(0, a, #a)<br>
> >> else<br>
> >> print "Init A to 1"<br>
> >> a = tostring(1)<br>
> >> ScFlowvarSet(0, a, #a)<br>
> >> end<br>
> >><br>
> >> print ("A is " .. (a))<br>
> >> if tonumber(a) == 23 then<br>
> >> print "Match!"<br>
> >> return 1<br>
> >> end<br>
> >><br>
> >> return 0<br>
> >> end<br>
> >><br>
> >> You can also use a var:<br>
> >><br>
> >> function init (args)<br>
> >> local needs = {}<br>
> >> needs["http.request_headers.raw"] = tostring(true)<br>
> >> needs["flowvar"] = {"blah", "cnt"}<br>
> >> return needs<br>
> >> end<br>
> >><br>
> >> local var_cnt = 1<br>
> >><br>
> >> function match(args)<br>
> >> a = ScFlowvarGet(var_cnt);<br>
> >> if a then<br>
> >> print ("We have an A: " .. (a))<br>
> >> a = tostring(tonumber(a)+1)<br>
> >> print ("A incremented to: " .. (a))<br>
> >> ScFlowvarSet(var_cnt, a, #a)<br>
> >> else<br>
> >> print "Init A to 1"<br>
> >> a = tostring(1)<br>
> >> ScFlowvarSet(var_cnt, a, #a)<br>
> >> end<br>
> >><br>
> >> print ("A is " .. (a))<br>
> >> if tonumber(a) == 23 then<br>
> >> print "Match!"<br>
> >> return 1<br>
> >> end<br>
> >><br>
> >> return 0<br>
> >> end<br>
> >><br>
> >> Flowvars are set at the end of the rule's inspection, so after the<br>
> >> script has run.<br>
> >><br>
> >> When multiple stores are done from the script and/or pcre, the last<br>
> >> match will win. So if order matters, rule priority can be used to<br>
> >> control inspection order.<br>
> >><br>
> >> Thoughts, comments, and code review highly welcomed.<br>
> >><br>
> ><br>
> > Updated branch:<br>
> > <a href="https://github.com/inliniac/suricata/tree/dev-lua-flowvar-v1.1" target="_blank">https://github.com/inliniac/suricata/tree/dev-lua-flowvar-v1.1</a><br>
> ><br>
> > - Adds flowint support:<br>
> ><br>
> > function init (args)<br>
> > local needs = {}<br>
> > needs["http.request_headers"] = tostring(true)<br>
> > needs["flowint"] = {"cnt"}<br>
> > return needs<br>
> > end<br>
> ><br>
> > function match(args)<br>
> > a = ScFlowintGet(0);<br>
> > if a then<br>
> > ScFlowintSet(0, a + 1)<br>
> > else<br>
> > ScFlowintSet(0, 1)<br>
> > end<br>
> ><br>
> > a = ScFlowintGet(0);<br>
> > if a == 23 then<br>
> > return 1<br>
> > end<br>
> ><br>
> > return 0<br>
> > end<br>
> ><br>
> > return 0<br>
> ><br>
> > Sets are real time, so are done regardless of script match or rule<br>
> match.<br>
> ><br>
> > - Converts flowvar sets to real time, to fix some var overwrite issues<br>
> > in HTTP header inspection.<br>
> ><br>
><br>
> <a href="https://github.com/inliniac/suricata/tree/dev-lua-flowvar-v1.2" target="_blank">https://github.com/inliniac/suricata/tree/dev-lua-flowvar-v1.2</a><br>
><br>
> Adds in ScFlowintIncr & ScFlowintDecr. From the commit:<br>
><br>
> "Add flowint lua functions for incrementing and decrementing flowints.<br>
><br>
> First use creates the var and inits to 0. So a call:<br>
><br>
> a = ScFlowintIncr(0)<br>
><br>
> Results in a == 1.<br>
><br>
> If the var reached UINT_MAX (2^32), it's not further incremented. If the<br>
> var reaches 0 it's not decremented further.<br>
><br>
> Calling ScFlowintDecr on an uninitialized var will init it to 0.<br>
><br>
> Example script:<br>
><br>
> function init (args)<br>
> local needs = {}<br>
> needs["http.request_headers"] = tostring(true)<br>
> needs["flowint"] = {"cnt_incr"}<br>
> return needs<br>
> end<br>
><br>
> function match(args)<br>
> a = ScFlowintIncr(0);<br>
> if a == 23 then<br>
> return 1<br>
> end<br>
><br>
> return 0<br>
> end<br>
> return 0<br>
><br>
> This script matches the 23rd time it's invoked on a flow."<br>
><br>
> --<br>
> ---------------------------------------------<br>
> Victor Julien<br>
> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> ---------------------------------------------<br>
><br>
</div></div>
<div class="im HOEnZb">> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate:<br>
> <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
> List:<br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
> Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
><br>
><br>
<br>
<br>
</div><div class="HOEnZb"><div class="h5">--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</div></div></blockquote></div><br></div>
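The thread describes the flowvar/flowint API (ids assigned by registration order in init(), ScFlowvarGet/Set taking a string and its length, ScFlowintIncr creating the var at 0 and saturating) but gives no way to try a script outside a running sensor. Below is an added example, not code from the thread or from Suricata: a small stand-in for the Sc* functions with a per-flow store so the script can be exercised with a plain `lua` interpreter, including a string tag kept per flow. The per-flow store, the "current flow" switch, the driver and the "flow-N" label are constructed; sets apply immediately, matching the "real time" behaviour described for the v1.1 branch.

```lua
-- Added example, not code from the thread or from Suricata. A stand-in for
-- the Sc* flowvar/flowint functions named in the thread, so a script can be
-- exercised with a plain `lua` interpreter before it is loaded into Suricata.
-- The per-flow store, the "current flow" switch and the driver are constructed.
local flows = {}   -- flow key -> {vars = {}, ints = {}}
local cur          -- key of the flow the "current packet" belongs to
-- Ids are positions in the init() registration list, starting at 0.
function ScFlowvarGet(id)         return flows[cur].vars[id] end
function ScFlowvarSet(id, v, len) flows[cur].vars[id] = string.sub(v, 1, len) end
function ScFlowintGet(id)         return flows[cur].ints[id] end
function ScFlowintSet(id, v)      flows[cur].ints[id] = v end
function ScFlowintIncr(id)        -- first use creates the var at 0, then +1
  local v = flows[cur].ints[id] or 0
  if v < 4294967295 then v = v + 1 end   -- saturates rather than wrapping
  flows[cur].ints[id] = v
  return v
end

-- Script under test: flowvar id 0 is the string "tag", flowint id 0 is "cnt".
local seen = 0   -- script-local state, like `local var_cnt = 1` in the thread

function init(args)
  local needs = {}
  needs["http.request_headers"] = tostring(true)
  needs["flowvar"] = {"tag"}
  needs["flowint"] = {"cnt"}
  return needs
end

function match(args)
  local tag = ScFlowvarGet(0)
  if tag == nil then               -- first packet of this flow: label it
    seen = seen + 1
    tag = "flow-" .. seen          -- constructed label an admin can grep for
    ScFlowvarSet(0, tag, #tag)
  end
  if ScFlowintIncr(0) == 3 then return 1 end   -- alert on the 3rd invocation
  return 0
end

-- Driver: two flows with interleaved packets; state must not leak between them.
local function run(flow_key)
  cur = flow_key
  flows[cur] = flows[cur] or {vars = {}, ints = {}}
  local hit = match({})
  return ScFlowvarGet(0), ScFlowintGet(0), hit
end
for _, f in ipairs({"A", "B", "A", "A", "B", "B"}) do
  print(string.format("flow %s -> tag=%s cnt=%d match=%d", f, run(f)))
end
```

Running it prints flow A keeping tag "flow-1" and flow B keeping "flow-2" across the interleaved packets, with match=1 on each flow's third invocation.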