[Oisf-devel] RFC: lua scripting flowvar access
Eric Leblond
eric at regit.org
Fri Apr 19 14:40:14 UTC 2013
Hi,
On Thu, 2013-04-18 at 18:01 +0200, Victor Julien wrote:
> Funded by Emerging Threats, I've been working on giving the lua scripts
> access to flowvars.
Excellent initiative. That's a promising feature :)
> Currently only "flowvars" are done, "flowints" will be next. Please
> review the code at:
> https://github.com/inliniac/suricata/tree/dev-lua-flowvar
>
> Pcre based flowvar capturing is done in a post-match fashion. If the
> rule containing the "capture" matches, the var is stored in the flow.
>
> For lua scripting, this wasn't what the rule writers wanted. In this
> case, the flowvars are stored in the flow regardless of a rule match.
>
> The way a script can start using flowvars is by first registering which
> one it needs access to:
>
> function init (args)
>     local needs = {}
>     needs["http.request_headers.raw"] = tostring(true)
>     needs["flowvar"] = {"cnt"}
>     return needs
> end
>
> More than one can be registered, e.g.:
>
> needs["flowvar"] = {"cnt", "somevar", "anothervar" }
>
> The maximum is 15 per script. The order of the vars matters. As Suricata
> uses id's internally, to use the vars you have to use id's as well.
Newbie mode: That's not very convenient. Why can't we translate the index
value back to the key name? Lua seems to support tables
(http://www.lua.org/pil/2.5.html), so it should be possible to build an
associative array with "name"->idx inside Lua?
> The
> first registered var has id 0, 2nd 1 and so on:
>
> function match(args)
>     a = ScFlowvarGet(0);
>     if a then
>         print ("We have an A: " .. (a))
>         a = tostring(tonumber(a)+1)
>         print ("A incremented to: " .. (a))
>         ScFlowvarSet(0, a, #a)
>     else
>         print "Init A to 1"
>         a = tostring(1)
>         ScFlowvarSet(0, a, #a)
>     end
>
>     print ("A is " .. (a))
>     if tonumber(a) == 23 then
>         print "Match!"
>         return 1
>     end
>
>     return 0
> end
>
> You can also use a var:
I don't understand the following example. Yes, we use the var_cnt
variable, but what does it change from the first one?
> function init (args)
>     local needs = {}
>     needs["http.request_headers.raw"] = tostring(true)
>     needs["flowvar"] = {"blah", "cnt"}
>     return needs
> end
>
> local var_cnt = 1
>
> function match(args)
>     a = ScFlowvarGet(var_cnt);
>     if a then
>         print ("We have an A: " .. (a))
>         a = tostring(tonumber(a)+1)
>         print ("A incremented to: " .. (a))
>         ScFlowvarSet(var_cnt, a, #a)
>     else
>         print "Init A to 1"
>         a = tostring(1)
>         ScFlowvarSet(var_cnt, a, #a)
>     end
>
>     print ("A is " .. (a))
>     if tonumber(a) == 23 then
>         print "Match!"
>         return 1
>     end
>
>     return 0
> end
BR,
--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
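The name-to-id table Eric asks about, written out as an added example script (not code from Victor's dev-lua-flowvar branch). It assumes only what the quoted mail states: ScFlowvarGet(id) and ScFlowvarSet(id, value, len) exist, and ids follow registration order starting at 0; the fv_get/fv_set wrappers and the flowvar_id table are the example's own names.

```lua
-- Added example: address flowvars by name instead of by numeric id.
-- Assumes ScFlowvarGet(id) / ScFlowvarSet(id, value, len) as described
-- in the quoted mail: first registered var is id 0, second is id 1, ...

-- Registration order is the single source of truth for the ids.
local FLOWVARS = {"cnt", "somevar", "anothervar"}

-- Build the reverse map once, when the script is loaded.
local flowvar_id = {}
for idx, name in ipairs(FLOWVARS) do
    flowvar_id[name] = idx - 1   -- Lua tables are 1-based, Suricata ids 0-based
end

function init(args)
    local needs = {}
    needs["http.request_headers.raw"] = tostring(true)
    needs["flowvar"] = FLOWVARS   -- same table, so ids cannot drift
    return needs
end

-- Fail loudly on a name that was never registered: silently hitting the
-- wrong slot is the bug the id scheme makes easy to write.
local function resolve(name)
    local id = flowvar_id[name]
    assert(id ~= nil, "flowvar not registered in init(): " .. tostring(name))
    return id
end

local function fv_get(name)
    return ScFlowvarGet(resolve(name))
end

local function fv_set(name, value)
    value = tostring(value)           -- flowvars are stored as strings
    ScFlowvarSet(resolve(name), value, #value)
end

-- Same per-flow counter as the quoted example, addressed by name.
function match(args)
    local raw = fv_get("cnt")         -- nil on the first packet of a flow
    local cnt = (raw and tonumber(raw)) or 0
    cnt = cnt + 1
    fv_set("cnt", cnt)
    if cnt == 23 then
        return 1
    end
    return 0
end
```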