[Oisf-devel] RFC: lua scripting flowvar access
Victor Julien
victor at inliniac.net
Fri Apr 19 14:55:07 UTC 2013
On 04/19/2013 04:40 PM, Eric Leblond wrote:
>> The way a script can start using flowvars is by first registering which
>> > one it needs access to:
>> >
>> > function init (args)
>> >     local needs = {}
>> >     needs["http.request_headers.raw"] = tostring(true)
>> >     needs["flowvar"] = {"cnt"}
>> >     return needs
>> > end
>> >
>> > More than one can be registered, e.g.:
>> >
>> > needs["flowvar"] = {"cnt", "somevar", "anothervar" }
>> >
>> > The maximum is 15 per script. The order of the vars matters. As Suricata
>> > uses ids internally, to use the vars you have to use ids as well.
> Newbie mode: That's not very convenient. Why can't we translate the index
> value back to the key name? Lua seems to support tables
> (http://www.lua.org/pil/2.5.html), so it should be possible to build an
> associative array with "name"->idx inside Lua?
We could just accept the name, but that would come at the cost of doing
the name->idx conversion for each invocation.
Not sure how we could pass back a table in a useful manner. Do you have
ideas on this?
>> > The
>> > first registered var has id 0, 2nd 1 and so on:
>> >
>> > function match(args)
>> >     a = ScFlowvarGet(0);
>> >     if a then
>> >         print ("We have an A: " .. (a))
>> >         a = tostring(tonumber(a)+1)
>> >         print ("A incremented to: " .. (a))
>> >         ScFlowvarSet(0, a, #a)
>> >     else
>> >         print "Init A to 1"
>> >         a = tostring(1)
>> >         ScFlowvarSet(0, a, #a)
>> >     end
>> >
>> >     print ("A is " .. (a))
>> >     if tonumber(a) == 23 then
>> >         print "Match!"
>> >         return 1
>> >     end
>> >
>> >     return 0
>> > end
>> >
>> > You can also use a var:
> I don't understand the following example. Yes, we use the var_cnt
> variable, but what does it change from the first one?
It's really only giving a name to the var id. So instead of "13" you use
"some_descriptive_var_name".
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
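
Added example, not part of the original message or of Suricata's own code: one way to get the name->idx mapping discussed above inside the script itself, by deriving the ids from the same ordered list that is passed to `needs["flowvar"]`, so the names and ids cannot drift apart. It assumes `ScFlowvarGet`/`ScFlowvarSet` behave as described in this RFC; `FLOWVARS`, `id`, `standalone` and the stand-in functions are hypothetical names introduced for illustration.

```lua
-- Added example, not from the original thread or from Suricata.
-- One ordered list: position decides the id (first registered var = 0).
local FLOWVARS = { "cnt", "somevar", "anothervar" }   -- hypothetical names
local MAX_FLOWVARS = 15                               -- per-script limit from the RFC

-- Build name -> id once, at script load, from the list init() registers.
assert(#FLOWVARS <= MAX_FLOWVARS, "more than 15 flowvars registered")
local id = {}
for i, name in ipairs(FLOWVARS) do
    assert(id[name] == nil, "duplicate flowvar name: " .. name)
    id[name] = i - 1      -- Lua arrays are 1-based, flowvar ids are 0-based
end

-- Constructed stand-ins so the file also runs under a plain Lua interpreter;
-- they are only defined when the ScFlowvar* functions are absent.
local standalone = (ScFlowvarGet == nil)
if standalone then
    local store = {}
    function ScFlowvarGet(idx) return store[idx] end
    function ScFlowvarSet(idx, value, len) store[idx] = value:sub(1, len) end
end

function init(args)
    local needs = {}
    needs["http.request_headers.raw"] = tostring(true)
    needs["flowvar"] = FLOWVARS
    return needs
end

function match(args)
    -- A missing or non-numeric value counts as 0 instead of raising an error.
    local raw = ScFlowvarGet(id.cnt)
    local n = (tonumber(raw) or 0) + 1
    local a = tostring(n)
    ScFlowvarSet(id.cnt, a, #a)
    if n == 23 then
        return 1
    end
    return 0
end

if standalone then
    -- Same behaviour as the RFC's counter: only the 23rd call matches.
    for call = 1, 23 do
        assert(match({}) == (call == 23 and 1 or 0))
    end
    assert(ScFlowvarGet(id.cnt) == "23" and id.anothervar == 2)
end
```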