[Oisf-users] EXTERNAL: Re: Playing with luajit and flowvars...

Gofran, Paul paul.gofran at lmco.com
Thu Jun 12 13:45:42 UTC 2014


E,

I believe you need to call ScFlowvarSet to set the flow variable; until then the getter will return nil.

ex:
local methodValue = "test"
ScFlowvarSet(0, methodValue, # methodValue)


-Paul



-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Edward Fjellskål
Sent: Wednesday, June 11, 2014 5:36 PM
To: oisf-users
Subject: EXTERNAL: Re: [Oisf-users] Playing with luajit and flowvars...

Could anyone confirm if I'm doing it wrong, or if there is something wrong?

E

On 05/29/2014 11:37 PM, Edward Fjellskål wrote:
> --[[
> 
> Rule to trigger the script and hopefully setting the flowvar?
> 
> alert http any any -> any any (msg:"LUAJIT TEST (GET)"; 
> flow:established,to_server; content:"GET"; nocase; http_method;
> pcre:"/^(?P<flow_method>GET) /i"; luajit:luajit-test.lua; rev:1;
> sid:9900000;)
> 
> But all I see is: "We have no A :("
> 
> What am I doing wrong?
> 
> ]]--
> 
> function init (args)
>     local needs = {}
>     needs["flowvar"] = {"method"}
>     return needs
> end
> 
> function match(args)
>     local a = ScFlowvarGet(0);
>     local l = io.open("/tmp/luajit-test.log", "a")
> 
>     if a then
>         l:write("We have an A: " .. (a) .. "\n")
>     else
>         l:write("We have no A :(\n")
>     end
>     l:close()
>     return 0;
> end
> 
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
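
The set-before-get behaviour described in the reply, as an added example (not code from either poster or from the Suricata project): the first call to match() finds no value and stores one with ScFlowvarSet, and a later call on the same flow reads it back. The stub functions and the standalone flag are assumptions so the file also runs under a plain Lua interpreter; inside Suricata the engine supplies ScFlowvarGet and ScFlowvarSet.

```lua
-- Constructed stand-ins: only defined when the script is run outside
-- Suricata, so the set/get sequence can be checked offline.
local standalone = (ScFlowvarSet == nil)
if standalone then
    local store = {}                        -- stand-in for per-flow storage
    function ScFlowvarSet(idx, value, len)
        store[idx] = value:sub(1, len)
    end
    function ScFlowvarGet(idx)
        return store[idx]
    end
end

function init(args)
    local needs = {}
    needs["flowvar"] = {"method"}           -- index 0 refers to "method"
    return needs
end

function match(args)
    local a = ScFlowvarGet(0)
    if a == nil then
        -- Nothing stored under index 0 yet: set it, as in the reply above.
        local methodValue = "test"
        ScFlowvarSet(0, methodValue, #methodValue)
        return 0
    end
    -- A later call on the same flow sees the stored value.
    if a == "test" then
        return 1
    end
    return 0
end

-- Offline walk-through, skipped when Suricata loads the script.
if standalone then
    init({})
    print("first call:  " .. match({}))
    print("second call: " .. match({}))
end
```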