[Oisf-users] EXTERNAL: Re: Playing with luajit and flowvars...
Gofran, Paul
paul.gofran at lmco.com
Thu Jun 12 13:45:42 UTC 2014
E,
I believe you need to call ScFlowvarSet to set the flow variable, until then the getter will return nil.
ex:
local methodValue = "test"
ScFlowvarSet(0, methodValue, # methodValue)
-Paul
-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Edward Fjellskål
Sent: Wednesday, June 11, 2014 5:36 PM
To: oisf-users
Subject: EXTERNAL: Re: [Oisf-users] Playing with luajit and flowvars...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Could anyone confirm if Im doing it wrong, or if there is something wrong?
E
On 05/29/2014 11:37 PM, Edward Fjellskål wrote:
> --[[
>
> Rule to trigger the script and hopefully setting the flowvar?
>
> alert http any any -> any any (msg:"LUAJIT TEST (GET)";
> flow:established,to_server; content:"GET"; nocase; http_method;
> pcre:"/^(?P<flow_method>GET) /i"; luajit:luajit-test.lua; rev:1;
> sid:9900000;)
>
> But all I see is: "We have no A :("
>
> What Im I doing wrong?
>
> ]]--
>
> function init (args) local needs = {} needs["flowvar"] = {"method"}
> return needs end
>
> function match(args) local a = ScFlowvarGet(0); local l =
> io.open("/tmp/luajit-test.log", "a")
>
> if a then l:write("We have an A: " .. (a) .. "\n") else l:write("We
> have no A :(\n") end l:close() return 0; end
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBAgAGBQJTmMu8AAoJEAf3kNGaI009BM0H/Rvl7R9j4fqVfamKNWLFRs0D
t1m+PEdg/Ti7nWmyMQW6oEOITdXpopOqz3jcRBP+gUWlaqbR8JtsJWlq57Vx4Zc3
HpYql7rA0Bdo6ovHjxAE5jnrFcHjWIrOAB4xRQBzUBhoD0AsT+bD6jG4ENxpsRHN
B88Ls1RahkkfsktUKqmyr5MsDQfbmuluc9gnfJkQKiwlPisattMeAQ5hbKOjpHaO
sKoGP8gvt5zyntaRbutA/kjJ3Hz9VqG57vysPsmWl+igsSb9kUWPibPspEvBt+qD
7pDJUMPh/9WJ/gu8iAqcuwI6qB7XmbztThTOEJvJ8B5GxDBucqqugte3YTSGUyE=
=ozBp
-----END PGP SIGNATURE-----
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
More information about the Oisf-users
mailing list