[Oisf-users] EXTERNAL: Re: Playing with luajit and flowvars...

Edward Fjellskål edwardfjellskaal at gmail.com
Thu Jun 12 19:42:58 UTC 2014


Isn't that what this does: pcre:"/^(?P<flow_method>GET) /i"; ?

...
needs["flowvar"] = {"method"}
...



On 06/12/2014 03:45 PM, Gofran, Paul wrote:
> E,
> 
> I believe you need to call ScFlowvarSet to set the flow variable,
> until then the getter will return nil.
> 
> ex:
>     local methodValue = "test"
>     ScFlowvarSet(0, methodValue, #methodValue)
> 
> 
> -Paul
> 
> 
> 
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On
> Behalf Of Edward Fjellskål
> Sent: Wednesday, June 11, 2014 5:36 PM
> To: oisf-users
> Subject: EXTERNAL: Re: [Oisf-users] Playing with luajit and flowvars...
> 
> Could anyone confirm if I'm doing it wrong, or if there is something
> wrong?
> 
> E
> 
> On 05/29/2014 11:37 PM, Edward Fjellskål wrote:
>> --[[
> 
>> Rule to trigger the script and hopefully setting the flowvar?
> 
>> alert http any any -> any any (msg:"LUAJIT TEST (GET)"; 
>> flow:established,to_server; content:"GET"; nocase; http_method; 
>> pcre:"/^(?P<flow_method>GET) /i"; luajit:luajit-test.lua; rev:1; 
>> sid:9900000;)
> 
>> But all I see is: "We have no A :("
> 
>> What am I doing wrong?
> 
>> ]]--
> 
>> function init (args)
>>     local needs = {}
>>     needs["flowvar"] = {"method"}
>>     return needs
>> end
>
>> function match(args)
>>     local a = ScFlowvarGet(0);
>>     local l = io.open("/tmp/luajit-test.log", "a")
>>     if a then
>>         l:write("We have an A: " .. (a) .. "\n")
>>     else
>>         l:write("We have no A :(\n")
>>     end
>>     l:close()
>>     return 0;
>> end
> 

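The get-then-set pattern from Paul's reply, as an added example that is not code from the thread or from the Suricata project: the script reads flowvar slot 0 and, while the getter still returns nil, stores a value from Lua with ScFlowvarSet. The flowvar name "method" comes from the thread; the use of the `http.request_line` buffer, the return-value convention chosen here and the sample request line are assumptions of this example.

```lua
-- Added example (not from the thread): read flowvar slot 0, set it when empty.

function init(args)
    local needs = {}
    -- Assumption: this example parses the request line to find the method.
    needs["http.request_line"] = tostring(true)
    -- Slot 0 in ScFlowvarGet/ScFlowvarSet refers to the first name listed here.
    needs["flowvar"] = {"method"}
    return needs
end

function match(args)
    local current = ScFlowvarGet(0)
    if current then
        -- A previous call on this flow already stored a value: report a match.
        return 1
    end

    -- Getter returned nil: derive the method and store it for later calls.
    local line = args["http.request_line"]
    if not line then
        return 0
    end
    local method = line:match("^(%u+) ")
    if method then
        -- Third argument is the length of the value in bytes.
        ScFlowvarSet(0, method, #method)
    end
    return 0
end

-- Offline self-check. The global `arg` exists only under the standalone
-- lua/luajit command-line interpreter, so Suricata skips this block.
if arg then
    local store = {}  -- stand-in for the per-flow variable storage
    function ScFlowvarGet(idx) return store[idx] end
    function ScFlowvarSet(idx, value, len) store[idx] = value:sub(1, len) end

    -- Constructed sample input, not captured traffic.
    local sample = { ["http.request_line"] = "GET /index.html HTTP/1.1" }
    assert(match(sample) == 0)        -- first call: nothing stored yet
    assert(ScFlowvarGet(0) == "GET")  -- value was stored by the first call
    assert(match(sample) == 1)        -- second call: getter returns the value
end
```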