[Oisf-users] EXTERNAL: Re: Playing with luajit and flowvars...
Edward Fjellskål
edwardfjellskaal at gmail.com
Thu Jun 12 19:42:58 UTC 2014
Isn't that what this does: pcre:"/^(?P<flow_method>GET) /i"; ?
...
needs["flowvar"] = {"method"}
...
On 06/12/2014 03:45 PM, Gofran, Paul wrote:
> E,
>
> I believe you need to call ScFlowvarSet to set the flow variable,
> until then the getter will return nil.
>
> ex:
>
>     local methodValue = "test"
>     ScFlowvarSet(0, methodValue, #methodValue)
>
>
> -Paul
>
>
>
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On
> Behalf Of Edward Fjellskål
> Sent: Wednesday, June 11, 2014 5:36 PM
> To: oisf-users
> Subject: EXTERNAL: Re: [Oisf-users] Playing with luajit and flowvars...
>
> Could anyone confirm if I'm doing it wrong, or if there is something
> wrong?
>
> E
>
> On 05/29/2014 11:37 PM, Edward Fjellskål wrote:
>> --[[
>
>> Rule to trigger the script and hopefully setting the flowvar?
>
>> alert http any any -> any any (msg:"LUAJIT TEST (GET)";
>> flow:established,to_server; content:"GET"; nocase; http_method;
>> pcre:"/^(?P<flow_method>GET) /i"; luajit:luajit-test.lua; rev:1;
>> sid:9900000;)
>
>> But all I see is: "We have no A :("
>
>> What am I doing wrong?
>
>> ]]--
>
>> function init (args)
>>     local needs = {}
>>     needs["flowvar"] = {"method"}
>>     return needs
>> end
>>
>> function match(args)
>>     local a = ScFlowvarGet(0);
>>     local l = io.open("/tmp/luajit-test.log", "a")
>>
>>     if a then
>>         l:write("We have an A: " .. (a) .. "\n")
>>     else
>>         l:write("We have no A :(\n")
>>     end
>>     l:close()
>>     return 0;
>> end
>
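
The getter and setter behaviour described in the quoted reply, as an added example that is not part of the original thread and not the Suricata project's own code. It assumes the flowvar name "method" from the thread; the `store` table and the stand-alone driver at the end are hypothetical stand-ins used only when the script is run outside Suricata.

```lua
-- Added example, not from the thread. Inside Suricata the engine provides
-- ScFlowvarGet/ScFlowvarSet; the stand-ins below are constructed so the
-- same script can also be run under a plain Lua interpreter.
local standalone = (ScFlowvarGet == nil)
if standalone then
    local store = {}  -- hypothetical stand-in for one flow's variables
    function ScFlowvarGet(idx) return store[idx] end
    function ScFlowvarSet(idx, value, len) store[idx] = value:sub(1, len) end
end

function init(args)
    local needs = {}
    -- The index passed to ScFlowvarGet/ScFlowvarSet is the position of
    -- the name in this list, starting at 0.
    needs["flowvar"] = {"method"}
    return needs
end

function match(args)
    local value = ScFlowvarGet(0)
    if value == nil then
        -- Nothing has been stored under this index for the flow yet.
        -- Handle nil explicitly (concatenating it would raise an error),
        -- then store a value so later invocations can read it back.
        value = "GET"  -- constructed sample value
        ScFlowvarSet(0, value, #value)
        return 0       -- no match on the first pass
    end
    -- A value stored earlier in the same flow is visible here.
    return (value == "GET") and 1 or 0
end

if standalone then
    init({})
    print("first call:", match({}))   -- getter returned nil, value stored
    print("second call:", match({}))  -- getter returned the stored value
end
```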