[Oisf-users] Playing with luajit and flowvars...
Victor Julien
lists at inliniac.net
Fri Jun 13 08:32:15 UTC 2014
On 05/29/2014 11:37 PM, Edward Fjellskål wrote:
> --[[
>
> Rule to trigger the script and hopefully setting the flowvar?
>
> alert http any any -> any any (msg:"LUAJIT TEST (GET)";
> flow:established,to_server; content:"GET"; nocase; http_method;
> pcre:"/^(?P<flow_method>GET) /i"; luajit:luajit-test.lua; rev:1;
> sid:9900000;)
>
> But all I see is: "We have no A :("
>
> What am I doing wrong?
>
> ]]--
>
> function init (args)
>     local needs = {}
>     needs["flowvar"] = {"method"}
>     return needs
> end
You need to tell the script what it is inspecting I think, e.g.:
needs["http.response_body"] = tostring(true)
or
needs["http.request_headers"] = tostring(true)
In this case perhaps:
needs["payload"] = tostring(true)
The reason this is needed is that this tells Suricata where in the
detection process to inject the script.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
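
A complete script with both declarations, as an added example that is not from the original thread: `init` requests the `payload` buffer alongside the flowvar, and `match` reads both. It uses `ScFlowvarGet` from Suricata's Lua API; the comparison in `match` is illustrative, and whether the pcre capture is already stored when the script runs is an open question this thread does not settle.

```lua
-- luajit-test.lua (added example; not the script from the original post)

function init (args)
    local needs = {}
    -- Buffer request: tells Suricata at which inspection stage to run
    -- match() and which buffer to hand over in args.
    needs["payload"] = tostring(true)
    -- Flowvar request: index 0 in ScFlowvarGet() is the first name listed.
    needs["flowvar"] = {"method"}
    return needs
end

function match (args)
    -- The requested buffer arrives under the same key used in init().
    local payload = args["payload"]
    if payload == nil then
        return 0
    end

    -- Flowvars are addressed by position in needs["flowvar"], not by name.
    local method = ScFlowvarGet(0)
    if method == nil then
        -- Not set on this flow (yet): report no match instead of failing.
        return 0
    end

    -- Illustrative check: match only when the payload starts with the
    -- stored method, compared case-insensitively.
    local prefix = tostring(payload):sub(1, #method)
    if string.upper(prefix) == string.upper(method) then
        return 1
    end
    return 0
end

return 0
```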