[Oisf-users] Question on Assigning flowvars in Signatures/PCRE
Rasmor, Zachary R
zachary.r.rasmor at lmco.com
Sat Feb 6 19:41:11 UTC 2016
Hi All,
I would like to know a little bit more about how to use 'flowvar' within
signatures. Based on Victor's blog post, I think it's clear to me how to
get/set flowvar values from Lua:
http://blog.inliniac.net/2013/04/18/suricata-lua-scripting-flowvar-access/
But I've seen very little documentation about using them within the
signatures themselves. The blog post seems to indicate that it is possible.
This is what I would like to do:
- In one signature, extract a string using pcre, and set the extracted string to a flowvar. The syntax for doing this is not clear to me.
- In a separate signature, invoke a luajit script to access the flowvar and append it to some output. I think I am clear on this per Victor's blog post.
I realize I could accomplish the first item (extracting/setting the flowvar)
in a lua script, but I wanted to see if it was possible to do it in the
signature, and figured this would be a good opportunity to learn.
Also, I'm happy to update the wiki/documentation once I get this figured
out.
Thanks in advance!
Zach
________________________
Zach Rasmor
Senior Software Engineer
Lockheed Martin CIRT
700 N Frederick Ave | Gaithersburg, MD 20879
Email: zachary.r.rasmor at lmco.com
Office: 301.240.6116
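An added example of the two-signature workflow asked about above; it is not part of the original post or of Suricata's own documentation. It assumes Suricata's named-capture convention for pcre (a capture group named `flow_<name>` stores the match in the flowvar `<name>`), the `lua:` rule keyword (`luajit:` in older releases), and a constructed output path.

```lua
-- Signature 1 captures a substring into the flowvar "user" with pcre.
-- Signature 2 fires only once that flowbit is set and hands the flow to this
-- script, which reads the flowvar and appends it to an output file.
-- Rule lines are shown as comments (assumed syntax, see lead-in):
--
--   alert http any any -> any any (msg:"set user flowvar"; \
--       content:"user="; http_uri; \
--       pcre:"/user=(?P<flow_user>[A-Za-z0-9_]+)/U"; \
--       flowbits:set,user.seen; flowbits:noalert; sid:1000001; rev:1;)
--
--   alert http any any -> any any (msg:"log user from flowvar"; \
--       flowbits:isset,user.seen; lua:flowvar_user.lua; sid:1000002; rev:1;)

-- Constructed path; change to wherever Suricata may write.
local OUTPUT_PATH = "/var/log/suricata/flowvar_user.log"

function init(args)
    local needs = {}
    -- Run the script when HTTP request headers are available.
    needs["http.request_headers"] = tostring(true)
    -- Declare the flowvars this script uses; the list index (0-based)
    -- is what ScFlowvarGet/ScFlowvarSet take as their first argument.
    needs["flowvar"] = { "user" }
    return needs
end

function match(args)
    -- Index 0 refers to "user" as declared in init().
    local user = ScFlowvarGet(0)
    if user == nil then
        -- Signature 1 has not captured anything on this flow yet.
        return 0
    end

    -- Append the captured value to the output file.
    local f = io.open(OUTPUT_PATH, "a")
    if f then
        f:write(user, "\n")
        f:close()
    end
    return 1
end
```

The flowbit keeps the two signatures in order on a flow, so the script only runs after the pcre capture has stored a value.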