[Oisf-users] Question on Assigning flowvars in Signatures/PCRE
Victor Julien
lists at inliniac.net
Mon Mar 7 13:17:36 UTC 2016
Hi Zach,
On 06-02-16 20:41, Rasmor, Zachary R wrote:
> I would like to know a little bit more about how to use ‘flowvar’ within
> signatures. Based on Victor’s blog post, I think it’s clear to me how to
> get/set flowvar values from Lua:
>
> http://blog.inliniac.net/2013/04/18/suricata-lua-scripting-flowvar-access/
>
> But I’ve seen very little documentation about using them within the
> signatures themselves. The blog post seems to indicate that it is possible.
>
> This is what I would like to do:
>
> - In one signature, extract a string using pcre, and set the
> extracted string to a flowvar – The syntax for doing this is not clear to me
This rule:
alert http any any -> any any (content:"User-Agent: "; http_header;
pcre:"/(?P<flow_ua>.*)\r\n/HR"; sid:1;)
will capture the content of the User-Agent header into a flow var called
'ua'. If you want to store something into a pkt var, then the pcre
portion would be: pcre:"/(?P<pkt_ua>.*)\r\n/HR";
flowvars remain part of the flow so that other packets can access them
too. pktvar is just valid in the context of a single packet.
> - In a separate signature, invoke a luajit script to access the
> flowvar and append it to some output – I think I am clear on this per
> Victor’s blog post
>
> I realize I could accomplish the first item (extracting/setting the
> flowvar) in a lua script, but I wanted to see if it was possible to do
> it in the signature, and figured this would be a good opportunity to learn.
Using pcre it's probably more efficient, but it might be worth doing
some tests to confirm that.
> Also, I’m happy to update the wiki/documentation once I get this figured
> out.
Appreciate that!
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
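As an added example (not part of the original thread and not code from the Suricata project), the two-rule setup Zach describes, written against the Lua flowvar API from the blog post linked above: the first rule captures the User-Agent with pcre into flowvar 'ua', the second invokes a script that reads it and appends it to a log. The script and rule file names, sid values, msg strings and the log path are assumptions; only the pcre capture syntax is taken from the reply above.

```lua
-- read_ua.lua  (added example; file name, sids and log path are assumptions)
--
-- Companion rules, assumed to live in the same rule file (Suricata 3.x-era syntax):
--
--   alert http any any -> any any (msg:"capture UA into flowvar"; content:"User-Agent: "; \
--       http_header; pcre:"/(?P<flow_ua>.*)\r\n/HR"; flowbits:noalert; sid:1000001;)
--   alert http any any -> any any (msg:"log UA from flowvar via lua"; \
--       luajit:read_ua.lua; sid:1000002;)
--
-- Rule 1000001 stores the header value in flowvar 'ua' (the 'flow_' prefix names the
-- variable type and is stripped). Rule 1000002 hands the packet to this script.

-- init() tells Suricata what the script needs: it runs on HTTP request headers
-- and registers the flowvar 'ua', which becomes index 0 for ScFlowvarGet/Set.
function init (args)
    local needs = {}
    needs["http.request_headers"] = tostring(true)
    needs["flowvar"] = {"ua"}
    return needs
end

-- match() returns 1 to make the rule alert, 0 otherwise.
function match (args)
    local ua = ScFlowvarGet(0)
    if ua == nil then
        -- The capture rule has not fired on this flow (e.g. no User-Agent header),
        -- so there is nothing to log and the rule must not alert.
        return 0
    end

    -- The value is attacker-controlled header data: strip CR/LF before writing so
    -- a crafted User-Agent cannot forge extra records in the output file.
    local clean = string.gsub(ua, "[\r\n]", "")

    local f = io.open("/var/log/suricata/ua.log", "a")  -- path is an assumption
    if f then
        f:write(clean, "\n")
        f:close()
    end
    return 1
end
```

Two things to check when testing this: whether the script sees the value on the very same request that set it depends on the order in which the two rules are evaluated, so verify against a real flow rather than assuming it; and if the capture rule is changed to `pkt_ua`, the variable only lives for that one packet, so the Lua rule has to match on the same packet to read it.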