[Oisf-users] LUA Signature Debugging

Peter Manev petermanev at gmail.com
Thu Nov 22 17:07:36 UTC 2018


On Thu, Nov 22, 2018 at 5:31 PM Clark Kent <ctyk3322 at gmail.com> wrote:
>
> Hopefully this is the right forum for this. If not, please feel free to point me in the right direction that is appropriate. I am looking for some guidance and suggestions on debugging LUA scripts for signature detection.
>
> Is there a way to print out variable/data values after replaying a PCAP to get a sense of what value is getting pulled or stored? If not, is there a suggestion on how to read in a PCAP to get the representative value like "p = SCPacketPayload()" or "a, o, e = HttpGetResponseBody();" as you would from Suricata? I know I could run the LUA script as a standalone to troubleshoot syntax or the like, but I wasn't sure how to recreate the flows, http traffic, and traffic of the sort that Suricata does for you when you replay the traffic.
>

Something very crude that could be used for debugging (only :) ) in
terms of SCPacketPayload for example -
https://pastebin.com/NzutYtTd
You would need of course to hook it up to a rule.
Hope it helps.


> I am still fairly new to LUA scripting and writing LUA signatures, so it would be helpful to see if I am seeking and grabbing the right XX bytes in the traffic.
>
> Thank you in advance for any guidance or suggestions.


-- 
Regards,
Peter Manev
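An added example of the kind of crude debugging hook discussed above (not Peter's pastebin script and not Suricata project code): a Suricata Lua match script that appends whatever SCPacketPayload() returns to a file for every packet the hooking rule hands it, so the grabbed bytes can be checked after a pcap replay. It assumes the Suricata Lua detection API as documented (the "packet" needs flag, SCPacketPayload() and SCPacketTuple()); LOG_PATH and the rule sid in the comment are constructed values.

```lua
-- Added debugging example, not the script from the pastebin above.
-- Hook it up with a rule such as (constructed sid):
--   alert tcp any any -> any any (msg:"lua payload debug"; \
--       lua:debug_payload.lua; sid:1000001; rev:1;)
-- then replay: suricata -r traffic.pcap  and read LOG_PATH afterwards.
local LOG_PATH = "/tmp/suricata-lua-debug.log"   -- constructed path, adjust
local MAX_BYTES = 64                             -- bytes dumped per packet

-- Ask Suricata for packet data; this is what enables SCPacketPayload().
function init(args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end

-- Render the first n bytes of s as "hex | printable ascii" for the log,
-- so you can see exactly which bytes your real script would be matching on.
function hexdump(s, n)
    local hex, asc = {}, {}
    for i = 1, math.min(#s, n) do
        local b = s:byte(i)
        hex[#hex + 1] = string.format("%02x", b)
        asc[#asc + 1] = (b >= 32 and b <= 126) and string.char(b) or "."
    end
    return table.concat(hex, " ") .. " | " .. table.concat(asc)
end

-- Called once per packet the rule sends here. Returning 0 means "no match",
-- so the rule never alerts; the log file is the only output.
function match(args)
    local p = SCPacketPayload()
    if p == nil or #p == 0 then
        return 0
    end
    local ipver, sip, dip, proto, sp, dp = SCPacketTuple()
    local f = io.open(LOG_PATH, "a")
    if f ~= nil then
        f:write(string.format("%s:%s -> %s:%s proto=%s len=%d\n",
            tostring(sip), tostring(sp), tostring(dip), tostring(dp),
            tostring(proto), #p))
        f:write(hexdump(p, MAX_BYTES), "\n")
        f:close()
    end
    return 0
end
```

Keep the file write for debugging only: opening a file per packet is far too slow for production rules, and the log contains raw payload bytes, so delete it when done.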

