[Oisf-users] LUA Signature Debugging

Peter Manev petermanev at gmail.com
Thu Nov 22 17:07:36 UTC 2018

On Thu, Nov 22, 2018 at 5:31 PM Clark Kent <ctyk3322 at gmail.com> wrote:
> Hopefully this is the right forum for this. If not please feel free to point me in the right direction that is appropriate. I am looking for some guidance and suggestion on debugging LUA scripts for signature detection.
> Is there a way to print out variable/data values after replaying a PCAP to get a sense of what value is getting pulled or stored? If not, is there a suggestion on how to read in a PCAP to get the representative value like "p = SCPacketPayload()" or "a, o, e = HttpGetResponseBody();" as you would from Suricata? I know I could run the LUA script standalone to troubleshoot syntax or the like, but I wasn't sure how to recreate the flows, HTTP traffic, and traffic of the sort that Suricata does for you when you replay the traffic.

Something very crude that could be used for debugging (only :) ) in
terms of SCPacketPayload for example -
You would need of course to hook it up to a rule.
Hope it helps.

> I am still fairly new to LUA scripting and writing LUA signatures, so it would be helpful to see if I am seeking and grabbing right XX bytes in the traffic.
> Thank you in advance for any guidance or suggestions.

Peter Manev
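The crude payload-dumping approach Peter describes, written out as an added example (this is not the script from the original post, and it is not part of Suricata itself). It assumes the Suricata Lua detection API of that era, where init() returns a "needs" table and match() receives the packet payload in args["payload"], and it assumes the SCLogInfo logging function is available, falling back to print() if it is not; the rule and suricata command line in the comments are illustrative.

```lua
-- debug_payload.lua: dump what a Suricata Lua detection script actually sees
-- in args["payload"], so you can check you are grabbing the right bytes.
-- Added example for debugging only; not the script from the original thread.
--
-- Hook it to a rule (script path is relative to the rule file / rule path):
--   alert tcp any any -> any any (msg:"lua payload debug"; lua:debug_payload.lua; sid:9000001; rev:1;)
-- Replay the pcap with only that rule loaded, writing logs to /tmp/lua-debug:
--   suricata -r traffic.pcap -S debug.rules -l /tmp/lua-debug -k none

local MAX_BYTES = 64   -- how much of each payload to dump; raise as needed

-- Log through Suricata's logger when present (assumed to be SCLogInfo),
-- otherwise fall back to stdout so the script still runs under plain lua.
local function log(msg)
    if SCLogInfo then
        SCLogInfo(msg)
    else
        print(msg)
    end
end

-- Render a byte string as "offset  hex bytes  |printable ascii|", 16 bytes per row.
-- Uses only Lua 5.1 character classes so it works under LuaJIT as well.
local function hexdump(s, limit)
    local out = {}
    local n = math.min(#s, limit or #s)
    for off = 0, n - 1, 16 do
        local chunk = s:sub(off + 1, math.min(off + 16, n))
        local hex = chunk:gsub(".", function(c)
            return string.format("%02x ", c:byte())
        end)
        local asc = chunk:gsub("[^%w%p ]", ".")
        out[#out + 1] = string.format("%08x  %-48s |%s|", off, hex, asc)
    end
    return table.concat(out, "\n")
end

-- Ask Suricata to hand us the packet payload.
function init(args)
    local needs = {}
    needs["payload"] = tostring(true)
    return needs
end

-- Called once per packet the rule is evaluated against. Dump the payload,
-- then return 1 only if the bytes we care about are really there, so the
-- alert count in fast.log tells you how many packets passed the check.
function match(args)
    local p = args["payload"]
    if p == nil or #p == 0 then
        log("lua-debug: no payload on this packet")
        return 0
    end
    log(string.format("lua-debug: payload length %d, first %d bytes:\n%s",
                      #p, math.min(#p, MAX_BYTES), hexdump(p, MAX_BYTES)))
    -- Example check: is this an HTTP GET request line? Replace with the
    -- offset/bytes your real signature is supposed to grab.
    if p:sub(1, 4) == "GET " then
        return 1
    end
    return 0
end
```

Each evaluated packet produces a dump in suricata.log (or on stdout under plain lua), and only the packets whose first four bytes are "GET " raise the alert, so the fast.log count and the dumps can be compared side by side. The same hexdump helper can be applied to each chunk in the array returned by "a, o, e = HttpGetResponseBody()" in an HTTP-protocol script to inspect the body Suricata has reassembled rather than a single packet's payload.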

