Project

General

Profile

Actions
Copy link

Bug #2094

open

luajit: SCFlowvarGet always returns null

Added by Chris Knott about 7 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Scenario: I want to manipulate a flow variable that I've extracted with a PCRE with a Lua script. Whenever I call the SCFlowvarGet method in the Lua script it returns "null" and not the value of the flow variable as it should.

Attached you can find the files that I am using (PCAP, rules, lua).
I'm using the following Suricata call:
suricata -v -r /home/suricata/test.pcap -S /etc/suricata/rules/test.rules -k none

As you can see out of the resulting eve.json file (attached) the rule works and also the variable is extracted. Furthermore the lua script is triggered and executed as the print commands of the lua script are in the console output. Also you can see in the console output that the "testVar" is not set (in my opinion it should be set there). It this a bug or am I doing something wrong in the script?

Files

Download all files
test.pcap (1.74 KB) test.pcap PCAP file for the test Chris Knott, 04/12/2017 09:01 AM
test.lua (313 Bytes) test.lua lua script for the test Chris Knott, 04/12/2017 09:02 AM
test.rules (120 Bytes) test.rules rules file for the test Chris Knott, 04/12/2017 09:02 AM
eve.json (4.14 KB) eve.json resulting eve.json after the test run Chris Knott, 04/12/2017 09:05 AM
console_out.txt (2.06 KB) console_out.txt console output of suricata Chris Knott, 04/12/2017 09:08 AM
Actions
Copy link
 #1

Updated by Victor Julien about 7 years ago

  • Priority changed from High to Normal
Actions
Copy link
 #2

Updated by Andreas Herz almost 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #3

Updated by Eric Leblond about 5 years ago

  • Assignee changed from OISF Dev to Eric Leblond
Actions
Copy link
 #4

Updated by Andreas Herz over 4 years ago

Does one of our Lua gurus have an idea?

Actions
Copy link
 #5

Updated by Victor Julien over 4 years ago

Can someone create SV test out of this?

Actions
Copy link
 #6

Updated by Victor Julien about 4 years ago

  • Assignee changed from Eric Leblond to OISF Dev
Actions
Copy link
 #7

Updated by Philippe Antoine over 2 years ago

Chris, here is a setup that does what you expect I think :
https://github.com/OISF/suricata-verify/pull/566

The problem is that during detection, the steps happen in this order :
- pattern matching
- lua script execution
- setting flow variables as part of post match

So, a workaround is to have 2 rules :
- one that does the pattern matching and setting the flow var
- another second one that does the Lua script

Maybe you also want to use the flowvar keyword in the second rule, but you cannot just test if it is set, you need to find for a pattern in it like alert http any any -> any any (msg: "Test2"; lua:test.lua; flowvar: TestVar,zib; sid:6677001; rev:1;)
You may also want to use sticky buffers and pcrexform to get what you are looking for...

Actions
Copy link

Also available in: Atom PDF