<p>Open Information Security Foundation<br />Suricata - Bug #2094: luajit: SCFlowvarGet always returns null</p>
<p>2017-04-13T02:18:43Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/2094?journal_id=8094</p>
<ul><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li></ul>
<p>2017-05-03T16:15:43Z, Andreas Herz (oisf@herzandreas.de), https://redmine.openinfosecfoundation.org/issues/2094?journal_id=8191</p>
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
<p>2019-02-20T13:09:26Z, Eric Leblond (eric@regit.org), https://redmine.openinfosecfoundation.org/issues/2094?journal_id=11093</p>
<ul><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Eric Leblond</i></li></ul>
<p>2019-07-27T22:46:32Z, Andreas Herz (oisf@herzandreas.de), https://redmine.openinfosecfoundation.org/issues/2094?journal_id=13154</p>
<p>Does one of our Lua gurus have an idea?</p>
<p>2019-09-27T11:22:22Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/2094?journal_id=13991</p>
<p>Can someone create SV test out of this?</p>
<p>2020-02-25T11:08:32Z, Victor Julien (victor@inliniac.net), https://redmine.openinfosecfoundation.org/issues/2094?journal_id=15417</p>
<ul><li><strong>Assignee</strong> changed from <i>Eric Leblond</i> to <i>OISF Dev</i></li></ul>
<p>2021-10-21T12:09:12Z, Philippe Antoine, https://redmine.openinfosecfoundation.org/issues/2094?journal_id=21024</p>
<p>Chris, here is a setup that does what you expect, I think:<br /><a class="external" href="https://github.com/OISF/suricata-verify/pull/566">https://github.com/OISF/suricata-verify/pull/566</a></p>
<p>The problem is that during detection, the steps happen in this order:<br />- pattern matching<br />- Lua script execution<br />- setting flow variables as part of post match</p>
<p>So, a workaround is to have 2 rules:<br />- one that does the pattern matching and sets the flow var<br />- a second one that does the Lua script</p>
<p>Maybe you also want to use the <code>flowvar</code> keyword in the second rule, but you cannot just test if it is set; you need to look for a pattern in it, like <code>alert http any any -> any any (msg: "Test2"; lua:test.lua; flowvar: TestVar,zib; sid:6677001; rev:1;)</code><br />You may also want to use sticky buffers and pcrexform to get what you are looking for...</p>
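<p>The two-rule workaround described in the comment above, sketched as an added example; it is not taken from the thread or from the linked suricata-verify pull request. Assumptions: a Suricata version that still exposes the legacy global Lua function <code>ScFlowvarGet</code>, a constructed first rule (its sid, msg and pcre capture are placeholders), and the second rule copied from the comment.</p>

```lua
-- test.lua: added example, not the project's or the commenter's script.
--
-- Rule 1 (constructed for illustration): does the pattern matching and
-- stores the capture in the flow variable TestVar. The variable is only
-- written in the post-match step, after this rule's keywords have run.
--   alert http any any -> any any (msg:"Test1"; content:"zib"; \
--       pcre:"/(?P<flow_TestVar>zib\w*)/"; sid:6677000; rev:1;)
--
-- Rule 2 (as given in the comment): runs this script and also checks the
-- flowvar content with the flowvar keyword.
--   alert http any any -> any any (msg: "Test2"; lua:test.lua; \
--       flowvar: TestVar,zib; sid:6677001; rev:1;)

-- Declare which flow variables the script needs. The position in this
-- table is the index later passed to ScFlowvarGet (first entry = 0).
function init(args)
    local needs = {}
    needs["flowvar"] = {"TestVar"}
    return needs
end

-- Return 1 to match, 0 otherwise.
function match(args)
    local value = ScFlowvarGet(0)

    -- nil means the variable has not been set on this flow yet, which is
    -- what a single rule doing both the capture and the Lua check sees,
    -- because its own flowvar is stored only after its Lua keyword ran.
    if value == nil then
        return 0
    end

    -- Plain (non-pattern) substring search for the marker from the rule.
    if string.find(value, "zib", 1, true) then
        return 1
    end
    return 0
end
```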