+local flowvarlib = require("suricata.flowvar")
+
function init (args)
- local needs = {}
- return needs
+ flowvarlib.register("key")
+ return {}
+end
+
+function thread_init (args)
+ var = flowvarlib.get("key")
end
function match(args)
- SCFlowvarSet("key", 3, "value", 5)
+ var:set("value", 5)
return 1
end
--- /dev/null
+local flowvar = require("suricata.flowvar")
+
+function init (args)
+ return {}
+end
+
+function thread_init (args)
+ testvar = flowvar.get("TestVar")
+end
+
+function match(args)
+ print "Before loading Variable"
+ local value = testvar:value()
+ if value == nil then
+ print("TestVar has no value")
+ return 0
+ end
+
+ if value ~= "/zib100/zib100.json?origin=orf.at HTTP/1.1" then
+ print("TestVar has wrong value")
+ return 0
+ end
+
+ return 1
+end
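Review bot: `testvar` is assigned in `thread_init` without `local`, so the handle lands in the script's global table; a file-scope `local testvar` next to the `require` line should behave the same, since all three functions live in one chunk, and lets a linter catch a mistyped name. The same applies to `flowvar` in the two scripts the new rules call setflowvar.lua and getflowvar.lua. The unconditional `print "Before loading Variable"` at the top of `match` runs on every invocation and looks like leftover debugging; I would drop it. A short header comment would also help, for example `-- TestVar is populated by the pcre "flow:TestVar" capture in the companion rule; this script only reads it`, because `init` registers nothing here.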
--- /dev/null
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ metadata.flowvars[0].TestVar: "/zib100/zib100.json?origin=orf.at HTTP/1.1"
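Review bot: The single `filter` accepts any alert that carries `TestVar`, without naming the rule that raised it. The other flowvar test in this change pins `alert.signature_id` in each filter; assuming this check pairs with the rules using sids 6677000 and 6677001, adding `alert.signature_id: 6677001` would make it fail if a different rule ever alerted with the same flowvar. The `--set security.lua.allow-rules=true` argument also deserves a one-line comment such as `# Lua rules are off by default in 8.x; enabled for this test only`, so nobody copies the override into a production configuration by habit.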
--- /dev/null
+Test setting and getting a flowvar from Lua.
--- /dev/null
+local flowvarlib = require("suricata.flowvar")
+
+function init()
+ return {}
+end
+
+function thread_init()
+ flowvar = flowvarlib.get("test_var")
+end
+
+function match()
+ local value = flowvar:value()
+ if value == "foobar" then
+ return 1
+ else
+ print("flowvar does not have expected value")
+ return 0
+ end
+end
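Review bot: `thread_init` calls `flowvarlib.get("test_var")` but this script never registers that name, so it presumably works only because the companion script registers `test_var` in its own `init`. That dependency is invisible from this file and should be stated at the top, for example `-- test_var is registered by setflowvar.lua (sid 1); this script only reads it`. It would also be worth confirming what `get` does for an unregistered name, because `flowvar:value()` in `match` has no guard if the handle is missing.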
--- /dev/null
+local flowvarlib = require("suricata.flowvar")
+
+function init()
+ local flowvar = flowvarlib.register("test_var")
+ return {}
+end
+
+function thread_init()
+ flowvar = flowvarlib.get("test_var")
+end
+
+function match()
+ local value = flowvar:value()
+ if value ~= nil then
+ print("flowvar value should be nil")
+ return 0
+ end
+
+ local value = "foobar"
+ flowvar:set(value, string.len(value))
+
+ return 1
+end
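Review bot: In `init`, `local flowvar = flowvarlib.register("test_var")` binds a local that is never read, and it reads as if it were the handle `match` uses, which in fact comes from the assignment in `thread_init`; a bare `flowvarlib.register("test_var")` says what is meant. In `match`, `local value` is declared twice in the same scope; giving the second one its own name, e.g. `local new_value = "foobar"`, removes the shadowing. Deriving the length from the string is the right choice, since `set` takes the length as a separate argument and a hard-coded number can drift from the value; `#new_value` is the shorter idiom for `string.len`.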
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+ - http
--- /dev/null
+#alert http any any -> any any (msg: "Test"; http.request_line; pcre: "^/GET (.*)$/G, flow:TestVar"; flowbits: set, flowtestvar; noalert; sid:6677000; rev:1;)
+
+
+alert http any any -> any any (http.request_line; content: "GET"; lua: setflowvar.lua; sid:1;)
+alert http any any -> any any (http.response_header; content: "Apache"; lua: getflowvar.lua; sid:2;)
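Review bot: The commented-out rule on the first line refers to `TestVar` and `flowtestvar`, which neither active rule nor the two Lua scripts use; it looks copied from the other flowvar test and can be removed. The two active rules carry no `msg`, so their alerts in eve.json are told apart by sid alone; adding `msg:"set flowvar from Lua";` and `msg:"get flowvar from Lua";` would make a failing check easier to read.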
--- /dev/null
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ metadata.flowvars[0].test_var: foobar
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ metadata.flowvars[0].test_var: foobar
--- /dev/null
+To test that SCFlowvarGet (lua) doesn't always return nil.
+
+The original issue emerged due to a lua detection script that used a single rule to set up
+a flow variable and match on it.
+
+The problem is that during detection, the steps happen in this order:
+- pattern matching
+- lua script execution
+- setting flow variables as part of post match
+
+So, a workaround is to have 2 rules:
+- one that does the pattern matching and setting the flow var
+- another second one that does the Lua script
+
+This test works based on that.
+
+Pcap provided by Chris Knott at https://redmine.openinfosecfoundation.org/issues/2094
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
--- /dev/null
+alert http any any -> any any (msg: "Test"; http.request_line; pcre: "^/GET (.*)$/G, flow:TestVar"; flowbits: set, flowtestvar; noalert; sid:6677000; rev:1;)
+alert http any any -> any any (msg: "Test2"; flow: to_server; lua:test.lua; flowbits: isset, flowtestvar; sid:6677001; rev:1;)
requires:
min-version: 7.0.0
+ lt-version: 8
features:
- HAVE_LUA