Setting flowvar - Lua Scripting

bsmith · December 2, 2021, 10:14pm

I’m playing around with Lua alerts and seeing what I can get from the Lua flow variables. I’ve got no issues with setting a variable with flowint and accessing that via SCFlowintGet. What I can’t seem to do is access the flowvar via SCFlowvarGet. Is the flowvar set when using flowbits or xbits? Is there something else that sets them? I tried both option but they don’t seem to work.

Ubuntu 21.04
Suricata 6.0.3

Thanks!

jufajardini · December 3, 2021, 10:55am

Hi Bryant!

Recently, when investigating a bug, we realized that Flowvar can be nil when one didn’t expect it to, due to the way Suri does the detection steps, which results in not being able to access it in the Lua script if you’ve used only one rule. The workaround was using two rules: one for setting the flowvar, the other for detecting.

The following suricata-verify test shows that. In it, we are using flowbits.

Hope that helps with your question!

bsmith · December 3, 2021, 1:50pm

Yeah this does help a bit but when I tested against my rules and script it didn’t work. I tested with the provided rules and scripts and it does work. I tried to make sure everything matched up from mine to the test scripts and it still didn’t work. The only difference was I didn’t use regex. I plugged in the regex that was used in the test and it started working.

Can you or someone explain the below regex? I understand most of it but what is the G modifier doing and what is happening after the modifier? Is this just a comment or does this affect the flow variables?

pcre: “^/GET (.*)$/G, flow:TestVar”;

jufajardini · December 3, 2021, 5:17pm

Hey,

while I’m not good with regular expressions, from Suricata documentation I understand that that $/G is meant to invert the expression greediness (see 6.7. Payload Keywords — Suricata 6.0.4 documentation).

bsmith · December 3, 2021, 8:15pm

Thanks I was looking further down in the documentation and forgot they had those are the beginning. Anyone know about the ‘, flow:TestVar";’ part though?

bsmith · December 6, 2021, 8:49pm

So it seems like the regex expression after the modifier does play a role in the setting the flow variable. Using the example in the link provided, if you change the wording of the flow in the pcre statement then it doesn’t work anymore. The flowbits in the two signatures still have to match but flow:TestVar needs to match against needs["flowvar"] = {"TestVar"}

Anyone know if this is supposed to work this way or if there’s some documentation on it?

bsmith · December 6, 2021, 9:41pm

It looks like it’s explain here!

Topic		Replies	Views
[Rules] How to check Flowvar in suricata rule? Rules suricata	0	321	December 2, 2022
How can I determine if the .lua scripting is being called by Suricata?	4	490	March 11, 2023
SC_ERR_INVALID_SIGNATURE with Lua Detection Help	2	2177	June 10, 2020
Lua rules + Lua output Rules	1	651	May 15, 2021
Luastate pool depleted - what's the limit? Help	1	464	September 30, 2020

Setting flowvar - Lua Scripting

Related Topics