A few days ago I wrote about my Emerging Threats sponsored work to support flowvars from Lua scripts in Suricata.
Today, I updated that support. Flowvar ‘sets’ are now real time. This was needed to fix some issues where a script was invoked multiple times in single rule, which can happen with some buffers, like HTTP headers.
Also, I implemented flowint support. Flowints in Suricata are integers stored in the flow context.
Example script:
function init (args)
local needs = {}
needs["http.request_headers"] = tostring(true)
needs["flowint"] = {"cnt"}
return needs
end
function match(args)
a = ScFlowintGet(0);
if a then
ScFlowintSet(0, a + 1)
else
ScFlowintSet(0, 1)
end
a = ScFlowintGet(0);
if a == 23 then
return 1
end
return 0
end
return 0
It does the same thing as this flowvar script:
function init (args)
local needs = {}
needs["http.request_headers"] = tostring(true)
needs["flowvar"] = {"cnt"}
return needs
end
function match(args)
a = ScFlowvarGet(0);
if a then
a = tostring(tonumber(a)+1)
ScFlowvarSet(0, a, #a)
else
a = tostring(1)
ScFlowvarSet(0, a, #a)
end
if tonumber(a) == 23 then
return 1
end
return 0
end
return 0
Only, at about half the cost:
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 1 1 1 0 2392221879 70.56 82249 795 834993 29085.12 6964.14 29301.02 2 2 1 0 998297994 29.44 82249 795 483810 12137.51 4019.44 12216.74
Inliniac 
Pingback: More on Suricata lua flowints | Inliniac