16.3.2. Bytevar

The suricata.bytevar module provides access to variables defined by byte_extract and byte_math keywords in Suricata rules.

It is only available in Suricata Lua rules, not output scripts.

16.3.2.1. Setup

local bytevars = require("suricata.bytevar")

16.3.2.2. Module Functions

bytevars.map(sig, varname)

Ensures that the bytevar exists and sets it up for further use in the script by mapping it into the Lua context. Must be called during init().

Parameters:
  • sig -- The signature object passed to init()

  • varname (string) -- Name of the variable as defined in the rule

Raises:
  • error -- If the variable name is unknown

  • error -- If too many byte variables are mapped

Example:

function init(sig)
    bytevars.map(sig, "var1")
    bytevars.map(sig, "var2")
    return {}
end

bytevars.get(name)

Returns a byte variable object for the given name. May be called during thread_init() to save a handle to the bytevar.

Parameters:
  • name (string) -- Name of the variable previously set up with map(), as in the example below.

Raises:
  • error -- If the variable name has not been mapped with map().

Returns:

A byte variable object

Example:

function thread_init()
    bv_var1 = bytevars.get("var1")
    bv_var2 = bytevars.get("var2")
end

16.3.2.3. Byte Variable Object Methods

bytevar:value()

Returns the current value of the byte variable.

Returns:

The value of the byte variable.

Example:

function match(args)
    local var1 = bv_var1:value()
    if var1 then
        -- Use the value
    end
end
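Putting the three steps together, as an added example that is not part of the Suricata documentation: a complete rule script that maps two byte_extract variables in init(), caches their handles in thread_init(), and compares them in match() to flag a header length that cannot be consistent with the total length. The rule in the leading comment, the variable names, the script name len_check.lua, the "HDR" marker and the MAX_HDR_LEN bound are all assumptions for a constructed protocol.

```lua
-- Added example, not from the Suricata documentation. Assumed rule
-- (hypothetical sid; "HDR" is a constructed marker for a made-up protocol):
--   alert tcp any any -> any any (msg:"length fields disagree"; \
--     content:"HDR"; byte_extract:2,0,total_len,relative; \
--     byte_extract:2,0,hdr_len,relative; \
--     lua:len_check.lua; sid:1000001; rev:1;)
local bytevars = require("suricata.bytevar")

-- Handles are fetched once per thread in thread_init() and reused in match().
local bv_total_len
local bv_hdr_len

-- Sanity bound for the header length of the constructed protocol (assumed).
local MAX_HDR_LEN = 512

-- init() runs when the rule is loaded: every variable the script reads
-- must be mapped here, otherwise get() raises an error later.
function init(sig)
    bytevars.map(sig, "total_len")
    bytevars.map(sig, "hdr_len")
    return {}
end

-- thread_init() runs once per detection thread and saves the handles.
function thread_init()
    bv_total_len = bytevars.get("total_len")
    bv_hdr_len = bytevars.get("hdr_len")
end

-- check_lengths() holds the detection logic apart from the Suricata
-- callbacks: returns 1 (alert) or 0 (no match).
function check_lengths(total_len, hdr_len)
    if total_len == nil or hdr_len == nil then
        return 0  -- byte_extract did not populate the variables for this buffer
    end
    if hdr_len == 0 or hdr_len > MAX_HDR_LEN then
        return 1  -- implausible header length
    end
    if hdr_len > total_len then
        return 1  -- header claims to be longer than the whole message
    end
    return 0
end

-- match() runs after the byte_extract keywords have set the variables.
function match(args)
    return check_lengths(bv_total_len:value(), bv_hdr_len:value())
end
```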