This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Can someone share below sample files for lua parser?

huanzhou1
Beginner
Beginner

‎2014-04-12 08:12 AM

Hi Guys,


I got the document but don't have samples files. If have can please share?

 

And anyone have documents on writing flex/lua parsers?

 

signature_style_parser.lua

A demonstration of a very simple lua parser: see a pattern, fire an alert (no moves, reads, finds, etc). This

should be the easiest parser to see what the parser is doing.

• simple.parser

A simple parser in flex. It doesn't parse anything real, it is only meant to be demonstrative and used in

conjunction with simple_parser.lua

• simple_parser.lua

Identical in functionality to simple.parser (flex). Demonstrating some basic equivalencies between flex and

lua, used in conjunction with simple.parser.

• demo_parser.lua

A simple but heavily commented parser in lua. Again, it doesn't parse anything real. The comments explain

in detail every aspect of the parser.

• flex_to_lua_quick_reference.txt

A condensed guide for flex to lua equivalencies.

• nw-api.lua

The definitive documentation

0 Likes
2 REPLIES 2

Anonymous
Not applicable

‎2014-07-28 02:38 PM

simple_flex_parser

 

<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="parsers.xsd">

  <parser name="simple_parser" desc="simple parser in flex">

 

 

  <declaration>

 

  <token name="tokenFoo" value="FOO" options="linestart"/>

  <token name="tokenBar" value="&#x42;&#x41;&#x52;"/> <!-- "BAR" in hex -->

 

  <number name="parser_state" scope="session"/>

 

  <number name="num_temp" scope="stream"/>

  <string name="string_temp" scope="stream"/>

 

  <meta name="meta_action" key="action" format="text"/>

  <meta name="meta_alert" key="alert" format="text"/>

 

  </declaration>

 

  <match name="tokenFoo">

  <!-- move 4 bytes forward -->

  <move value="4">

  <!-- find the end of the line -->

  <find name="num_temp" value="&#x0d;&#x0a;" length="80">

  <!-- read up to the end of the line -->

  <read name="string_temp" length="$num_temp">

  <!-- register what was read as action meta -->

  <register name="meta_action" value="$string_temp"/>

  <!-- flag that we read something -->

  <assign name="parser_state" value="1"/>

  </read>

  </find>

  </move>

  </match>

 

  <match name="tokenBar">

  <!-- if we've already matched "FOO" and read something, register an alert now -->

  <if name="parser_state" equal="1">

  <register name="meta_alert" value="saw foo and bar"/>

  </if>

  </match>

 

  </parser>

</parsers>

 

 

simple parser lua

local simple = nw.createParser("simple_parser", "simple parser in lua")

 

 

-- declare the meta keys we'll be registering meta with

simple:setKeys({

  nwlanguagekey.create("action"),

  nwlanguagekey.create("alert"),

})

 

 

function simple:sessionBegin()

  -- reset parser_state for the new session

  self.parser_state = nil

end

 

 

function simple:tokenFoo(token, first, last)

  -- set position to byte after the token

  current_position = last + 1

  -- get the payload

  local payload = nw.getPayload()

  -- make sure we have bytes to move through

  if current_position + 4 <= payload:len() then

  -- move 4 bytes forward

  current_position = current_position + 4

  -- find the end of the line

  local num_temp = payload:find("\13\10", current_position, current_position + 80)

  -- if we found the end of the line

  if num_temp ~= nil then

  -- we don't want to read the \13

  num_temp = num_temp - 1

  -- read up to the end of the line

  local string_temp = payload:tostring(current_position, num_temp)

  -- make sure the read succeeded

  if string_temp ~= nil then

  -- register what was read as action meta

  nw.createMeta(self.keys.action, string_temp)

  -- flag that we read something

  self.parser_state = 1

  end

  end

  end

end

 

 

function simple:tokenBar(token, first, last)

  -- if we've already matched "FOO" and read something, register an alert now

  if self.parser_state == 1 then

  nw.createMeta(self.keys.alert, "saw foo and bar")

  end

end

 

 

-- declare what tokens and events we want to match

simple:setCallbacks({

  [nwevents.OnSessionBegin] = simple.sessionBegin,

  ["FOO"] = simple.tokenFoo,

  ["\66\65\82"] = simple.tokenBar, -- "BAR" in hex

})

0 Likes

RSAAdmin
Beginner
Beginner

‎2014-07-29 04:37 AM

Hi, can you share the document that you've got?

There are tons of info on custom log parsers and absolutely no info on custom lua parsers integration. As I understand flex parsers are depreciated.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.