2013-02-15 05:12 AM
I just finished my first Lua parser (https://community.emc.com/docs/DOC-21579). The parser tackles NTLM over HTTP, i.e., extracts user and host information from proxy authorizations. I'm aware that this is not very useful to most of you, but since the available documentation on Lua-based parsers is still scarce, I thought I'd share it anyway.
One thing I couldn't figure out is how to properly define language keys. The presentation "We’re Going to the Lua" uses the following notion:
local lkClient = nw:LanguageKey("client")
clientParser:setKeys({lkClient})
This didn't work for me and I had to use
clientParser:setKeys(
{nwlanguagekey.create('client', nwtypes.Text, "Client Application")}
)
What's the difference between the two?
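The extraction described in the post above, sketched as an added example (not the poster's parser and not NetWitness Lua API code): a stand-alone Python decoder for the NTLM Type 3 message carried in a Proxy-Authorization header. The sample header is constructed, the function names are hypothetical, and decoding OEM (non-Unicode) strings as latin-1 is an assumption.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when this flag is set
# Offsets of the 8-byte descriptors (len u16, maxlen u16, offset u32) in a Type 3 message
FIELDS = {"domain": 28, "user": 36, "host": 44}


def parse_proxy_ntlm(header_line):
    """Return {'domain', 'user', 'host'} from an NTLM Type 3 header line, else None."""
    name, _, value = header_line.partition(":")
    scheme, _, blob = value.strip().partition(" ")
    if name.strip().lower() != "proxy-authorization" or scheme.upper() != "NTLM":
        return None
    try:
        msg = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(msg) < 64 or not msg.startswith(NTLMSSP_SIG):
        return None
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None  # Type 1 and Type 2 messages carry no user name
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Assumption: the OEM code page is not in the message, so latin-1 is used
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    result = {}
    for key, pos in FIELDS.items():
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            return None  # descriptor points outside the message: malformed
        result[key] = msg[offset:offset + length].decode(encoding, "replace")
    return result


def build_sample_header(domain, user, host):
    """Constructed Type 3 message for the demo (LM/NT responses and key left empty)."""
    fields = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    header, payload, offset = NTLMSSP_SIG + struct.pack("<I", 3), b"", 64
    for p in fields:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "Proxy-Authorization: NTLM " + base64.b64encode(header + payload).decode()


if __name__ == "__main__":
    print(parse_proxy_ntlm(build_sample_header("CORP", "alice", "WS042")))
```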
2013-02-20 05:51 AM
I found the answer myself. NetWitness changed the Parser API. They replaced
nw:LanguageKey()
with
nwlanguagekey.create()
So for instance the example on slide 15 of the presentation becomes:
local callbacksTable = {
[nwlanguagekey.create("alert")]= myParser.onAlert -- meta callback
}
Here's an incomplete list of other methods the API offers:
nwlanguagekey.create, nwlanguagekey.getPathDefaults
nw.base64Decode, nw.createMeta, nw.createParser, nw.getAppType, nw.getNetworkProtocol, nw.getPayload, nw.getSessionAddresses, nw.getSessionSource, nw.getSessionDestination, nw.getSessionPorts, nw.getSessionStats, nw.getStreamStats, nw.getTransport, nw.isRequestStream, nw.isResponseStream, nw.logDebug, nw.logInfo, nw.logWarning, nw.logFailure, nw.setAppType
nwpayload.equal, nwpayload.find, nwpayload.getNextPacketPayload, nwpayload.getPacketPayload, nwpayload.len, nwpayload.pos, nwpayload.byte, nwpayload.int, nwpayload.short, nwpayload.sub, nwpayload.tostring
Unsure: nwevents.OnReset, nwevents.OnSessionBegin, nwevents.OnSessionEnd, nwevents.OnStreamBegin, nwevents.OnStreamEnd, nwevents.OnStart, nwevents.OnStop
Unsure:
nwtypes.?
2013-12-19 09:08 AM
Do you have any documents or samples to share? Thanks.