2019-12-10 10:32 AM
Is anyone else having issues finding expected meta from the HTTP_lua parser?
Particularly, I'm concerned that the latest version of the parser may not be parsing out these pieces of meta <below>, but there may be others:
http post no get
http suspicious 4 headers
http suspicious no cookie
I have the latest HTTP_lua parser deployed from Live, dated 2019-11-11 7:09 PM
Example:
For 'http post no get' testing I used this query <below> to identify sessions that match the scenario:
service = 80 && action = 'post' && ~(action='get')
However, when I look through those returned sessions I do not see expected meta for analysis.service='http post no get'
Help?
Thanks in advance,
David
2019-12-10 10:40 AM
Hey David,
That metadata and others get populated by turning on a function in the HTTP_lua_options.lua file located on the Decoder (Admin --> Services --> Decoder --> View --> Config):
There is a function called advanced in this file which defaults to false; you will want to set it to true and reload the parsers.
I would also make sure you have not subscribed to this file from RSA Live as it will overwrite changes.
Cheers,
Lee
2019-12-10 10:44 AM
Thanks Lee -- very helpful!
~David