Is anyone else having issues finding expected meta from the HTTP_lua parser?
Particularly I'm concerned that the latest version of the parser may not be parsing out these pieces of meta <below> but there may be others:
http post no get
http suspicious 4 headers
http suspicious no cookie
I have the latest HTTP_lua parser deployed from Live, dated 2019-11-11 7:09 PM
For 'http post no get' testing I used this query <below> to identify sessions that match the scenario:
service = 80 && action = 'post' && ~(action='get')
However, when I look through those returned sessions I do not see expected meta for analysis.service='http post no get'
Thanks in advance,
That metadata and others get populated by turning on a function in the HTTP_lua_options.lua file located on the Decoder (Admin --> Services --> Decoder --> View --> Config):
There is a function called advanced in this file which defaults to false; you will want to set it to true and reload the parsers.
I would also make sure you have not subscribed to this file from RSA Live as it will overwrite changes.
Thanks Lee -- very helpful!