This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

OUI Identifier - LUA parser

JoeGumke
Beginner
Beginner

‎2017-08-22 10:53 AM

We have a need to strip out the OUI Identifier out of our DHCP logs, but running into issues with building a LUA passer (see attached). Does anyone have a prebuilt solution they could share? Or look into my LUA log parser? I cannot get the data to send into the findOUI function

 

-- attached working version, thanks to bill.

lua_ouiparser.lua.zip
0 Likes
6 REPLIES 6

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2017-08-22 11:25 AM

Your log line for the eth.dst match is inside the "if deviceType == 1", so we don't know whether that callback is occurring or not.  I suspect either the deviceType callback isn't occurring, or "infobloxnios" isn't actually all lowercase.  In deviceType try something like,

 

if string.lower(dtype) == "infobloxnios" then

  nw.logInfo("infobloxnios seen")

  deviceType = 1

end

 

(Don't forget to reset deviceType at session begin.)

 

A different way to go could be not using two callbacks.  Instead, remove deviceType.  Replace findOUI with,

 

function lua_ouiParser:findOUI()
  local payload = nw.getPayload()
  local message = payload:tostring()
  local oui = string.match(message, "^.*dhcpd%[%d+%]: DHCPOFFER on [%d%.]+ to (%x%x:%x%x:%x%x):%x%x:%x%x:%x%x")
  if oui then
    nw.createMeta(self.keys["usb.eth.oui"], oui)
  end
end

0 Likes

JoeGumke
Beginner
Beginner
In response to WilliamMotley1

‎2017-08-22 11:50 AM

thanks bill. Sorry forgot to mention, but yes I did validate that the deviceType function is working, which is why i'm confused about why its not making it into the fundOUI function

0 Likes

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to JoeGumke

‎2017-08-22 11:59 AM

Just noticed this:  change the eth.dst callback to,

 

[nwlanguagekey.create("eth.dst", nwtypes.MAC)] = lua_ouiparser.findOUI

                               ^^^^^^^^^^^^^

JoeGumke
Beginner
Beginner
In response to WilliamMotley1

‎2017-08-22 12:11 PM

thanks bill, that got it in the function.

NOW -- what type of regex does the lua engine support?

 

This doesnt work for chunking out the first 3 portions of the MAC

^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}

0 Likes

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to JoeGumke

‎2017-08-22 12:28 PM

Lua doesn't use regex.  It implements its own regex-like pattern matching.  You can do pretty much anything you can do in regex, just not necessarily in the same way or as easily.

 

This page details the character classes and modifiers:

 

  https://www.lua.org/pil/20.2.html

 

While it does support repetition modifiers such as * and +, it doesn't support counts ("{2}").  So something like:

 

local oui = string.match(ethdst, "^(%x%x:%x%x:%x%x):%x%x:%x%x:%x%x$")

if oui then

  ...

 

^ and $ mean begin and end of line just like regex.

%x means hexadecimal character.

The portion within the parentheses will be captured into the "oui" variable.  The rest is there just for validation.

JoeGumke
Beginner
Beginner
In response to WilliamMotley1

‎2017-08-22 12:52 PM

thanks for help bill! thanks works. i'll attach final version here shortly, hopefully it helps other customers as well.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.