2013-11-12 06:01 PM
Is there any matrix of the new lua parsers and the old parser(s) they replace? Some of them are obvious, others less so. Anybody have experience switching over?
2013-11-20 10:18 AM
Correct, if you have HTTP_lua enabled you shouldn't need NTLMSSP_lua as well.
- Bill
2013-11-25 04:13 PM
Great information! Is there an easy way to remove the old flex parsers, or is it a manual/scripted process?
2013-12-09 02:09 PM
In regards to the packers lua parser, you indicate it replaces the existing packers parser. Does this include all of the malware_packers_X parsers and javascript_packers?
2013-12-10 10:05 AM
> Great information! Is there an easy way to remove the old flex parsers, or is
> it a manual/scripted process?
It's a manual process for now, unfortunately.
2013-12-10 10:11 AM
> In regards to the packers lua parser, you indicate it replaces the existing
> packers parser. Does this include all of the malware_packers_X parsers
> and javascript_packers?
The 'packers' flex parser file actually contains all of the individual malware_packers_X parsers. The 'packers' lua parser replaces all of them.
The 'javascript' flex parser file contains 'javascript_suspicious', 'javascript_packers', and 'javascript_shellcode' parsers. The 'fingerprint_javascript_lua' parser replaces all of them.
2013-12-19 08:56 AM
Will it become a KB link?
2014-01-16 06:08 PM
Any word on the availability of some of these parsers unencrypted, for demonstration purposes? It would be useful for custom parser creation.
2014-05-22 12:41 AM
Is there any update to the table? We're trying to apply the LUA parser but don't know which one to apply.
1. Can a LUA parser and a Flex parser be applied at the same time?
2. Some Flex parsers don't have a replacement LUA parser, like the OS and browser parsers. When will they be available?
Thank you.
2014-07-22 05:57 PM
Sorry for the late reply.
1. Yes, they can be enabled at the same time. But if a flex and a lua parser that parse the same thing are both enabled, then the decoder will be doing more work and registering duplicate meta.
2. Those two parsers really just tried to match bits of user-agent headers and make inferences based on that. Instead HTTP_lua simply registers the entire user-agent header.
2014-07-23 11:14 AM
If so, can the system auto-detect when both flex and lua parsers are enabled for the same thing and disable one of them?