8.42. Lua Scripting for Detection
Note
Lua is disabled by default for use in rules; it must be enabled in the
configuration file. See the security.lua section of suricata.yaml and
enable allow-rules.
Syntax:
lua:[!]<scriptfilename>;
The script filename will be appended to your default rules location.
The script has 2 parts, an init function and a match function. First, the init.
8.42.1. Init function
function init (args)
    -- Declare which buffer(s) the match function wants to receive.
    local needs = {}
    needs["http.request_line"] = tostring(true)
    return needs
end
The init function registers the buffer(s) that need inspection. Currently the following are available:
packet -- entire packet, including headers
payload -- packet payload (not stream)
buffer -- the current sticky buffer
stream
dnp3
dns.request
dns.response
dns.rrname
ssh
smtp
tls
http.uri
http.uri.raw
http.request_line
http.request_headers
http.request_headers.raw
http.request_cookie
http.request_user_agent
http.request_body
http.response_headers
http.response_headers.raw
http.response_body
http.response_cookie
All the HTTP buffers have a limitation: only one can be inspected by a script at a time.
8.42.2. Match function
function match(args)
    -- The buffer registered in init() arrives in args under the same key.
    -- tostring() guards against a missing buffer, but note it yields the
    -- string "nil" in that case, which the anchored pattern will not match.
    local a = tostring(args["http.request_line"])
    if #a > 0 then
        -- Lua pattern, not a regex: %s is whitespace, %. a literal dot.
        -- Matches e.g. "POST /upload.php HTTP/1.0".
        if a:find("^POST%s+/.*%.php%s+HTTP/1%.0$") then
            return 1
        end
    end
    return 0
end
The script can return 1 or 0. It should return 1 if the condition(s) it checks for match, 0 if not.
Entire script:
function init (args)
    -- Declare which buffer(s) the match function wants to receive.
    local needs = {}
    needs["http.request_line"] = tostring(true)
    return needs
end

function match(args)
    -- The buffer registered in init() arrives in args under the same key.
    local a = tostring(args["http.request_line"])
    if #a > 0 then
        -- Lua pattern, not a regex: %s is whitespace, %. a literal dot.
        if a:find("^POST%s+/.*%.php%s+HTTP/1%.0$") then
            return 1
        end
    end
    return 0
end
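As a second, added example (not from the Suricata documentation or project), the following script applies the same init/match structure to the http.request_body buffer to flag PHP "eval(base64_decode(...))" style staging in a POST body. It also shows how to exercise such a script offline under the standalone lua interpreter with constructed sample bodies before loading it into Suricata. The script name http_body_eval.lua, the rule sid, the sample bodies and the use of the interpreter's arg table to detect standalone execution are all assumptions made for illustration.

```lua
-- Added example, not part of the Suricata docs: detect PHP eval()-based
-- staging in an HTTP request body, with an offline harness.
--
-- Rule that would invoke it (msg, file name and sid are illustrative):
--   alert http any any -> any any (msg:"Lua: eval(base64_decode()) in POST body";
--       flow:to_server; lua:http_body_eval.lua; sid:1000001; rev:1;)

-- init: register the single HTTP buffer we need. Only one HTTP buffer can
-- be inspected per script, so http.request_body is the only key set here.
function init(args)
    local needs = {}
    needs["http.request_body"] = tostring(true)
    return needs
end

-- Lua patterns (not regexes) checked against the lower-cased body:
-- %s* allows optional whitespace, %( is a literal parenthesis.
local patterns = {
    "eval%s*%(%s*base64_decode%s*%(",
    "eval%s*%(%s*gzinflate%s*%(",
    "eval%s*%(%s*str_rot13%s*%(",
}

-- match: return 1 when any pattern is found in the body, 0 otherwise.
function match(args)
    local body = args["http.request_body"]
    if body == nil then
        return 0            -- buffer not available for this transaction
    end
    body = tostring(body)
    if #body == 0 then
        return 0
    end
    local lower = body:lower()   -- PHP function names are case-insensitive
    for _, p in ipairs(patterns) do
        if lower:find(p) then
            return 1
        end
    end
    return 0
end

-- Offline harness. Assumption: the standalone `lua` interpreter sets the
-- global `arg` table and Suricata does not, so this block only runs when the
-- file is executed directly (lua http_body_eval.lua).
if arg ~= nil then
    local needs = init({})
    assert(needs["http.request_body"] == "true")
    -- Constructed sample bodies, not captured traffic.
    local samples = {
        { body = "cmd=EVAL ( base64_decode ( 'cGhwaW5mbygpOw==' ) );", want = 1 },
        { body = "user=alice&pass=hunter2",                               want = 0 },
        { body = "",                                                      want = 0 },
    }
    for i, s in ipairs(samples) do
        local got = match({ ["http.request_body"] = s.body })
        assert(got == s.want,
               ("sample %d: expected %d, got %d"):format(i, s.want, got))
    end
    print("all samples behaved as expected")
end
```

Running the file directly checks the init/match contract and the patterns against the constructed bodies; once it behaves as expected, drop the script into the rules directory and reference it from a rule with the lua keyword as above.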
A comprehensive list of the Lua functions Suricata exposes, with examples, can be found under Lua functions (some of them, however, work only with the lua-output functionality).