[Oisf-devel] lua (jit) script keyword

Will Metcalf william.metcalf at gmail.com
Wed Sep 5 20:28:52 UTC 2012


> what is it that a Lua script gives you that you can not use a rule language
> for?

What we run into a lot of times when building rules is that we can use
normal keywords when building detection but then reach a point where
we need the ability to parse/iterate over complex structures,
match, store, check values, etc. These activities are often times very
difficult if not impossible using the existing rule lang even when
utilizing PCRE etc.  Additionally, implementing full-blown
file-format/proto parsers would be overkill. This is no secret, and
one of the reasons snort has .so rules :). Basically this is
attractive to me as a rule writer as I can implement complex logic in a
scripting lang that would otherwise require something like an .so
rule.

Regards,

Will

On Wed, Sep 5, 2012 at 11:07 AM, Peter Manev <petermanev at gmail.com> wrote:
> What is the advantage?
> Besides the fact of course that you can add your own script execution, in
> other words
> what is it that a Lua script gives you that you can not use a rule language
> for?
> is Lua pattern matching better and faster than PCRE? - how much time/coding
> would be needed, if so?
>
> On Wed, Sep 5, 2012 at 5:50 PM, Victor Julien <victor at inliniac.net> wrote:
>>
>> So Will started bugging me (again) on doing scripting from Suricata and
>> I gave in. Just committed extremely immature, incomplete, experimental
>> luajit scripting support.
>>
>> What it does is that it adds a new keyword, "luajit". There is one
>> argument, a script name. That script is then loaded from your rules
>> directory and run against a packet. No flow, http or any of that right
>> now, just packets.
>>
>> Example rule:
>> alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua; sid:1;)
>>
>> This loads the script from /etc/suricata/rules/test.lua
>>
>> The script has a "match" function that will return either 1 or 0. 1 for
>> match, 0 for no match.
>>
>> Example script:
>>
>> -- match string HTTP in packet payload
>> function match(args)
>>     -- args is a table; only the "payload" and "packet" keys exist for now
>>     for k,v in pairs(args) do
>>        if tostring(k) == "payload" then
>>             local a = tostring(v)
>>             if #a > 0 then
>>                 if a:find("HTTP") then
>>                     return 1
>>                 end
>>             end
>>         end
>>     end
>>
>>     return 0
>> end
>>
>> return 0
>> -- eof
>>
>> The fun thing is that it works, but the best joke is that on my box this
>> simple script makes no performance impact at all.
>>
>> Currently only "payload" and "packet" keys are available. More will
>> follow, or not. This is research stuff, and if we run into some major
>> obstacle we'll remove it or change it completely. Until then, let me
>> know how you feel about it :)
>>
>> Oh yeah, to enable add "--with-libluajit-includes=/usr/include/luajit-2.0/
>> --with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/" to your configure
>> line. Adapt for your distro.
>>
>> Happy scripting!
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
> --
> Regards,
> Peter Manev
>
>
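Added example (not from this thread or the Suricata project): a script for the "luajit" keyword exactly as Victor describes it, a global match(args) function that receives a table with "payload" and "packet" keys and returns 1 for match, 0 for no match, doing the kind of job Will has in mind: walking a type-length-value structure in the payload and flagging an element whose declared length runs past the end of the buffer, a check that is awkward to express with content/pcre. The 1-byte type, 2-byte big-endian length layout is a hypothetical format chosen for illustration, the file name tlv_overrun.lua and the self-test at the bottom are assumptions, and the sample payloads are constructed. Dropped into the rules directory it would be referenced from a rule as luajit:tlv_overrun.lua; in the same way as test.lua above.

```lua
-- Added example (not from the original thread or the Suricata project):
-- a luajit-keyword script in the shape described in the thread, a global
-- match(args) function reading args["payload"] and returning 1 or 0.
--
-- The TLV layout parsed here (1-byte type, 2-byte big-endian length,
-- then the value) is a hypothetical format used for illustration only.

local MAX_ELEMENTS = 64  -- bound the loop so a crafted payload cannot spin it

-- Parse consecutive TLVs from the string buf.
-- Returns the number of well-formed elements seen and true if parsing hit
-- a truncated header or an element that claimed more bytes than remained.
local function tlv_overrun(buf)
    local pos, n = 1, 0
    local len = #buf
    while pos <= len and n < MAX_ELEMENTS do
        -- a header needs three bytes: type, length high, length low
        if pos + 2 > len then
            return n, true
        end
        local _, hi, lo = buf:byte(pos, pos + 2)
        local vlen = hi * 256 + lo
        -- declared value length must fit in what is left of the buffer
        if pos + 2 + vlen > len then
            return n, true
        end
        pos = pos + 3 + vlen
        n = n + 1
    end
    return n, false
end

-- Entry point called by the luajit keyword: 1 = match, 0 = no match.
function match(args)
    local payload = args["payload"]
    if payload == nil then
        return 0
    end
    payload = tostring(payload)
    if #payload < 3 then
        return 0  -- too short to hold even one header, nothing to judge
    end
    local _, bad = tlv_overrun(payload)
    if bad then
        return 1
    end
    return 0
end

-- Self-test with constructed payloads when the file is run directly with
-- the stand-alone luajit interpreter (assumption: only that interpreter
-- sets the global arg table, so this block is skipped inside Suricata).
if arg and arg[0] then
    local good = "\1\0\2AB" .. "\2\0\0"   -- two well-formed elements
    local bad  = "\1\0\255AB"             -- claims 255 value bytes, has 2
    assert(match({payload = good}) == 0)
    assert(match({payload = bad}) == 1)
    print("ok")
end

return 0
```

The loop is bounded and every index is checked against #buf before it is used, so a payload with a bogus length makes the script return 1 rather than index past the end; since the script only sees the packet payload for now (no flow or http buffers), a structure split across segments will simply look truncated and match too, which is worth keeping in mind when writing the rule around it.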
