[Oisf-devel] lua (jit) script keyword

Peter Manev petermanev at gmail.com
Wed Sep 5 16:07:26 UTC 2012


What is the advantage?
Besides the fact, of course, that you can add your own script execution; in
other words, what is it that a Lua script gives you that you cannot use a rule
language for?
Is Lua pattern matching better and faster than PCRE? If so, how much
time/coding would be needed?

On Wed, Sep 5, 2012 at 5:50 PM, Victor Julien <victor at inliniac.net> wrote:

> So Will started bugging me (again) on doing scripting from Suricata and
> I gave in. Just committed extremely immature, incomplete, experimental
> luajit scripting support.
>
> What it does is that it adds a new keyword, "luajit". There is one
> argument, a script name. That script is then loaded from your rules
> directory and run against a packet. No flow, http or any of that right
> now, just packets.
>
> Example rule:
> alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua; sid:1;)
>
> This loads the script from /etc/suricata/rules/test.lua
>
> The script has a "match" function that will return either 1 or 0. 1 for
> match, 0 for no match.
>
> Example script:
>
> -- match string HTTP in packet payload
> function match(args)
>     for k,v in pairs(args) do
>         if tostring(k) == "payload" then
>             local a = tostring(v)   -- keep the payload in a local, not a global
>             if #a > 0 then
>                 -- plain find (4th arg true): match "HTTP" literally, no pattern magic
>                 if a:find("HTTP", 1, true) then
>                     return 1
>                 end
>             end
>         end
>     end
>
>     return 0
> end
>
> return 0
> -- eof
>
> The fun thing is that it works, but the best joke is that on my box this
> simple script makes no performance impact at all.
>
> Currently only "payload" and "packet" keys are available. More will
> follow, or not. This is research stuff, and if we run into some major
> obstacle we'll remove it or change it completely. Until then, let me
> know how you feel about it :)
>
> Oh yeah, to enable add
> "--with-libluajit-includes=/usr/include/luajit-2.0/
> --with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/" to your configure
> line. Adapt for your distro.
>
> Happy scripting!
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>



-- 
Regards,
Peter Manev
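A fuller script in the shape Victor describes, added here as an illustration and not code from the post or from the Suricata project. It keeps the contract stated above: Suricata loads the file from the rules directory, calls the global match(args) per packet, and treats 1 as a match and 0 as no match; only the "payload" and "packet" keys are assumed to exist in args, as the post says. The "suspicious HTTP request" rule it implements (unknown method, or "../" in the request-target) is a made-up example, the self-test block relies on the standalone interpreter's `arg` global (nil when Suricata loads the script), and the sample payloads are constructed. It also shows the point behind the PCRE question: Lua patterns (`%u`, `%s`, `%S`, anchors) and a plain `string.find` are what the script has to work with, not PCRE.

```lua
-- Added example (not from the original post or from Suricata): a luajit
-- keyword script. Suricata calls match(args) for each packet and expects
-- 1 (match) or 0 (no match). Assumption: args["payload"] is the raw packet
-- payload as a string, per the post; the harness at the bottom stands in for
-- Suricata when the file is run directly with luajit or lua.

-- Lua patterns, not PCRE: "%u+" is one or more upper-case letters, "%s+" is
-- whitespace, "%S+" is a run of non-space characters, "^" anchors to the start.
local REQUEST_LINE = "^(%u+)%s+(%S+)%s+HTTP/(%d%.%d)\r\n"

-- Methods we expect to see; anything else is flagged (hypothetical policy).
local KNOWN_METHODS = {
    GET = true, POST = true, HEAD = true, PUT = true, DELETE = true, OPTIONS = true,
}

-- True when the payload starts with an HTTP request line whose method is not
-- in the allow list, or whose request-target contains a literal "../".
local function suspicious_request(payload)
    local method, target = payload:match(REQUEST_LINE)
    if not method then
        return false            -- not an HTTP request line at all
    end
    if not KNOWN_METHODS[method] then
        return true
    end
    -- plain find (4th arg true): "../" is taken literally, "." is not a wildcard
    if target:find("../", 1, true) then
        return true
    end
    return false
end

-- Entry point Suricata looks up by name; must be global.
function match(args)
    local payload = args["payload"]
    if payload == nil or #payload == 0 then
        return 0
    end
    if suspicious_request(tostring(payload)) then
        return 1
    end
    return 0
end

-- Self-test with constructed packets. `arg` is set by the standalone
-- interpreter and assumed absent when Suricata loads the script, so this
-- block is skipped in the engine.
if arg then
    local cases = {
        { "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n", 0 },
        { "GET /../../etc/passwd HTTP/1.0\r\n\r\n",             1 },
        { "TRACE / HTTP/1.1\r\n\r\n",                            1 },
        { "\22\3\1 not http at all",                             0 },
        { "",                                                     0 },
    }
    for i, c in ipairs(cases) do
        local got = match({ payload = c[1], packet = c[1] })
        assert(got == c[2], ("case %d: expected %d, got %d"):format(i, c[2], got))
    end
    print("all cases passed")
end

return 0
```

Run it directly (`luajit test.lua`) to exercise the cases; drop it into the rules directory and reference it with `luajit:test.lua;` in a rule to let Suricata call match() instead. Note that a script sees the payload of one packet only, so a request line split across segments will not be seen whole by this check; that is the "no flow, http or any of that" limitation Victor mentions.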