[Oisf-devel] lua (jit) script keyword

I. Sanchez sanchezmartin.ji at gmail.com
Wed Sep 5 16:55:22 UTC 2012


I think it is a great addition and I would like to see it implemented for
HTTP streams.

There are a thousand things you could do with lua scripting in suricata.
For example, if we had lua for HTTP streams, you could write a lua script
to implement some basic machine learning algorithm over the useragents
found in the HTTP requests (and some other http headers) to detect malware
C&C communications.

Another possible use would be the creation of a lua script for the
monitoring of the parameters sent via GET or POST to your web applications,
with some machine learning to create a profile per parameter and URL, so
that it is able to understand that your id=xx (?id=4, ?id=7, id=188) is
always numeric, so it will trigger an alert if somebody attempts id=1 and
1=0.

You could do this for network security research or even as IDS/IPS for
production environments. Luajit was created with performance in mind, so it
should be fast enough to support such implementations.

IMHO triggering a lua script per packet could be too excessive for
production environments, but triggering a lua script per HTTP transaction
(and in the future, per SMTP transaction) should be feasible.

Regards,

  Ignacio Sanchez

On Wed, Sep 5, 2012 at 6:17 PM, Victor Julien <victor at inliniac.net> wrote:

> On 09/05/2012 06:07 PM, Peter Manev wrote:
> > What is the advantage?
> > Besides the fact of course that you can add your own script execution,
> > in other words
> > what is it that a Lua script gives you that you cannot use a rule
> > language for?
> > Is Lua pattern matching better and faster than PCRE? How much
> > time/coding would be needed, if so?
>
> It's a whole scripting language, so there will be much more flexibility
> when it comes to detection. We'll have to see how this will perform, so
> it's hard to say how useful it will be. But I think for starters we
> should treat it like pcre, in other words try to add prefilters like
> regular "content" matches.
>
> >
> >
> >
> >
> > On Wed, Sep 5, 2012 at 5:50 PM, Victor Julien <victor at inliniac.net
> > <mailto:victor at inliniac.net>> wrote:
> >
> >     So Will started bugging me (again) on doing scripting from Suricata
> >     and I gave in. Just committed extremely immature, incomplete,
> >     experimental luajit scripting support.
> >
> >     What it does is that it adds a new keyword, "luajit". There is one
> >     argument, a script name. That script is then loaded from your rules
> >     directory and run against a packet. No flow, http or any of that
> >     right now, just packets.
> >
> >     Example rule:
> >     alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua;
> >     sid:1;)
> >
> >     This loads the script from /etc/suricata/rules/test.lua
> >
> >     The script has a "match" function that will return either 1 or 0.
> >     1 for match, 0 for no match.
> >
> >     Example script:
> >
> >     -- match string HTTP in packet payload
> >     function match(args)
> >         -- args is a table of named buffers; only "payload" is inspected
> >         for k, v in pairs(args) do
> >             if tostring(k) == "payload" then
> >                 local a = tostring(v)
> >                 if #a > 0 then
> >                     if a:find("HTTP") then
> >                         return 1
> >                     end
> >                 end
> >             end
> >         end
> >
> >         return 0
> >     end
> >
> >     return 0
> >     -- eof
> >
> >     The fun thing is that it works, but the best joke is that on my box
> >     this simple script makes no performance impact at all.
> >
> >     Currently only "payload" and "packet" keys are available. More will
> >     follow, or not. This is research stuff, and if we run into some major
> >     obstacle we'll remove it or change it completely. Until then, let me
> >     know how you feel about it :)
> >
> >     Oh yeah, to enable add
> >     "--with-libluajit-includes=/usr/include/luajit-2.0/
> >     --with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/"
> >     to your configure line. Adapt for your distro.
> >
> >     Happy scripting!
> >
> >     --
> >     ---------------------------------------------
> >     Victor Julien
> >     http://www.inliniac.net/
> >     PGP: http://www.inliniac.net/victorjulien.asc
> >     ---------------------------------------------
> >
> >     _______________________________________________
> >     Oisf-devel mailing list
> >     Oisf-devel at openinfosecfoundation.org
> >     <mailto:Oisf-devel at openinfosecfoundation.org>
> >     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> >
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
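The per-parameter profiling idea from the top of this message, written as a script in the shape the experimental "luajit" keyword expects. This is an added example and not code from the thread or from Suricata. It assumes only the "payload" key Victor says is currently available (no http buffers yet), so it parses the request line itself and therefore only sees packets whose TCP payload starts with the HTTP request line; the filename param_profile.lua and the "always numeric" profile table are constructed stand-ins for a learned per-URL model.

```lua
-- param_profile.lua (added example, not from the original thread)
-- A "match" script in the shape the experimental luajit keyword expects,
-- implementing the per-parameter profile idea using only the "payload"
-- key that the keyword currently exposes.  The profile below is a
-- constructed stand-in for the learned per-URL/per-parameter model.

-- Constructed profile: parameters that must always be purely numeric.
local numeric_params = { id = true, page = true }

-- Fetch the raw payload the same way the original test.lua does.
local function get_payload(args)
    for k, v in pairs(args) do
        if tostring(k) == "payload" then
            return tostring(v)
        end
    end
    return nil
end

-- Decode '+' and %XX so that "1%20and%201=0" is examined as "1 and 1=0";
-- checking only the encoded form would let trivial encoding bypass the profile.
local function urldecode(s)
    s = s:gsub("%+", " ")
    s = s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end)
    return s
end

-- Parse the query string out of an HTTP request line at the start of the
-- payload.  Returns nil if the payload does not begin with a request line
-- (per-packet scripts see raw segments, not reassembled HTTP transactions).
local function query_params(payload)
    local target = payload:match("^%u+ (%S+) HTTP/%d%.%d\r?\n")
    if not target then return nil end
    local params = {}
    local query = target:match("%?(.*)$")
    if not query then return params end
    for pair in query:gmatch("[^&]+") do
        local k, v = pair:match("^([^=]*)=?(.*)$")
        params[urldecode(k)] = urldecode(v)
    end
    return params
end

-- Entry point called by Suricata: 1 = match (alert), 0 = no match.
function match(args)
    local payload = get_payload(args)
    if payload == nil or #payload == 0 then return 0 end
    local params = query_params(payload)
    if params == nil then return 0 end
    for name, value in pairs(params) do
        -- Any non-digit in a profiled parameter (e.g. id=1 and 1=0, or an
        -- empty id=) violates the "always numeric" profile.
        if numeric_params[name] and not value:match("^%d+$") then
            return 1
        end
    end
    return 0
end

return 0
-- eof
```

Dropped into the rules directory and referenced from a rule with `luajit:param_profile.lua;` as in the example rule above, a request line such as `GET /item?id=1%20and%201=0 HTTP/1.1` returns 1 while `GET /item?id=188 HTTP/1.1` returns 0. Because this runs per packet rather than per HTTP transaction, a request line split across segments or sent in a POST body is not seen; that is the gap the HTTP-transaction hook discussed above would close.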