[Oisf-devel] lua (jit) script keyword

Chris Wakelin c.d.wakelin at reading.ac.uk
Fri Sep 7 16:52:49 UTC 2012


I've had a quick look at this, but I've never done anything in Lua, so
it may take me a while to write a useful rule using it :)

One quick question though; a deficiency in using PCRE is coping with
randomly XOR-ed binaries. I'd quite like a rule that could spot them by
say XOR-ing every 5th byte for 2n bytes to spot the Zelix obfuscator as
used in Blackhole jars (though the zip compression may make this
infeasible) or every 2nd byte to spot 2-byte XOR-ers.

However, there aren't any bitwise operators in Lua 5.1, though there is
a "BitOp" extension (bitop.luajit.org). Would this work in Suricata?

Best Wishes,
Chris

On 05/09/12 16:50, Victor Julien wrote:
> So Will started bugging me (again) on doing scripting from Suricata and
> I gave in. Just committed extremely immature, incomplete, experimental
> luajit scripting support.
> 
> What it does is that it adds a new keyword, "luajit". There is one
> argument, a script name. That script is then loaded from your rules
> directory and run against a packet. No flow, http or any of that right
> now, just packets.
> 
> Example rule:
> alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua; sid:1;)
> 
> This loads the script from /etc/suricata/rules/test.lua
> 
> The script has a "match" function that will return either 1 or 0. 1 for
> match, 0 for no match.
> 
> Example script:
> 
> -- match string HTTP in packet payload
> function match(args)
>     -- args is a table; only the "payload" and "packet" keys exist today
>     for k,v in pairs(args) do
>         if tostring(k) == "payload" then
>             local a = tostring(v)
>             if #a > 0 then
>                 -- find() takes a Lua pattern; "HTTP" has no magic
>                 -- characters, so this is a plain substring search
>                 if a:find("HTTP") then
>                     return 1
>                 end
>             end
>         end
>     end
> 
>     return 0
> end
> 
> return 0
> -- eof
> 
> The fun thing is that it works, but the best joke is that on my box this
> simple script makes no performance impact at all.
> 
> Currently only "payload" and "packet" keys are available. More will
> follow, or not. This is research stuff, and if we run into some major
> obstacle we'll remove it or change it completely. Until then, let me
> know how you feel about it :)
> 
> Oh yeah, to enable add
> "--with-libluajit-includes=/usr/include/luajit-2.0/
> --with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/" to your configure
> line. Adapt for your distro.
> 
> Happy scripting!
> 


-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
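
An added example, not code from either post or from Suricata itself: a script in the match(args) shape Victor describes, answering Chris's question by recovering a repeating XOR key of length 1, 2 or 4 from a known plaintext marker rather than brute-forcing 256 keys per byte. It assumes args["payload"] carries the raw payload bytes as a string and that the "bit" library is reachable through require("bit"), which LuaJIT builds in (Lua BitOp offers the same API for plain Lua 5.1). The marker string, the key lengths and the sample payload in the self-test are constructed for illustration and are not a Blackhole or Zelix signature.

```lua
-- Added example, not from the original posts. Assumes the "luajit" keyword
-- contract (match(args) with args["payload"], returning 1 or 0) and that
-- require("bit") works; LuaJIT ships the bit library built in.
local bit = require("bit")
local bxor = bit.bxor

-- Known plaintext expected inside the decoded file. The PE stub string is
-- a real one, but it stands in for whatever marker the analyst picks.
local MARKER = "This program cannot be run in DOS mode"

-- Key lengths to try: 1 (single-byte XOR), 2 (Chris's "2-byte XOR-ers"), 4.
-- Each costs about #payload * #MARKER byte operations per packet.
local KEY_LENGTHS = { 1, 2, 4 }

-- Look for MARKER in payload encoded with a repeating XOR key of keylen
-- bytes. At each offset the first keylen marker bytes fix the key; the
-- remaining marker bytes are then checked against it. Returns the 1-based
-- offset and the key as a table of bytes, or nil if nothing matches.
local function find_xored(payload, marker, keylen)
    local plen, mlen = #payload, #marker
    if mlen < keylen then return nil end
    for off = 1, plen - mlen + 1 do
        local key = {}
        for j = 1, keylen do
            key[j] = bxor(payload:byte(off + j - 1), marker:byte(j))
        end
        local ok = true
        for j = keylen + 1, mlen do
            local k = key[((j - 1) % keylen) + 1]
            if bxor(payload:byte(off + j - 1), k) ~= marker:byte(j) then
                ok = false
                break
            end
        end
        if ok then
            -- An all-zero key means the marker is in the clear; that is a
            -- job for ordinary content matching, so it is skipped here.
            local allzero = true
            for j = 1, keylen do
                if key[j] ~= 0 then allzero = false; break end
            end
            if not allzero then return off, key end
        end
    end
    return nil
end

-- Entry point called by the luajit keyword: 1 for match, 0 for no match.
function match(args)
    local payload = args["payload"]
    if payload == nil then return 0 end
    payload = tostring(payload)
    if #payload == 0 then return 0 end
    for _, klen in ipairs(KEY_LENGTHS) do
        local off = find_xored(payload, MARKER, klen)
        if off then return 1 end
    end
    return 0
end

-- Self-test when run as "luajit xor_marker.lua" (file name assumed); the
-- standalone interpreter sets the global arg table, Suricata does not.
if arg and arg[0] then
    -- Constructed sample: MARKER encoded with the 2-byte key 0x5A 0xA5,
    -- preceded by a few bytes of padding.
    local key = { 0x5A, 0xA5 }
    local out = { "\0\0\0junk" }
    for j = 1, #MARKER do
        out[#out + 1] = string.char(bxor(MARKER:byte(j), key[((j - 1) % 2) + 1]))
    end
    local sample = table.concat(out)
    assert(match({ payload = sample }) == 1)
    assert(match({ payload = "nothing to see here" }) == 0)
    print("ok")
end

return 0
```

Under the luajit keyword only match() is invoked per packet, so the self-test block never runs there. The key derivation means a period-n key is found in one pass rather than 256^n tries, but, as Chris notes, it only helps where the XOR-ed bytes are the bytes on the wire: a jar's deflate stream hides the marker before the XOR is ever seen.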


