<div dir="ltr"><p dir="ltr">Actually, after a bit more investigation, it's clear that this TLS/LUA script is not working. In actually getting redirected back to HTTP by most of my test sites, which then trigger my HTTP-based LUA script. Here is the simple LUA script that references the TLS buffers:</p><p dir="ltr"><b><i>function init (args)</i></b><br></p><p dir="ltr"><b><i> local needs = {}</i></b></p><p dir="ltr"><b><i> needs["tls.subject"] = tostring(true)</i></b></p><p dir="ltr"><b><i> return needs</i></b></p><p dir="ltr"><b><i>end</i></b></p><p dir="ltr"><b><i>function match(args)</i></b><br></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>local file = assert(io.open("blacklists/shopping/domains", "r"))</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>local current_url = tostring(args["tls.subject"])</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>if #current_url > 0 then</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>for line in file:lines() do</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>if current_url:find(line) then</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>return 1</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>end</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>end</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>end</i></b></p><p dir="ltr"><b><i>return 0</i></b></p><p dir="ltr"><b><i>end</i></b></p><div><div>and corresponding suricata rule:</div><div><div><b><i>reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS $$$ - DROPPED"; flow:established; luajit:bl_shopping_https.lua; sid:10001008; rev:1;)</i></b><br></div></div></div><div><br></div><div>I have tried referencing both "tls.subject" and "tls.sni" within my scripts (see below) but none gets matched by my script. <br></div><p dir="ltr"><br></p>
<p dir="ltr">Note that the equivalent HTTP-based LUA script works fine:</p><p dir="ltr"><b><i>function init (args)</i></b></p><p dir="ltr"><b><i> local needs = {}</i></b></p><p dir="ltr"><b><i> needs["http.request_headers"] = tostring(true)</i></b></p><p dir="ltr"><b><i> return needs</i></b></p><p dir="ltr"><b><i>end</i></b></p><p dir="ltr"><b><i>function match(args)</i></b><br></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>local file = assert(io.open("blacklists/shopping/domains", "r"))</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>local current_url = tostring(args["http.request_headers"])</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>if #current_url > 0 then</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>for line in file:lines() do</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>if current_url:find(line) then</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>return 1</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>end</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>end</i></b></p><p dir="ltr"><b><i><span class="Apple-tab-span" style="white-space:pre"> </span>end</i></b></p><p dir="ltr"><b><i>return 0</i></b></p><p dir="ltr"><b><i>end</i></b></p><div>and corresponding suricata rule:</div><div><div><b><i>reject tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LUA DROP Shopping! OUTBOUND"; flow:established,to_server; content:"GET"; http_method; luajit:bl_shopping.lua; sid:10001007; rev:1;)<br></i></b></div></div><div><br></div><div><br></div>
<p dir="ltr">Also, a traditional, one-off TLS-based suricata rule also works fine:</p><p dir="ltr"><b><i>reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"WELLSFARGO TLS BLOCKED INBOUND"; flow:established; tls.subject:"CN=<a href="http://www.wellsfargo.com">www.wellsfargo.com</a>"; sid:10001002; rev:1;)</i></b></p><p dir="ltr">Any ideas? What's a good way to debug the LUA script calls in Suricata? Perhaps I could place some debug (print) statements into the script and write them all to a file?<br>
</p><p dir="ltr">Thanks everybody!<br></p><p>-Nasir</p>
<div> Sent using <a href="https://cloudmagic.com/k/d/mailapp?ct=pa&cv=8.0.91&pv=6.0.1&source=email_footer_2" target="_blank">CloudMagic Email</a> </div><div style="color:#787878">On Wed, Dec 30, 2015 at 3:53 AM, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:</div><br><div style="background:rgb(255,255,255)"><blockquote><p dir="ltr"> On Tue, 2015-12-29 at 20:28 +0000, Nasir Bilal wrote:
<br>
> Great. BTW the new TLS buffers work great! Here's an example of a
<br>
> working sample Lua script used to test the new functionality:
<br>
>
<br>
>
<br>
> Suricata Rule:
<br>
> ##############
<br>
>
<br>
> reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS SPORTS -
<br>
> DROPPED"; flow:established; luajit:bl_sports_https.lua; sid:10001008;
<br>
> rev:1;)
<br>
>
<br>
> ##############
<br>
>
<br>
> Lua Script: (bl_sports_https.lua)
<br>
> ##############
<br>
> function init (args)
<br>
> local needs = {}
<br>
> needs["tls.subject"] = tostring(true)
<br>
> return needs
<br>
> end
<br>
>
<br>
>
<br>
> function match(args)
<br>
> file = assert(io.open("blacklists/sports/domains", "r"))
<br>
> current_url = tostring(args["tls.subject"])
<br>
> if #current_url > 0 then
<br>
> for line in file:lines() do
<br>
> if current_url:find(line) then
<br>
> return 1
<br>
> end
<br>
> end
<br>
> end
<br>
> return 0
<br>
> end
<br>
> ##############
<br>
>
<br>
>
<br>
> NOTE: the "blacklists/sports/domains" file is just a flat text file
<br>
> containing all the pages we wish to block in this test.
<br>
>
<br>
>
<br>
> Regards,
<br>
> Nasir
<br>
>
<br>
> On Tue, Dec 29, 2015 at 12:40 PM Jason Ish <<a href="mailto:lists@unx.ca" target="_blank">lists@unx.ca</a>> wrote:
<br>
>
<br>
> On Tue, Dec 29, 2015 at 10:58 AM, Nasir Bilal
<br>
> <<a href="mailto:bilalbox@gmail.com" target="_blank">bilalbox@gmail.com</a>> wrote:
<br>
> > Jason,
<br>
> >
<br>
> > Thanks, that's great! Yes, we should update the
<br>
> documentation. Is that
<br>
> > something anybody can do?
<br>
<br>
FYI (not sure if you have seen it) - There is some documentation here
<br>
-
<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#TLS" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#TLS</a>
<br>
<br>
<br>
>
<br>
> Yes, I believe you just need an account on Redmine. The docs
<br>
> are
<br>
> migrating to Sphinx and updates will be handled with pull
<br>
> requests at
<br>
> some point in the hopefully near future. But for now I have a
<br>
> "watch"
<br>
> on the Wiki to migrate changes made by others.
<br>
>
<br>
> Jason
<br>
> _______________________________________________
<br>
> Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a>
<br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a>
<br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a>
<br>
> Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a>
<br>
> Developer Training in Copenhagen Sept 14-18: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a>
<br>
<br>
<br>
</p>
</blockquote></div></div>