<div dir="ltr"><div>I am experimenting with Lua scripting, more specifically the streaming API. I have tried to follow the examples in the documentation, but I get an error when I do so.</div><div><br></div><div>For instance, if I define the following in my Lua script (as per the documentation at <a href="https://suricata.readthedocs.io/en/suricata-4.1.6/lua/lua-functions.html#streaming-data">https://suricata.readthedocs.io/en/suricata-4.1.6/lua/lua-functions.html#streaming-data</a>):</div><div><pre>function init (args)
    local needs = {}
    needs["type"] = "streaming"
    needs["protocol"] = "http"
    return needs
end
</pre></div><div>I get the following error:</div><div>17/3/2020 -- 10:38:08 - &lt;Notice&gt; - This is Suricata version 4.1.6 RELEASE<br>17/3/2020 -- 10:38:08 - &lt;Error&gt; - [ERRCODE: SC_ERR_LUA_ERROR(212)] - unsupported data type protocol<br>17/3/2020 -- 10:38:08 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -&gt; any any (msg:"match http body lua";content:"GET"; http_method; luajit:scripts/http-body-content-detection.lua;sid:204; rev:1;)" from file /var/lib/suricata/rules/http-test.rules at line 17</div><div><br></div><div>I looked at the source code, and it does not seem to be possible to match on the protocol key. And for http, it seems like we need to specify the exact fields, like http.response_body. However, we cannot specify both streaming and http.xxx keys, as it looks like the engine can only support one buffer when http traffic is processed.</div><div><br></div><div>Now, knowing that, if I change the init function to be:</div><div><pre>function init (args)
    local needs = {}
    needs["type"] = "streaming"
    return needs
end
</pre></div><div>I get the following error:</div><div>17/3/2020 -- 10:46:01 - &lt;Error&gt; - [ERRCODE: SC_ERR_LUA_ERROR(212)] - unsupported data type type<br>17/3/2020 -- 10:46:01 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -&gt; any any (msg:"match http body lua";content:"GET"; http_method; luajit:scripts/http-body-content-detection.lua;sid:204; rev:1;)" from file /var/lib/suricata/rules/http-test.rules at line 17</div><div><br></div><div>Looking at the source code, it looks like it is not so much the type key that needs to be used, but the stream key. Here is what it should look like:</div><div><pre>function init (args)
    local needs = {}
    needs["stream"] = tostring(true)
    return needs
end
</pre></div><div>I think there are a couple of places in the doc that need to be fixed to comply with the actual source code. First, in the <a href="https://suricata.readthedocs.io/en/suricata-4.1.6/lua/lua-functions.html#streaming-data">https://suricata.readthedocs.io/en/suricata-4.1.6/lua/lua-functions.html#streaming-data</a> section. And also in the HTTP section, we should stop making reference to the protocol key, as this key is not recognized. We should instead make reference to the specific http keys, like http.response_body, in the examples.</div><div><br></div><div>While researching this problem, I also encountered a mail on this mailing list that reported that the statement needs["protocol"] = "tls" encountered a similar problem and that the documentation was supposed to be updated with needs["tls"] = tostring(true). However, when I test this statement in a Lua script, I get the following error:</div><div>17/3/2020 -- 10:57:23 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -&gt; any any (msg:"match http body lua";content:"GET"; http_method; luajit:scripts/http-body-content-detection.lua;sid:204; rev:1;)" from file /var/lib/suricata/rules/http-test.rules at line 17<br>17/3/2020 -- 10:57:23 - &lt;Error&gt; - [ERRCODE: SC_ERR_LUA_ERROR(212)] - couldn't load file: cannot open : No such file or directory<br>17/3/2020 -- 10:57:23 - &lt;Error&gt; - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - setting up thread local detect ctx for keyword "lua" failed<br>17/3/2020 -- 10:57:23 - &lt;Error&gt; - [ERRCODE: SC_ERR_LUA_ERROR(212)] - couldn't load file: cannot open : No such file or directory<br>17/3/2020 -- 10:57:23 - &lt;Error&gt; - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - setting up thread local detect ctx for keyword "lua" failed<br></div><div><br></div><div>I can't really explain this error. Is TLS support in Lua broken in 4.1.6?</div><div><br></div><div>Martin<br></div><div><br></div></div>