<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On 14 December 2015 at 12:05, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On 14-12-15 12:50, Marius wrote:<br>
> Hey,<br>
><br>
> I completed the LuaJIT script so that it<br>
> works: <a href="https://gist.github.com/norandom/f3d5006b858c77810e63" rel="noreferrer" target="_blank">https://gist.github.com/norandom/f3d5006b858c77810e63</a><br>
<br>
</span>That doesn't seem to be a good approach.<br>
<br>
I would suggest having a look at<br>
<a href="https://github.com/EmergingThreats/et-luajit-scripts/blob/master/suri-styx-url.lua" rel="noreferrer" target="_blank">https://github.com/EmergingThreats/et-luajit-scripts/blob/master/suri-styx-url.lua</a><br>
<br>
It shows how you can get just the URI.<br>
<span class=""><br></span></blockquote><div><br></div><div>I am aware of this, but I want the UR_L_. That is the point of this. URI matching can be done much easier.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">
><br>
> Some of the exported functions to the Lua API have been removed over<br>
> time. So if you google for scripts, the ones which have functions which<br>
> are not documented here, do not work any more:<br>
> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting</a><br>
<br>
</span>I don't think we've removed anything. Keep in mind that we support much<br>
more in our dev code (3.0dev).<br></blockquote><div><br></div><div>Most functions from here are gone: <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output</a> </div><div><pre style="font-family:Consolas,Menlo,'Liberation Mono',Courier,monospace;margin:1em 1em 1em 1.6em;padding:8px;border:1px solid rgb(226,226,226);border-radius:3px;width:auto;color:rgb(51,51,51);font-size:12px;background-color:rgb(250,250,250)"> SCLogInfo()</pre></div><div><pre style="font-family:Consolas,Menlo,'Liberation Mono',Courier,monospace;margin:1em 1em 1em 1.6em;padding:8px;border:1px solid rgb(226,226,226);border-radius:3px;width:auto;color:rgb(51,51,51);font-size:12px;background-color:rgb(250,250,250)">HttpGetRequestUriRaw()</pre></div><div>For example.</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
The example script above show work with 2.0.x though.<br>
<br>
Cheers,<br>
Victor<br>
<span class="im"><br>
<br>
><br>
> * I don't think that a awk -F " " {'print $2$4'} http.log | grep -f<br>
> bad_urls.txt is a good alerting workflow, because I want this to be<br>
> handled by an IDS engine. Sure you can pipe matches into syslog and<br>
> configure an event trigger, but this is an additional process. It needs<br>
> to be reliable and report matches in real time and so on. Suri's Lua<br>
> scripting should cover this in a better way.<br>
><br>
> * On a related note I did not have success with this script and the http<br>
> keyword in the Suricata rule instead of TCP. For an odd reason I do<br>
> _not_ see outgoing requests when I used "tcp" on my test machine. This<br>
> is the reason why I do the protocol detection in Lua for HTTP and that<br>
> is why I use the "tcp" keyword. This is probably a bug in the payload<br>
> buffer access.<br>
><br>
> * I would also like to get access to multiple http buffers at a time, so<br>
> be able to use the http functions instead of payload.<br>
> * I am also looking for a good way to debug these Lua scripts, without<br>
> file output and try & error.<br>
><br>
> Best,<br>
> Marius<br>
><br>
><br>
> On 10 December 2015 at 19:49, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a><br>
</span><span class="im">> <mailto:<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>>> wrote:<br>
><br>
> Easiest/fasted way as mentioned would be to use the http logging and<br>
> fgrep, as mentioned.<br>
><br>
> If you want live alerts, I would write a script to generate to http<br>
> signatures from a file. I did something like this recently using a<br>
> simple loop and a template like this:<br>
><br>
>> alert http any any -> any any (msg:"LOCAL known bad uri $URI";<br>
> flow:to_server,established; content:"$URI"; http_uri;<br>
> classtype:trojan-activity; sid:$SID;)<br>
><br>
</span><span class="im">> -Coop<br>
><br>
> On 12/10/2015 8:56 AM, Marius wrote:<br>
>> Hi,<br>
><br>
>> I am working on a way for URL matching using Suri (2.0.8, but I can<br>
>> upgrade)<br>
><br>
>> I think the easiest way is using LuaJIT in a rule. The use case is<br>
>> matching "bad URLs" - which are from dynamic Malware analysis.<br>
><br>
><br>
><br>
><br>
><br>
><br>
</span><span class="im">> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
><br>
<br>
</span><span class=""><font color="#888888">--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</font></span><div class=""><div class="h5"><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a></div></div></blockquote></div><br></div></div>