<div dir="ltr">Hey, <div><br></div><div>I completed the LuaJIT script so that it works: <a href="https://gist.github.com/norandom/f3d5006b858c77810e63">https://gist.github.com/norandom/f3d5006b858c77810e63</a> </div><div><br></div><div>Some of the exported functions to the Lua API have been removed over time. So if you google for scripts, the ones which have functions that are not documented here do not work any more: </div><div><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting</a> <br></div><div><br></div><div><br></div><div>* I don't think that an awk -F " " {'print $2$4'} http.log | grep -f bad_urls.txt is a good alerting workflow, because I want this to be handled by an IDS engine. Sure you can pipe matches into syslog and configure an event trigger, but this is an additional process. It needs to be reliable and report matches in real time and so on. Suri's Lua scripting should cover this in a better way.<br></div><div><br></div><div>* On a related note I did not have success with this script and the http keyword in the Suricata rule instead of TCP. For an odd reason I do _not_ see outgoing requests when I used "tcp" on my test machine. This is the reason why I do the protocol detection in Lua for HTTP and that is why I use the "tcp" keyword. This is probably a bug in the payload buffer access. </div><div><br></div><div>* I would also like to get access to multiple http buffers at a time, so as to be able to use the http functions instead of payload.</div><div>* I am also looking for a good way to debug these Lua scripts, without file output and trial and error.</div><div><br></div><div>Best,</div><div>Marius</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 10 December 2015 at 19:49, Cooper F. 
Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Easiest/fastest way as mentioned would be to use the http logging and<br>
fgrep, as mentioned.<br>
<br>
If you want live alerts, I would write a script to generate http<br>
signatures from a file. I did something like this recently using a<br>
simple loop and a template like this:<br>
<br>
> alert http any any -> any any (msg:"LOCAL known bad uri $URI"; flow:to_server,established; content:"$URI"; http_uri; classtype:trojan-activity; sid:$SID;)<br>
<br>
-Coop<br>
<span class=""><br>
On 12/10/2015 8:56 AM, Marius wrote:<br>
> Hi,<br>
><br>
> I am working on a way for URL matching using Suri (2.0.8, but I can<br>
> upgrade)<br>
><br>
> I think the easiest way is using LuaJIT in a rule. The use case is<br>
> matching "bad URLs" - which are from dynamic Malware analysis.<br>
<br>
<br>
</span>--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
</blockquote></div><br></div>