[Oisf-devel] lua (jit) script keyword
Victor Julien
victor at inliniac.net
Wed Sep 5 15:50:39 UTC 2012
So Will started bugging me (again) on doing scripting from Suricata and
I gave in. Just committed extremely immature, incomplete, experimental
luajit scripting support.
What it does is that it adds a new keyword, "luajit". There is one
argument, a script name. That script is then loaded from your rules
directory and run against a packet. No flow, http or any of that right
now, just packets.
Example rule:
alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua; sid:1;)
This loads the script from /etc/suricata/rules/test.lua
The script has a "match" function that will return either 1 or 0. 1 for
match, 0 for no match.
Example script:
-- match string HTTP in packet payload
function match(args)
    -- args is a table; currently only the "payload" and "packet" keys are set
    for k, v in pairs(args) do
        if tostring(k) == "payload" then
            local a = tostring(v)  -- local, so the buffer does not leak into a global
            if #a > 0 then
                if a:find("HTTP") then
                    return 1  -- match
                end
            end
        end
    end
    return 0  -- no match
end
return 0
-- eof
The fun thing is that it works, but the best joke is that on my box this
simple script makes no performance impact at all.
Currently only "payload" and "packet" keys are available. More will
follow, or not. This is research stuff, and if we run into some major
obstacle we'll remove it or change it completely. Until then, let me
know how you feel about it :)
Oh yeah, to enable add
"--with-libluajit-includes=/usr/include/luajit-2.0/ --with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/"
to your configure line. Adapt for your distro.
Happy scripting!
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
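The following is an added example for the interface the post describes (a "match" function that receives an args table with "payload" and "packet" keys and returns 1 or 0); it is not Victor's code and not part of Suricata. It assumes only what the post states about that interface. It goes a step beyond the post's script by using a plain (non-pattern) string search so that metacharacters in the needle are taken literally, and by lower-casing the buffer before looking for a header name, since HTTP header names are case-insensitive and a case-sensitive search would miss "host:" or "HOST:".

```lua
-- Added example script for the luajit keyword (not from the original post).
-- Assumed interface, as described in the announcement: Suricata calls
-- match(args) with a table holding the "payload" (and "packet") bytes and
-- expects 1 for match, 0 for no match.

-- HTTP request methods we want at the start of the payload. Methods are
-- case-sensitive per the HTTP spec, so no lower-casing here.
local methods = { "GET ", "POST ", "HEAD " }

-- Return true when buf starts with one of the request methods above.
local function starts_with_method(buf)
    for _, m in ipairs(methods) do
        if buf:sub(1, #m) == m then
            return true
        end
    end
    return false
end

function match(args)
    local payload = args["payload"]
    if payload == nil then
        return 0
    end
    payload = tostring(payload)
    if #payload == 0 then
        return 0
    end

    -- Require a request line followed somewhere by a Host header. The fourth
    -- argument of string.find (true) selects a plain search, so the "\r\n"
    -- and ":" in the needle are matched literally rather than as a pattern.
    -- Header names are case-insensitive, hence the lower() on the haystack.
    if starts_with_method(payload)
        and payload:lower():find("\r\nhost:", 1, true) then
        return 1
    end
    return 0
end

-- The post's example script ends the chunk with a return 0; mirrored here.
return 0
```

To try it, drop the file into the rules directory as the post describes and reference it from a rule with the luajit keyword, e.g. luajit:http_request.lua (the file name is an assumption).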