[Oisf-devel] lua (jit) script keyword
Victor Julien
victor at inliniac.net
Wed Sep 5 17:04:27 UTC 2012
On 09/05/2012 06:55 PM, I. Sanchez wrote:
> I think it is great addition and I would like to see it implemented for
> HTTP streams.
>
> There are a thousand things you could do with lua scripting in suricata.
> For example, if we had lua for HTTP streams, you could write a lua
> script to implement some basic machine learning algorithm over the
> useragents found in the HTTP requests (and some other http headers) to
> detect malware C&C communications.
>
> Another possible use would be the creation of a lua script for the
> monitoring of the parameters sent via GET or POST to your web
> applications, with some machine learning to create a profile per
> parameter and URL, so that it is able to understand that your id=xx
> (?id=4, ?id=7, id=188) is always numeric, so it will trigger an alert if
> somebody attempts id=1 and 1=0.
>
> You could do this for network security research or even as IDS/IPS for
> production environments. Luajit was created with performance in mind, so
> it should be fast enough to support such implementations.
>
> IMHO triggering a lua script per packet could be too excessive for
> production environments, but triggering a lua script per HTTP
> transaction (and in the future, per SMTP transaction) should be feasible.
Thank Ignacio, this is exactly the type of innovative thinking we hope
to trigger by adding such a feature. Now the big question is how to make
it technically good enough to support use cases like what you describe
above.
So let's start testing :)
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list