[Oisf-devel] lua (jit) script keyword

Victor Julien victor at inliniac.net
Wed Sep 5 17:29:29 UTC 2012

On 09/05/2012 07:21 PM, Martin Holste wrote:
> I think there's a lot that can be done, and I like where Ignacio is
> headed, but it's going to be tough to get very far until the HTTP data
> is available, so I'm thinking that we can't do a whole lot with it
> until then.
> Here's a basic Lua question:  In this scenario, what kind of storage
> does Lua have access while remaining fast?  Can it store info in
> tables, and if so, are these available between threads?

No, at this point there is no state (I guess a disk state would be
possible but probably horrible performance wise).

We could investigate if storing data in the flow would be feasible,
maybe we can expose the flowint, flowvars and flowbits features to it

I'll probably add access to the HTTP fields and stream payload later
this week or soon after.

> On Wed, Sep 5, 2012 at 12:04 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 09/05/2012 06:55 PM, I. Sanchez wrote:
>>> I think it is great addition and I would like to see it implemented for
>>> HTTP streams.
>>> There are a thousand things you could do with lua scripting in suricata.
>>> For example, if we had lua for HTTP streams, you could write a lua
>>> script to implement some basic machine learning algorithm over the
>>> useragents found in the HTTP requests (and some other http headers) to
>>> detect malware C&C communications.
>>> Another possible use would be the creation of a lua script for the
>>> monitoring of the parameters sent via GET or POST to your web
>>> applications, with some machine learning to create a profile per
>>> parameter and URL, so that it is able to understand that your id=xx
>>> (?id=4, ?id=7, id=188) is always numeric, so it will trigger an alert if
>>> somebody attempts id=1 and 1=0.
>>> You could do this for network security research or even as IDS/IPS for
>>> production environments. Luajit was created with performance in mind, so
>>> it should be fast enough to support such implementations.
>>> IMHO triggering a lua script per packet could be too excessive for
>>> production environments, but triggering a lua script per HTTP
>>> transaction (and in the future, per SMTP transaction) should be feasible.
>> Thank Ignacio, this is exactly the type of innovative thinking we hope
>> to trigger by adding such a feature. Now the big question is how to make
>> it technically good enough to support use cases like what you describe
>> above.
>> So let's start testing :)
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list