[Oisf-devel] lua (jit) script keyword

Victor Julien victor at inliniac.net
Fri Sep 7 17:39:57 UTC 2012


On 09/07/2012 06:52 PM, Chris Wakelin wrote:
> I've had a quick look at this, but I've never done anything in Lua, so
> it may take me a while to write a useful rule using it :)
> 
> One quick question though; a deficiency in using PCRE is coping with
> randomly XOR-ed binaries. I'd quite like a rule that could spot them by
> say XOR-ing every 5th byte for 2n bytes to spot the Zelix obfuscator as
> used in Blackhole jars (though the zip compression may make this
> infeasible) or every 2nd byte to spot 2-byte XOR-ers.
> 
> However, there aren't any bitwise operators in Lua 5.1, though there is
> a "BitOp" extension (bitop.luajit.org). Would this work in Suricata?

Appears so, ya :) The below does nothing useful, but it does appear to
actually right shift as instructed.

function init (args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end


-- return match via table
function match(args)
    local result = {}
    local bit = require("bit")
    local rshift = bit.rshift

    for k,v in pairs(args) do
        print (tostring(k))
        if tostring(k) == "packet" then
            -- debug only: print each packet byte next to its value shifted right by 5
            local a = tostring(v)
            for i=1, #a, 1 do
                local jx = rshift(a:byte(i),5);
                print (jx, a:byte(i));
            end
        end
    end

    result["retval"] = tostring(1)
    return result
end

return 0



> Best Wishes,
> Chris
> 
> On 05/09/12 16:50, Victor Julien wrote:
>> So Will started bugging me (again) on doing scripting from Suricata and
>> I gave in. Just committed extremely immature, incomplete, experimental
>> luajit scripting support.
>>
>> What it does is that it adds a new keyword, "luajit". There is one
>> argument, a script name. That script is then loaded from your rules
>> directory and ran against a packet. No flow, http or any of that right
>> now, just packets.
>>
>> Example rule:
>> alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua; sid:1;)
>>
>> This loads the script from /etc/suricata/rules/test.lua
>>
>> The script has a "match" function that will return either 1 or 0. 1 for
>> match, 0 for no match.
>>
>> Example script:
>>
>> -- match string HTTP in packet payload
>> function match(args)
>>     for k,v in pairs(args) do
>>        if tostring(k) == "payload" then
>>             a = tostring(v)
>>             if #a > 0 then
>>                 if a:find("HTTP") then
>>                     return 1
>>                 end
>>             end
>>         end
>>     end
>>
>>     return 0
>> end
>>
>> return 0
>> -- eof
>>
>> The fun thing is that it works, but the best joke is that on my box this
>> simple script makes no performance impact at all.
>>
>> Currently only "payload" and "packet" keys are available. More will
>> follow, or not. This is research stuff, and if we run into some major
>> obstacle we'll remove it or change it completely. Until then, let me
>> know how you feel about it :)
>>
>> Oh yeah, to enable add "--with-libluajit-includes=/usr/include/luajit-2.0/
>> --with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/" to your configure
>> line. Adapt for your distro.
>>
>> Happy scripting!
>>
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
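As an added example (not code from this thread or from the Suricata project), here is what a detection script along the lines Chris describes could look like once BitOp is available: it uses the init()/match(args) interface and the "payload" key from the thread, plus bit.bxor from the LuaJIT BitOp module, to test whether a known plaintext marker appears in the payload under a short repeating XOR key. The marker (the ZIP local file header signature "PK\3\4", chosen here because the thread talks about jars), the maximum key length, and the helper names are assumptions of this example; it generalizes the 1- and 2-byte case in the thread to any key length shorter than the marker.

```lua
-- Added example: hypothetical Suricata luajit detection script, not from the thread.
-- Assumes the init()/match(args) interface and "payload" key described above
-- and the LuaJIT BitOp module ("bit").
local bit = require("bit")
local bxor = bit.bxor

-- Constructed known-plaintext marker: ZIP local file header signature "PK\3\4".
-- Assumption: an obfuscated archive carries this header XOR-ed with a short
-- repeating key, which a plain content/pcre match cannot see.
local MARKER = "PK\003\004"

-- Try to recover a repeating XOR key of length keylen such that MARKER appears
-- at 1-based offset `off` in `data` once decoded. Returns the key as a string,
-- or nil. An all-zero key (i.e. the marker is already in clear) returns nil too,
-- since an ordinary content match already covers that case.
local function recover_key(data, off, marker, keylen)
    if off + #marker - 1 > #data then return nil end
    local key, nonzero = {}, false
    -- The first keylen bytes of the marker give one candidate key byte each.
    for i = 1, keylen do
        local k = bxor(data:byte(off + i - 1), marker:byte(i))
        key[i] = k
        if k ~= 0 then nonzero = true end
    end
    if not nonzero then return nil end
    -- The remaining marker bytes must decode correctly under that repeating key.
    for i = keylen + 1, #marker do
        local k = key[((i - 1) % keylen) + 1]
        if bxor(data:byte(off + i - 1), k) ~= marker:byte(i) then
            return nil
        end
    end
    local out = {}
    for i = 1, keylen do out[i] = string.char(key[i]) end
    return table.concat(out)
end

-- Scan every offset of `data` for `marker` under a key of 1..maxkeylen bytes.
-- Only key lengths shorter than the marker are tried, so at least one marker
-- byte is always left over to verify the candidate key against.
-- Returns offset and key on success, nil otherwise.
local function find_xored_marker(data, marker, maxkeylen)
    for keylen = 1, maxkeylen do
        if keylen < #marker then
            for off = 1, #data - #marker + 1 do
                local key = recover_key(data, off, marker, keylen)
                if key then return off, key end
            end
        end
    end
    return nil
end

function init(args)
    local needs = {}
    needs["payload"] = tostring(true)
    return needs
end

-- return match via table, as in the later script in this thread
function match(args)
    local result = {}
    result["retval"] = tostring(0)
    for k, v in pairs(args) do
        if tostring(k) == "payload" then
            local a = tostring(v)
            -- maxkeylen 2 covers the single-byte and 2-byte XOR-ers mentioned
            -- in the thread; raise it (and use a longer marker) for longer keys.
            if #a > 0 and find_xored_marker(a, MARKER, 2) then
                result["retval"] = tostring(1)
            end
        end
    end
    return result
end

return 0
```

The scan is linear in payload length times marker length per key length, so keep the marker short and the maximum key length small; a longer key needs a proportionally longer marker, otherwise every offset trivially "matches" with no bytes left to verify.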