[Oisf-devel] lua (jit) script keyword

Victor Julien victor at inliniac.net
Fri Sep 7 17:55:04 UTC 2012

On 09/07/2012 07:39 PM, Victor Julien wrote:
> On 09/07/2012 06:52 PM, Chris Wakelin wrote:
>> I've had a quick look at this, but I've never done anything in Lua, so
>> it may take me a while to write a useful rule using it :)
>> One quick question though; a deficiency in using PCRE is coping with
>> randomly XOR-ed binaries. I'd quite like a rule that could spot them by
>> say XOR-ing every 5th byte for 2n bytes to spot the Zelix obfuscator as
>> used in Blackhole jars (though the zip compression may make this
>> infeasible) or every 2nd byte to spot 2-byte XOR-ers.
>> However, there aren't any bitwise operators in Lua 5.1, though there is
>> a "BitOp" extension (bitop.luajit.org). Would this work in Suricata?
> Appears so, ya :) The below does nothing useful, but it does appear to
> actually right shift as instructed.

Somewhat more useful example. In packets with ethernet bytes 13 and 14
will be 0x08 0x00 and then the IPv4 header's first byte contains the ip
ver. In C we have macro:

#define IPV4_GET_RAW_VER(ip4h)            (((ip4h)->ip_verhl & 0xf0) >> 4)

So a bitwise and followed by a rshift.

In lua:

function init (args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs

-- return match via table
function match(args)
    local result = {}
    local bit = require("bit")
    local rshift, rol = bit.rshift, bit.rol

    for k,v in pairs(args) do
        if tostring(k) == "packet" then
            a = tostring(v)

            if #a >= 15 and a:byte(13) == 0x08 and a:byte(14) == 0x00 then
                if (rshift(bit.band(a:byte(15), 0xf0), 4) == 4) then
                    result["retval"] = tostring(1)

    return result

return 0

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list