[Oisf-devel] lua (jit) script keyword

Martin Holste mcholste at gmail.com
Fri Sep 7 20:07:17 UTC 2012


That is awesome, great idea!

On Fri, Sep 7, 2012 at 12:55 PM, Victor Julien <victor at inliniac.net> wrote:
> On 09/07/2012 07:39 PM, Victor Julien wrote:
>> On 09/07/2012 06:52 PM, Chris Wakelin wrote:
>>> I've had a quick look at this, but I've never done anything in Lua, so
>>> it may take me a while to write a useful rule using it :)
>>>
>>> One quick question though; a deficiency in using PCRE is coping with
>>> randomly XOR-ed binaries. I'd quite like a rule that could spot them by
>>> say XOR-ing every 5th byte for 2n bytes to spot the Zelix obfuscator as
>>> used in Blackhole jars (though the zip compression may make this
>>> infeasible) or every 2nd byte to spot 2-byte XOR-ers.
>>>
>>> However, there aren't any bitwise operators in Lua 5.1, though there is
>>> a "BitOp" extension (bitop.luajit.org). Would this work in Suricata?
>>
>> Appears so, ya :) The below does nothing useful, but it does appear to
>> actually right shift as instructed.
>
> Somewhat more useful example. In packets with ethernet, bytes 13 and 14
> will be 0x08 0x00 and then the IPv4 header's first byte contains the ip
> ver. In C we have the macro:
>
> #define IPV4_GET_RAW_VER(ip4h)            (((ip4h)->ip_verhl & 0xf0) >> 4)
>
> So a bitwise and followed by a rshift.
>
> In lua:
>
> function init (args)
>     local needs = {}
>     needs["packet"] = tostring(true)
>     return needs
> end
>
>
> -- return match via table
> function match(args)
>     local result = {}
>     local bit = require("bit")
>     local rshift = bit.rshift
>
>     for k,v in pairs(args) do
>         if tostring(k) == "packet" then
>             local a = tostring(v)
>
>             -- ethertype 0x0800 (IPv4) at bytes 13-14 (1-based), then the
>             -- IPv4 version/IHL byte: (verhl & 0xf0) >> 4 must be 4
>             if #a >= 15 and a:byte(13) == 0x08 and a:byte(14) == 0x00 then
>                 if (rshift(bit.band(a:byte(15), 0xf0), 4) == 4) then
>                     result["retval"] = tostring(1)
>                 end
>             end
>         end
>     end
>
>     return result
> end
>
> return 0
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
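Chris asks above for a rule that can see through a per-byte XOR, which plain PCRE cannot do. The script below is an added example, written for this page; it is not code from the thread, from Chris or Victor, or from Suricata itself. It keeps the init/match shape of Victor's script and uses BitOp's bxor to recover a repeating XOR key of length 1, 2 or 4 bytes from a known plaintext (the PE stub message, an assumed marker) and then checks the rest of the marker against that key, so it fires on any key value, not just one seen before. Assumptions: a "payload" need (Victor's script uses "packet"), the marker string, the key lengths tried, the `arg` global as the sign that the file was run under luajit rather than loaded by Suricata, and the constructed sample at the end. It generalizes Chris's "every 2nd byte" case to any short repeating key.

```lua
-- Added example, not from the thread or from Suricata itself.
-- Looks for a known plaintext (the PE stub message) that has been XORed
-- with a repeating key of 1, 2 or 4 bytes, whatever the key value.
-- Needs Lua BitOp ("bit"), as discussed in the thread.
local bit = require("bit")
local bxor = bit.bxor

-- Known plaintext expected near the start of a PE file (assumed marker).
local MARKER = "This program cannot be run in DOS mode"
local KEY_LENGTHS = { 1, 2, 4 }

function init(args)
    local needs = {}
    needs["payload"] = tostring(true)   -- assumes a "payload" need exists
    return needs
end

-- If buf[off..] is MARKER under a repeating key of length klen, return the
-- key as a table of bytes; otherwise nil. The key is derived from the first
-- klen bytes and then checked against every remaining marker byte.
local function xor_key_at(buf, off, klen)
    local key, nonzero = {}, false
    for i = 1, klen do
        key[i] = bxor(buf:byte(off + i - 1), MARKER:byte(i))
        if key[i] ~= 0 then nonzero = true end
    end
    if not nonzero then return nil end   -- plaintext: leave to a content rule
    for i = klen + 1, #MARKER do
        local k = key[(i - 1) % klen + 1]
        if bxor(buf:byte(off + i - 1), k) ~= MARKER:byte(i) then
            return nil
        end
    end
    return key
end

-- Scan payload for the marker under any key of the configured lengths.
-- Returns offset (1-based), key table and key length, or nil.
function find_xor_marker(payload)
    for off = 1, #payload - #MARKER + 1 do
        for _, klen in ipairs(KEY_LENGTHS) do
            local key = xor_key_at(payload, off, klen)
            if key then return off, key, klen end
        end
    end
    return nil
end

function match(args)
    local result = {}
    for k, v in pairs(args) do
        if tostring(k) == "payload" then
            local buf = tostring(v)
            if #buf >= #MARKER and find_xor_marker(buf) then
                result["retval"] = tostring(1)
            end
        end
    end
    return result
end

-- Stand-alone self-check when run as `luajit script.lua` (the `arg` global
-- is set by the interpreter, not by Suricata). The sample is constructed.
if arg then
    local key = { 0x5A, 0xC3 }
    local enc = {}
    for i = 1, #MARKER do
        enc[i] = string.char(bxor(MARKER:byte(i), key[(i - 1) % #key + 1]))
    end
    local sample = "MZ" .. table.concat(enc) .. "trailing bytes"
    local off, found, klen = find_xor_marker(sample)
    assert(off == 3 and klen == 2 and found[1] == 0x5A and found[2] == 0xC3)
    assert(match({ payload = sample })["retval"] == "1")
    assert(match({ payload = MARKER })["retval"] == nil)  -- plaintext ignored
    print("ok")
end

return 0
```

The all-zero key is rejected on purpose so that unencoded files stay with an ordinary content rule and the script only reports bytes that were actually XORed. Longer keys mean fewer marker bytes are left to verify, so keep the key lengths short relative to the marker, and Chris's caveat stands: this only works on bytes that travel in the clear, not on data inside a compressed zip entry.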
