[Oisf-devel] lua (jit) script keyword

Victor Julien victor at inliniac.net
Fri Sep 7 20:35:57 UTC 2012


On 09/07/2012 10:07 PM, Martin Holste wrote:
> That is awesome, great idea!

What, you mean you get excited by the idea of generating alerts (from a
script) for each IPv4 packet? :-P

> On Fri, Sep 7, 2012 at 12:55 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 09/07/2012 07:39 PM, Victor Julien wrote:
>>> On 09/07/2012 06:52 PM, Chris Wakelin wrote:
>>>> I've had a quick look at this, but I've never done anything in Lua, so
>>>> it may take me a while to write a useful rule using it :)
>>>>
>>>> One quick question though; a deficiency in using PCRE is coping with
>>>> randomly XOR-ed binaries. I'd quite like a rule that could spot them by
>>>> say XOR-ing every 5th byte for 2n bytes to spot the Zelix obfuscator as
>>>> used in Blackhole jars (though the zip compression may make this
>>>> infeasible) or every 2nd byte to spot 2-byte XOR-ers.
>>>>
>>>> However, there aren't any bitwise operators in Lua 5.1, though there is
>>>> a "BitOp" extension (bitop.luajit.org). Would this work in Suricata?
>>>
>>> Appears so, ya :) The below does nothing useful, but it does appear to
>>> actually right shift as instructed.
>>
>> Somewhat more useful example. In packets with ethernet, bytes 13 and 14
>> will be 0x08 0x00 and then the IPv4 header's first byte contains the ip
>> ver. In C we have the macro:
>>
>> #define IPV4_GET_RAW_VER(ip4h)            (((ip4h)->ip_verhl & 0xf0) >> 4)
>>
>> So a bitwise and followed by a rshift.
>>
>> In lua:
>>
>> function init (args)
>>     local needs = {}
>>     needs["packet"] = tostring(true)
>>     return needs
>> end
>>
>>
>> -- return match via table
>> function match(args)
>>     local result = {}
>>     local bit = require("bit")
>>     local rshift = bit.rshift
>>
>>     for k,v in pairs(args) do
>>         if tostring(k) == "packet" then
>>             local a = tostring(v)
>>
>>             if #a >= 15 and a:byte(13) == 0x08 and a:byte(14) == 0x00 then
>>                 if (rshift(bit.band(a:byte(15), 0xf0), 4) == 4) then
>>                     result["retval"] = tostring(1)
>>                 end
>>             end
>>         end
>>     end
>>
>>     return result
>> end
>>
>> return 0
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
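Building on the script quoted above, here is an added example (my own, not code from the thread or from Suricata) in the same init()/match() table-returning form, using BitOp to decode the ethertype, IP version and IPv4 header length and to flag IPv4 packets that carry IP options. The byte offsets assume the raw-frame layout Victor's script assumes (14-byte Ethernet header, IP header starting at byte 15), and the result-table convention follows the thread.

```lua
-- Added example, not code from the thread: a Suricata Lua match script in
-- the same init()/match() table-returning form as Victor's, using BitOp to
-- decode the ethertype, IP version and IPv4 header length (IHL) and to flag
-- IPv4 packets that carry IP options (IHL > 5). Offsets assume the same raw
-- frame layout as above: 14-byte Ethernet header, IP header at byte 15.
local bit = require("bit")
local band, rshift, lshift = bit.band, bit.rshift, bit.lshift

function init(args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end

-- Decode the fields we need from the raw packet string (1-indexed bytes).
-- Returns nil for frames that are too short or not IPv4/IPv6.
local function parse(pkt)
    if #pkt < 15 then return nil end
    local ethertype = lshift(pkt:byte(13), 8) + pkt:byte(14)
    local ver = rshift(band(pkt:byte(15), 0xf0), 4)   -- same as IPV4_GET_RAW_VER
    if ethertype == 0x0800 and ver == 4 then
        if #pkt < 34 then return nil end    -- 14 + minimal 20-byte IPv4 header
        return {
            version  = 4,
            ihl      = band(pkt:byte(15), 0x0f),  -- header length in 32-bit words
            protocol = pkt:byte(24),
        }
    elseif ethertype == 0x86dd and ver == 6 then
        if #pkt < 54 then return nil end    -- 14 + fixed 40-byte IPv6 header
        return { version = 6, next_hdr = pkt:byte(21), hop_limit = pkt:byte(22) }
    end
    return nil
end

function match(args)
    local result = {}
    for k, v in pairs(args) do
        if tostring(k) == "packet" then
            local hdr = parse(tostring(v))
            -- IHL is 5 for a plain 20-byte header; anything larger means IP
            -- options are present, rare enough on most networks to alert on.
            if hdr and hdr.version == 4 and hdr.ihl > 5 then
                result["retval"] = tostring(1)
            end
        end
    end
    return result
end
return 0
```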