[Oisf-devel] lua (jit) script keyword
Victor Julien
victor at inliniac.net
Sat Sep 8 09:07:34 UTC 2012
First impressions of how it may perform look very encouraging:
http://blog.inliniac.net/2012/09/08/first-impressions-of-luajit-performance-in-suricata/
On 09/07/2012 10:35 PM, Victor Julien wrote:
> On 09/07/2012 10:07 PM, Martin Holste wrote:
>> That is awesome, great idea!
>
> What, you mean you get excited by the idea of generating alerts (from a
> script) for each IPv4 packet? :-P
>
>> On Fri, Sep 7, 2012 at 12:55 PM, Victor Julien <victor at inliniac.net> wrote:
>>> On 09/07/2012 07:39 PM, Victor Julien wrote:
>>>> On 09/07/2012 06:52 PM, Chris Wakelin wrote:
>>>>> I've had a quick look at this, but I've never done anything in Lua, so
>>>>> it may take me a while to write a useful rule using it :)
>>>>>
>>>>> One quick question though; a deficiency in using PCRE is coping with
>>>>> randomly XOR-ed binaries. I'd quite like a rule that could spot them by
>>>>> say XOR-ing every 5th byte for 2n bytes to spot the Zelix obfuscator as
>>>>> used in Blackhole jars (though the zip compression may make this
>>>>> infeasible) or every 2nd byte to spot 2-byte XOR-ers.
>>>>>
>>>>> However, there aren't any bitwise operators in Lua 5.1, though there is
>>>>> a "BitOp" extension (bitop.luajit.org). Would this work in Suricata?
>>>>
>>>> Appears so, ya :) The below does nothing useful, but it does appear to
>>>> actually right shift as instructed.
>>>
>>> Somewhat more useful example. In packets with ethernet, bytes 13 and 14
>>> will be 0x08 0x00 and then the IPv4 header's first byte contains the ip
>>> ver. In C we have the macro:
>>>
>>> #define IPV4_GET_RAW_VER(ip4h) (((ip4h)->ip_verhl & 0xf0) >> 4)
>>>
>>> So a bitwise and followed by a rshift.
>>>
>>> In lua:
>>>
>>> function init (args)
>>>     local needs = {}
>>>     needs["packet"] = tostring(true)
>>>     return needs
>>> end
>>>
>>>
>>> -- return match via table
>>> function match(args)
>>>     local result = {}
>>>     local bit = require("bit")
>>>     local rshift, rol = bit.rshift, bit.rol
>>>
>>>     for k,v in pairs(args) do
>>>         if tostring(k) == "packet" then
>>>             local a = tostring(v)
>>>
>>>             -- bytes 13-14: EtherType 0x0800 (IPv4); byte 15: IPv4 ver/IHL
>>>             if #a >= 15 and a:byte(13) == 0x08 and a:byte(14) == 0x00 then
>>>                 -- (ip_verhl & 0xf0) >> 4, as in IPV4_GET_RAW_VER
>>>                 if (rshift(bit.band(a:byte(15), 0xf0), 4) == 4) then
>>>                     result["retval"] = tostring(1)
>>>                 end
>>>             end
>>>         end
>>>     end
>>>
>>>     return result
>>> end
>>>
>>> return 0
>>>
>>>
>>
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
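An added example, not from this thread or from the Suricata project, that carries Victor's bitwise script one step further: it decodes both the version and the IHL from the first IPv4 byte with BitOp and only matches when the header is internally consistent. It assumes the same script API used above (init() returning needs["packet"], match(args) receiving the raw packet under "packet", retval "1" on match) and, for the self-test, that the `arg` global is set only when the file is run from the lua/luajit CLI.

```lua
local bit = require("bit")
local band, rshift = bit.band, bit.rshift

-- Ethernet header is 14 bytes; EtherType 0x0800 means IPv4 follows.
local ETH_HDR_LEN = 14
local ETHERTYPE_IPV4_HI, ETHERTYPE_IPV4_LO = 0x08, 0x00

-- First IPv4 byte: version = (ip_verhl & 0xf0) >> 4, as in IPV4_GET_RAW_VER,
-- and header length in bytes = (ip_verhl & 0x0f) * 4.
local function ipv4_verhl(byte)
  return rshift(band(byte, 0xf0), 4), band(byte, 0x0f) * 4
end

-- True when the frame carries IPv4 whose header fields agree with each other:
-- version 4, IHL at least the 20-byte minimum, and the header fits in the packet.
local function ipv4_header_ok(pkt)
  if #pkt < ETH_HDR_LEN + 20 then return false end
  if pkt:byte(13) ~= ETHERTYPE_IPV4_HI or pkt:byte(14) ~= ETHERTYPE_IPV4_LO then
    return false
  end
  local ver, ihl = ipv4_verhl(pkt:byte(ETH_HDR_LEN + 1))
  return ver == 4 and ihl >= 20 and #pkt >= ETH_HDR_LEN + ihl
end

function init(args)
  local needs = {}
  needs["packet"] = tostring(true)
  return needs
end

function match(args)
  local result = {}
  local pkt = args["packet"]
  if pkt ~= nil and ipv4_header_ok(tostring(pkt)) then
    result["retval"] = tostring(1)
  end
  return result
end

-- Self-test on constructed frames; assumed to run only under the CLI, where
-- `arg` is set, and not when Suricata loads the script.
if arg ~= nil then
  local eth  = string.rep("\0", 12) .. "\8\0"          -- constructed Ethernet header, EtherType 0x0800
  local good = eth .. "\69" .. string.rep("\0", 19)    -- 0x45: version 4, IHL 5 (20 bytes)
  local bad  = eth .. "\96" .. string.rep("\0", 19)    -- 0x60: version 6 behind an IPv4 EtherType
  assert(match({ packet = good })["retval"] == "1")
  assert(match({ packet = bad })["retval"] == nil)
  print("self-test ok")
end

return 0
```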