[Oisf-devel] TLS Buffers for LUA Scripting?

Nasir Bilal bilalbox at gmail.com
Tue Dec 29 20:28:02 UTC 2015


Great. BTW the new TLS buffers work great! Here's an example of a working
sample Lua script used to test the new functionality:

Suricata Rule:
##############
reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS SPORTS -
DROPPED"; flow:established; luajit:bl_sports_https.lua; sid:10001008;
rev:1;)
##############
Lua Script: (bl_sports_https.lua)
##############
function init (args)
    local needs = {}
    needs["tls.subject"] = tostring(true)
    return needs
end

function match(args)
    -- Suricata hands the requested buffer to match() in args; bail out if it
    -- is absent or empty (tostring(nil) would give the non-empty string "nil")
    local current_url = args["tls.subject"]
    if not current_url or #current_url == 0 then
        return 0
    end
    local file = assert(io.open("blacklists/sports/domains", "r"))
    local result = 0
    for line in file:lines() do
        -- plain find (4th arg true) so a "." in the domain is not a Lua
        -- pattern wildcard; skip blank lines, which would match everything
        if #line > 0 and current_url:find(line, 1, true) then
            result = 1
            break
        end
    end
    file:close()  -- match() runs for every TLS flow, so release the handle
    return result
end
##############

NOTE: the "blacklists/sports/domains" file is just a flat text file
containing all the pages we wish to block in this test.

Regards,
Nasir

On Tue, Dec 29, 2015 at 12:40 PM Jason Ish <lists at unx.ca> wrote:

> On Tue, Dec 29, 2015 at 10:58 AM, Nasir Bilal <bilalbox at gmail.com> wrote:
> > Jason,
> >
> > Thanks, that's great! Yes, we should update the documentation. Is that
> > something anybody can do?
>
> Yes, I believe you just need an account on Redmine.  The docs are
> migrating to Sphinx and updates will be handled with pull requests at
> some point in the hopefully near future. But for now I have a "watch"
> on the Wiki to migrate changes made by others.
>
> Jason
>
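As an added example (not the script from the post above, nor Suricata project code): a variant of bl_sports_https.lua that reads the list once in init() instead of reopening it on every match(), and compares the certificate CN against the list by domain suffix, so that www.espn.com and a wildcard *.espn.com match espn.com while notespn.com and espn.com.evil.example do not. It keeps the post's "tls.subject" buffer. Assumptions that the post does not confirm: Suricata calls init() once when it loads the script into a Lua state and passes the subject as a string in args["tls.subject"]; the blocklist path is illustrative; the `arg` global is used to detect the stand-alone interpreter; the list and subjects in the self-check are constructed.

```lua
-- Added example, not the script from the post: loads the blocklist once in
-- init() and matches the certificate CN by domain suffix.
-- Assumptions (not confirmed by the post): Suricata calls init() once when it
-- loads this script into a Lua state, and passes the subject as a string in
-- args["tls.subject"]; the path below is illustrative.
BLOCKLIST_PATH = "blacklists/sports/domains"
blocked = {}   -- set of lowercase domains, filled by init()

-- Read one domain per line; blank lines and lines starting with "#" are ignored.
local function load_blocklist(path)
    local set = {}
    local f = io.open(path, "r")
    if not f then
        return set   -- list missing: match nothing instead of raising
    end
    for line in f:lines() do
        local d = line:match("^%s*([^%s#]+)")
        if d then
            set[d:lower()] = true
        end
    end
    f:close()
    return set
end

function init(args)
    blocked = load_blocklist(BLOCKLIST_PATH)
    local needs = {}
    needs["tls.subject"] = tostring(true)
    return needs
end

-- Extract the CN from a subject such as "C=US, O=Example, CN=www.example.com".
local function subject_cn(subject)
    local cn = subject:match("CN=%s*([^,%s]+)")
    if cn then
        return cn:lower()
    end
    return nil
end

-- True if host is a listed domain or a subdomain of one: "www.espn.com"
-- and the wildcard "*.espn.com" match "espn.com"; "notespn.com" does not.
local function is_blocked(host)
    local h = host
    while h do
        if blocked[h] then
            return true
        end
        h = h:match("^[^.]+%.(.+)$")   -- drop the leftmost label
    end
    return false
end

function match(args)
    local subject = args["tls.subject"]
    if type(subject) ~= "string" then
        return 0
    end
    local cn = subject_cn(subject)
    if cn and is_blocked(cn) then
        return 1
    end
    return 0
end

-- Self-check for the stand-alone interpreter (`lua bl_sports_https.lua`):
-- the `arg` table is assumed to be absent inside Suricata. The list and the
-- subjects are constructed for this check.
if arg then
    blocked = { ["espn.com"] = true }
    assert(match({ ["tls.subject"] = "C=US, O=ESPN, CN=www.espn.com" }) == 1)
    assert(match({ ["tls.subject"] = "CN=*.espn.com" }) == 1)
    assert(match({ ["tls.subject"] = "CN=notespn.com" }) == 0)
    assert(match({ ["tls.subject"] = "CN=espn.com.evil.example" }) == 0)
    assert(match({}) == 0)
    print("self-check ok")
end
```

Suffix matching on the CN is the check a blocklist actually wants: a substring test against the whole subject string would also fire on the O= or OU= fields and on any domain that merely contains a listed name. Note that many modern certificates carry the hostnames in the subjectAltName rather than the CN, so in practice the SNI or SAN buffer is the better key when it is available.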