[Oisf-devel] TLS Buffers for LUA Scripting?

Nasir Bilal bilalbox at gmail.com
Wed Dec 30 12:28:03 UTC 2015


No, I hadn't seen it. Thanks!

On Wed, Dec 30, 2015 at 3:53 AM, Peter Manev <petermanev at gmail.com> wrote:
On Tue, 2015-12-29 at 20:28 +0000, Nasir Bilal wrote:
 > Great. BTW the new TLS buffers work great! Here's an example of a
 > working sample Lua script used to test the new functionality:
 >
 >
 > Suricata Rule:
 > ##############
 >
 > reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS SPORTS -
 > DROPPED"; flow:established; luajit:bl_sports_https.lua; sid:10001008;
 > rev:1;)
 >
 > ##############
 >
 > Lua Script: (bl_sports_https.lua)
 > ##############
 > function init (args)
 >     local needs = {}
 >     needs["tls.subject"] = tostring(true)
 >     return needs
 > end
 >
 >
 > function match(args)
 >     -- the flat domain list is re-read on every call, as in the original
 >     local file = assert(io.open("blacklists/sports/domains", "r"))
 >     local current_url = args["tls.subject"]
 >     if current_url ~= nil and #current_url > 0 then
 >         for line in file:lines() do
 >             -- plain find: treat the list entry as literal text, not a Lua pattern
 >             if current_url:find(line, 1, true) then
 >                 file:close()
 >                 return 1
 >             end
 >         end
 >     end
 >     file:close()
 >     return 0
 > end
 > ##############
 >
 >
 > NOTE: the "blacklists/sports/domains" file is just a flat text file
 > containing all the pages we wish to block in this test.
 >
 >
 > Regards,
 > Nasir
 >
 > On Tue, Dec 29, 2015 at 12:40 PM Jason Ish <lists at unx.ca> wrote:
 >
 > On Tue, Dec 29, 2015 at 10:58 AM, Nasir Bilal
 > <bilalbox at gmail.com> wrote:
 > > Jason,
 > >
 > > Thanks, that's great! Yes, we should update the documentation. Is that
 > > something anybody can do?

FYI (not sure if you have seen it) - There is some documentation here -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#TLS


 >
 > Yes, I believe you just need an account on Redmine. The docs are
 > migrating to Sphinx and updates will be handled with pull requests at
 > some point in the hopefully near future. But for now I have a "watch"
 > on the Wiki to migrate changes made by others.
 >
 > Jason
 > _______________________________________________
 > Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
 > Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
 > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
 > Redmine: https://redmine.openinfosecfoundation.org/
 > Developer Training in Copenhagen Sept 14-18: http://suricata-ids.org/training/
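A fuller version of the same idea, added here as an example and not code from the thread: the domain list is read once in init() instead of on every match() call, the CN is pulled out of tls.subject, and matching is exact-or-parent-domain rather than substring, so a list entry "sports.example" catches "scores.sports.example" but not an unrelated O= field that happens to contain the same text. Assumed: the list path from the thread, and the comma-separated "C=..., O=..., CN=..." layout Suricata uses for the tls.subject buffer.

```lua
-- Added example for the Suricata tls.subject Lua buffer (not the thread's script).
-- Assumes the list path from the thread and a subject string such as
-- "C=US, O=Example Sports Ltd, CN=scores.sports.example".

local blocked = {}

-- Load each non-empty, non-comment line as a lower-cased domain key.
local function load_list(path)
    local set = {}
    local f = assert(io.open(path, "r"))
    for line in f:lines() do
        local d = line:gsub("^%s+", ""):gsub("%s+$", ""):lower()
        if #d > 0 and d:sub(1, 1) ~= "#" then
            set[d] = true
        end
    end
    f:close()
    return set
end

-- Extract the CN value from a subject string; nil if the field is absent.
local function subject_cn(subject)
    if subject == nil then return nil end
    local cn = subject:match("CN=([^,]+)")
    if cn == nil then return nil end
    cn = cn:gsub("^%*%.", "")   -- wildcard cert: treat *.example.org as example.org
    return cn:lower()
end

-- True if host equals a listed domain or is a subdomain of one.
local function is_blocked(host, set)
    local h = host
    while h do
        if set[h] then return true end
        h = h:match("^[^.]+%.(.+)$")   -- strip the leftmost label and retry
    end
    return false
end

function init(args)
    blocked = load_list("blacklists/sports/domains")   -- read once, not per packet
    return { ["tls.subject"] = tostring(true) }
end

function match(args)
    local cn = subject_cn(args["tls.subject"])
    if cn ~= nil and is_blocked(cn, blocked) then
        return 1
    end
    return 0
end
```

Because the list is loaded when the script is initialised, edits to the domain file take effect on a rule reload rather than immediately.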