[Oisf-devel] TLS Buffers for LUA Scripting?
Nasir Bilal
bilalbox at gmail.com
Wed Dec 30 12:28:03 UTC 2015
No, I hadn't seen it. Thanks!
On Wed, Dec 30, 2015 at 3:53 AM, Peter Manev <petermanev at gmail.com> wrote:
On Tue, 2015-12-29 at 20:28 +0000, Nasir Bilal wrote:
> Great. BTW the new TLS buffers work great! Here's an example of a
> working sample Lua script used to test the new functionality:
>
>
> Suricata Rule:
> ##############
>
> reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS SPORTS - DROPPED"; flow:established; luajit:bl_sports_https.lua; sid:10001008; rev:1;)
>
> ##############
>
> Lua Script: (bl_sports_https.lua)
> ##############
> function init (args)
>     local needs = {}
>     needs["tls.subject"] = tostring(true)
>     return needs
> end
>
>
> function match(args)
>     -- tls.subject is nil until the server certificate has been parsed
>     local subject = args["tls.subject"]
>     if subject == nil or #subject == 0 then
>         return 0
>     end
>     local file = assert(io.open("blacklists/sports/domains", "r"))
>     local result = 0
>     for line in file:lines() do
>         -- skip blank lines (find("") matches every subject) and use a
>         -- plain find so a '.' in a domain is not treated as a pattern wildcard
>         if #line > 0 and subject:find(line, 1, true) then
>             result = 1
>             break
>         end
>     end
>     file:close()   -- the handle was previously leaked on every call
>     return result
> end
> ##############
>
>
> NOTE: the "blacklists/sports/domains" file is just a flat text file
> containing all the pages we wish to block in this test.
>
>
> Regards,
> Nasir
>
> On Tue, Dec 29, 2015 at 12:40 PM Jason Ish <lists at unx.ca> wrote:
>
> On Tue, Dec 29, 2015 at 10:58 AM, Nasir Bilal <bilalbox at gmail.com> wrote:
> > Jason,
> >
> > Thanks, that's great! Yes, we should update the documentation. Is that
> > something anybody can do?
FYI (not sure if you have seen it) - There is some documentation here - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#TLS
>
> Yes, I believe you just need an account on Redmine. The docs are
> migrating to Sphinx and updates will be handled with pull requests at
> some point in the hopefully near future. But for now I have a "watch"
> on the Wiki to migrate changes made by others.
>
> Jason
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> Developer Training in Copenhagen Sept 14-18: http://suricata-ids.org/training/
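Added example (not from this thread or from the Suricata project): a variant of the posted script that reads the list once in init() and matches the certificate CN by exact name or parent domain, so a listed "sports.example" covers its subdomains but not "notsports.example", which the substring find() in the posted script would also hit. It assumes Suricata hands tls.subject over as a "C=..., O=..., CN=..." string, keeps the same list path as the post, and assumes only the lua command-line interpreter sets the global `arg` (used for the stand-alone check at the bottom).

```lua
local LIST_PATH = "blacklists/sports/domains"   -- path used by the posted script
local blocked = {}                               -- set: domain -> true

-- Read the list once at init(); one name per line, '#' comments and blanks ignored.
local function load_list(path)
    local set, f = {}, io.open(path, "r")
    if not f then return set end                 -- missing list: nothing is blocked
    for line in f:lines() do
        local d = line:match("^%s*([^#%s]+)")
        if d then set[d:lower()] = true end
    end
    f:close()
    return set
end

-- CN from a subject like "C=US, O=Ex, CN=*.sports.example"; a leading "*." is dropped.
local function common_name(subject)
    local cn = subject:match("CN=([^,]+)")
    if not cn then return nil end
    return (cn:lower():gsub("^%*%.", ""))
end

-- Exact name or any parent domain: a.b.sports.example matches "sports.example",
-- while notsports.example does not (the posted substring find() would match it).
local function is_blocked(name, set)
    while name and #name > 0 do
        if set[name] then return true end
        name = name:match("^[^.]+%.(.+)$")
    end
    return false
end

function init(args)
    blocked = load_list(LIST_PATH)
    return { ["tls.subject"] = tostring(true) }
end

function match(args)
    local cn = args["tls.subject"] and common_name(args["tls.subject"])
    if cn and is_blocked(cn, blocked) then return 1 end
    return 0
end

-- Stand-alone check with a constructed list (assumes only the lua CLI sets `arg`).
if arg then
    blocked = { ["sports.example"] = true }
    assert(match({ ["tls.subject"] = "C=US, O=Ex, CN=*.sports.example" }) == 1)
    assert(match({ ["tls.subject"] = "C=US, O=Ex, CN=notsports.example" }) == 0)
    assert(match({}) == 0)
end
```

Note that a bare TLD entry in the list (e.g. "example") would block every name under it, because the parent-domain walk stops only when no dot is left.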