[Oisf-devel] TLS Buffers for LUA Scripting?

Nasir Bilal bilalbox at gmail.com
Fri Jan 15 13:08:20 UTC 2016


Actually, after a bit more investigation, it's clear that this TLS/Lua
script is not working. I'm actually getting redirected back to HTTP by most
of my test sites, which then triggers my HTTP-based Lua script. Here is the
simple Lua script that references the TLS buffers:

function init (args)
    local needs = {}
    needs["tls.subject"] = tostring(true)
    return needs
end

function match(args)
    -- blacklist: one domain per line
    local file = assert(io.open("blacklists/shopping/domains", "r"))
    local current_url = tostring(args["tls.subject"])
    local result = 0
    if #current_url > 0 then
        for line in file:lines() do
            -- plain substring match; without the "true" flag the line is
            -- treated as a Lua pattern, where "." matches any character
            if current_url:find(line, 1, true) then
                result = 1
                break
            end
        end
    end
    file:close()
    return result
end
and the corresponding Suricata rule:

reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS $$$ - DROPPED";
flow:established; luajit:bl_shopping_https.lua; sid:10001008; rev:1;)

I have tried referencing both "tls.subject" and "tls.sni" within my scripts
(see below), but neither gets matched by my script.


Note that the equivalent HTTP-based Lua script works fine:

function init (args)
    local needs = {}
    needs["http.request_headers"] = tostring(true)
    return needs
end

function match(args)
    -- blacklist: one domain per line
    local file = assert(io.open("blacklists/shopping/domains", "r"))
    local current_url = tostring(args["http.request_headers"])
    local result = 0
    if #current_url > 0 then
        for line in file:lines() do
            -- plain substring match; without the "true" flag the line is
            -- treated as a Lua pattern, where "." matches any character
            if current_url:find(line, 1, true) then
                result = 1
                break
            end
        end
    end
    file:close()
    return result
end
and the corresponding Suricata rule:

reject tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LUA DROP Shopping!
OUTBOUND"; flow:established,to_server; content:"GET"; http_method;
luajit:bl_shopping.lua; sid:10001007; rev:1;)


A traditional, one-off TLS-based Suricata rule also works fine:

reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"WELLSFARGO TLS BLOCKED
INBOUND"; flow:established; tls.subject:"CN=www.wellsfargo.com"; sid:10001002; rev:1;)

Any ideas? What's a good way to debug the Lua script calls in Suricata?
Perhaps I could place some debug (print) statements into the script and
write them all to a file?

Thanks everybody!

-Nasir
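
A reworked version of the TLS script, added here as an example and not part of the original post: the blacklist is loaded once in init() instead of on every match(), entries are compared as domain labels (so "example.com" also catches "shop.example.com", but a list line is never interpreted as a Lua pattern), and every call is appended to a debug file, which is the file-based tracing the question above asks about. It assumes the "tls.subject" buffer is handed to match() as in the post, and the two file paths are placeholders.

```lua
-- Blacklist loaded once in init(); domains matched as labels, not Lua patterns;
-- every call appended to a debug file. Both paths are placeholders (assumption).
local BLACKLIST_PATH = "blacklists/shopping/domains"  -- one domain per line
local DEBUG_LOG_PATH = "/tmp/bl_shopping_https.log"   -- assumed writable
local blocked = {}  -- set of lowercased domains, filled by init()

local function debug(msg)
    local f = io.open(DEBUG_LOG_PATH, "a")
    if f then
        f:write(os.date("%Y-%m-%dT%H:%M:%S"), " ", msg, "\n")
        f:close()
    end
end

function init(args)
    local f, n = assert(io.open(BLACKLIST_PATH, "r")), 0
    for line in f:lines() do
        local d = line:match("^%s*(.-)%s*$"):lower()  -- trim, normalise case
        if d ~= "" and d:sub(1, 1) ~= "#" then      -- skip blanks and comments
            blocked[d] = true
            n = n + 1
        end
    end
    f:close()
    debug("init: loaded " .. n .. " domains")
    local needs = {}
    needs["tls.subject"] = tostring(true)  -- same buffer name as in the post
    return needs
end

-- Pull the CN out of a subject such as "C=US, O=Foo, CN=www.example.com"
local function subject_cn(subject)
    return subject:match("CN=%s*([^,/%s]+)")
end

-- 1 if the CN or any parent domain is listed, 0 otherwise. A missing subject
-- is never a hit: tostring(nil) is the 3-char string "nil", which the
-- original "#current_url > 0" test would accept.
function match(args)
    local cn = subject_cn(tostring(args["tls.subject"] or ""))
    if not cn then debug("match: no CN in subject"); return 0 end
    cn = cn:lower()
    local host = cn
    while host do
        if blocked[host] then debug("match: BLOCK " .. cn); return 1 end
        host = host:match("^[^.]+%.(.+)$")  -- drop the leftmost label
    end
    debug("match: allow " .. cn)
    return 0
end
```

Tailing the debug file while browsing a listed site shows whether match() is being called at all and what subject string it receives, which separates "the buffer is empty" from "the list entry does not match".
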
On Wed, Dec 30, 2015 at 3:53 AM, Peter Manev <petermanev at gmail.com> wrote:

On Tue, 2015-12-29 at 20:28 +0000, Nasir Bilal wrote:
> Great. BTW the new TLS buffers work great! Here's an example of a
> working sample Lua script used to test the new functionality:
>
>
> Suricata Rule:
> ##############
>
> reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS SPORTS -
> DROPPED"; flow:established; luajit:bl_sports_https.lua; sid:10001008;
> rev:1;)
>
> ##############
>
> Lua Script: (bl_sports_https.lua)
> ##############
> function init (args)
>     local needs = {}
>     needs["tls.subject"] = tostring(true)
>     return needs
> end
>
>
> function match(args)
>         file = assert(io.open("blacklists/sports/domains", "r"))
>         current_url = tostring(args["tls.subject"])
>         if #current_url > 0 then
>                 for line in file:lines() do
>                         if current_url:find(line) then
>                                 return 1
>                         end
>                 end
>         end
> return 0
> end
> ##############
>
>
> NOTE: the "blacklists/sports/domains" file is just a flat text file
> containing all the pages we wish to block in this test.
>
>
> Regards,
> Nasir
>
> On Tue, Dec 29, 2015 at 12:40 PM Jason Ish <lists at unx.ca> wrote:
>
>         On Tue, Dec 29, 2015 at 10:58 AM, Nasir Bilal
>         <bilalbox at gmail.com> wrote:
>         > Jason,
>         >
>         > Thanks, that's great! Yes, we should update the
>         documentation. Is that
>         > something anybody can do?

FYI (not sure if you have seen it) - There is some documentation here
-
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output#TLS


>
>         Yes, I believe you just need an account on Redmine.  The docs
>         are
>         migrating to Sphinx and updates will be handled with pull
>         requests at
>         some point in the hopefully near future. But for now I have a
>         "watch"
>         on the Wiki to migrate changes made by others.
>
>         Jason