[Oisf-devel] TLS Buffers for LUA Scripting?

Nasir Bilal bilalbox at gmail.com
Sat Jan 16 05:37:08 UTC 2016

After perusing the documentation and commit history more carefully, it
looks like my syntax was just extremely messed up. However, there are two
different sets of verbage used: that in the documentation, and that in the
actually committed code:

Documentation states that in order to be able to use TLS keywords in LUA
scripts we need to use the following init statement:
*function init (args)*
*    local needs = {}*
*    needs["protocol"] = "tls"*
*    return needs*

However, when I attempt to load a rulebase that includes rules referencing
a LUA script with the '*needs["protocol"]*' line in it, I get the follow
error when running suricata 3.0RC3:
*qnadmin at qn1:/etc/suricata/rules$ sudo suricata -c
/etc/suricata/suricata.yaml -q 0 --init-errors-fatal*
*16/1/2016 -- 00:14:06 - <Notice> - This is Suricata version 3.0RC3 RELEASE*
*16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] -
unsupported data type protocol*
*16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "reject tls $EXTERNAL_NET any -> $HOME_NET any
(msg:"HTTPS $$$ - DROPPED"; flow:established,to_client;
luajit:bl_shopping_https.lua; sid:10001008; rev:1;)" from file
/etc/suricata/rules/drop.rules at line 37*
*16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] -
Loading signatures failed.*

However, in the commit history I find a different syntax required for the
init function (which works):

lua: TLS support

Support TLS in Lua detection scripts.

function init (args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs

I know that the "procotol" keyword should be active in 3.0RC3 per the
documentation, so is this a temporary issue? Or should I go in and update
the documentation?

Thanks again all for your support!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20160116/e16b9b72/attachment-0002.html>

More information about the Oisf-devel mailing list