[Oisf-devel] TLS Buffers for LUA Scripting?

Peter Manev petermanev at gmail.com
Tue Jan 19 10:45:09 UTC 2016


On Sat, Jan 16, 2016 at 6:37 AM, Nasir Bilal <bilalbox at gmail.com> wrote:
> After perusing the documentation and commit history more carefully, it looks
> like my syntax was just extremely messed up. However, there are two
> different sets of verbiage used: that in the documentation, and that in the
> actual committed code:
>
> Documentation states that in order to be able to use TLS keywords in LUA
> scripts we need to use the following init statement:
> function init (args)
>     local needs = {}
>     needs["protocol"] = "tls"
>     return needs
> end
>
> However, when I attempt to load a rulebase that includes rules referencing a
> LUA script with the 'needs["protocol"]' line in it, I get the following error
> when running suricata 3.0RC3:
> qnadmin at qn1:/etc/suricata/rules$ sudo suricata -c
> /etc/suricata/suricata.yaml -q 0 --init-errors-fatal
> 16/1/2016 -- 00:14:06 - <Notice> - This is Suricata version 3.0RC3 RELEASE
> 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] -
> unsupported data type protocol
> 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> error parsing signature "reject tls $EXTERNAL_NET any -> $HOME_NET any
> (msg:"HTTPS $$$ - DROPPED"; flow:established,to_client;
> luajit:bl_shopping_https.lua; sid:10001008; rev:1;)" from file
> /etc/suricata/rules/drop.rules at line 37
> 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] -
> Loading signatures failed.
>
> However, in the commit history I find a different syntax required for the
> init function (which works):
>
> lua: TLS support
>
> Support TLS in Lua detection scripts.
>
> function init (args)
>     local needs = {}
>     needs["tls"] = tostring(true)
>     return needs
> end
>
>
> I know that the "protocol" keyword should be active in 3.0RC3 per the
> documentation, so is this a temporary issue? Or should I go in and update
> the documentation?

Yes - I can confirm that. The init function's correct statement is
"needs["tls"] = tostring(true)".
Do you mind updating that part of the wiki docs?


>
> Thanks again all for your support!
> Nasir



-- 
Regards,
Peter Manev
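
Added example, not part of the original thread or of Suricata: a pre-flight check that finds tls rules whose Lua script still uses the documented needs["protocol"] form, which this thread reports failing on 3.0RC3 with "unsupported data type protocol". The rule text, script names and script bodies are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample rules and scripts (not the thread's real files).
RULES = '''
reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"A"; flow:established,to_client; luajit:old_style.lua; sid:1; rev:1;)
alert tls any any -> any any (msg:"B"; lua:new_style.lua; sid:2; rev:1;)
# alert tls any any -> any any (msg:"C"; lua:old_style.lua; sid:3; rev:1;)
'''
SCRIPTS = {
    "old_style.lua": 'function init (args)\n  local needs = {}\n  needs["protocol"] = "tls"\n  return needs\nend\n',
    "new_style.lua": 'function init (args)\n  local needs = {}\n  -- needs["protocol"] = "tls"\n  needs["tls"] = tostring(true)\n  return needs\nend\n',
}

SCRIPT_RE = re.compile(r'\blua(?:jit)?:\s*!?([^;\s]+)\s*;')   # lua:/luajit: keyword
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
NEEDS_RE = re.compile(r'needs\s*\[\s*["\']([^"\']+)["\']\s*\]\s*=')

def needs_keys(lua_src):
    """Keys assigned on the needs table, ignoring Lua line comments."""
    code = re.sub(r'--[^\n]*', '', lua_src)
    return set(NEEDS_RE.findall(code))

def lint(rules_text, scripts):
    """Return {sid: problem} for tls rules whose Lua init would not load."""
    problems = {}
    for line in rules_text.splitlines():
        line = line.strip()
        fields = line.split(None, 2)
        if line.startswith("#") or len(fields) < 3 or fields[1] != "tls":
            continue  # blank, commented out, or not a tls rule
        script, sid = SCRIPT_RE.search(line), SID_RE.search(line)
        if not (script and sid):
            continue  # rule does not reference a Lua script
        name, sid = script.group(1), int(sid.group(1))
        if name not in scripts:
            problems[sid] = f"{name}: script not found"
            continue
        keys = needs_keys(scripts[name])
        if "protocol" in keys:
            problems[sid] = f'{name}: needs["protocol"] is rejected (3.0RC3, per this thread)'
        elif "tls" not in keys:
            problems[sid] = f'{name}: init does not set needs["tls"]'
    return problems

if __name__ == "__main__":
    for sid, why in sorted(lint(RULES, SCRIPTS).items()):
        print(f"sid {sid}: {why}")
```
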


