[Oisf-devel] TLS Buffers for LUA Scripting?

Nasir Bilal bilalbox at gmail.com
Tue Jan 19 12:53:20 UTC 2016


Hey Peter,

I'd love to, but it looks like that page is migrated and no longer editable:
"*Do not edit. This page has been migrated.
See Converting_Wiki_Documentation_to_Sphinx
<https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Converting_Wiki_Documentation_to_Sphinx>."*
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output

I see how to convert the wiki documents at that link, but how do you edit
them after that?

Thanks,
Nasir

On Tue, Jan 19, 2016 at 5:45 AM Peter Manev <petermanev at gmail.com> wrote:

> On Sat, Jan 16, 2016 at 6:37 AM, Nasir Bilal <bilalbox at gmail.com> wrote:
> > After perusing the documentation and commit history more carefully, it looks
> > like my syntax was just extremely messed up. However, there are two
> > different sets of verbiage used: that in the documentation, and that in the
> > actually committed code:
> >
> > Documentation states that in order to be able to use TLS keywords in LUA
> > scripts we need to use the following init statement:
> > function init (args)
> >     local needs = {}
> >     needs["protocol"] = "tls"
> >     return needs
> > end
> >
> > However, when I attempt to load a rulebase that includes rules referencing a
> > LUA script with the 'needs["protocol"]' line in it, I get the following error
> > when running suricata 3.0RC3:
> > qnadmin at qn1:/etc/suricata/rules$ sudo suricata -c /etc/suricata/suricata.yaml -q 0 --init-errors-fatal
> > 16/1/2016 -- 00:14:06 - <Notice> - This is Suricata version 3.0RC3 RELEASE
> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] - unsupported data type protocol
> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "reject tls $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTPS $$$ - DROPPED"; flow:established,to_client; luajit:bl_shopping_https.lua; sid:10001008; rev:1;)" from file /etc/suricata/rules/drop.rules at line 37
> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
> >
> > However, in the commit history I find a different syntax required for the
> > init function (which works):
> >
> > lua: TLS support
> >
> > Support TLS in Lua detection scripts.
> >
> > function init (args)
> >     local needs = {}
> >     needs["tls"] = tostring(true)
> >     return needs
> > end
> >
> >
> > I know that the "protocol" keyword should be active in 3.0RC3 per the
> > documentation, so is this a temporary issue? Or should I go in and update
> > the documentation?
>
> Yes - I can confirm that. The init function's correct statement is
> "needs["tls"] = tostring(true)".
> Do you mind updating that part of the wiki docs?
>
>
> >
> > Thanks again all for your support!
> > Nasir
>
>
>
> --
> Regards,
> Peter Manev
>
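
An added example, not part of the original thread or of the Suricata source: a complete Lua detection script using the `needs["tls"]` registration confirmed above. The blocklist entries and the helper `subject_is_blocked` are constructed for illustration; `TlsGetCertInfo()` is the accessor described in Suricata's Lua documentation, and the nil check on its first return value is an assumption about how missing certificate data is reported.

```lua
-- Constructed sample data: lowercase fragments to look for in the
-- certificate subject. Replace with your own list.
local blocked_subjects = {
    "cn=shop.example.com",
    "o=example shopping ltd",
}

-- Register for TLS state. 3.0RC3 rejects needs["protocol"] = "tls" with
-- "unsupported data type protocol", so use the "tls" key instead.
function init(args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

-- Hypothetical helper: case-insensitive, plain-text (non-pattern) match
-- of the subject against the blocklist.
local function subject_is_blocked(subject)
    if type(subject) ~= "string" then
        return false
    end
    local s = string.lower(subject)
    for _, fragment in ipairs(blocked_subjects) do
        -- 4th argument true disables Lua pattern matching, so dots and
        -- dashes in the fragments are treated literally.
        if string.find(s, fragment, 1, true) then
            return true
        end
    end
    return false
end

-- Called by Suricata for the rule's luajit keyword; return 1 to match,
-- 0 otherwise.
function match(args)
    local version, subject, issuer, fingerprint = TlsGetCertInfo()
    -- Assumption: a nil first value means no certificate data is
    -- available yet, so do not match.
    if version == nil then
        return 0
    end
    if subject_is_blocked(subject) then
        return 1
    end
    return 0
end
```

Loading the rulebase with `--init-errors-fatal`, as in the quoted session, shows at startup whether the `init` registration is accepted.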