[Oisf-devel] TLS Buffers for LUA Scripting?

Jason Ish lists at unx.ca
Tue Jan 19 13:11:28 UTC 2016


Hi Nasir,

I've unlocked the wiki page, please keep your edits minimal so I can
merge them into the new doc.

At some point, doc updates like this will be a pull request.  A bit
more work than a wiki edit, but will keep the docs versioned along
with Suricata.

Thanks,
Jason


On Tue, Jan 19, 2016 at 6:53 AM, Nasir Bilal <bilalbox at gmail.com> wrote:
> Hey Peter,
>
> I'd love to, but it looks like that page is migrated and no longer editable:
> "Do not edit. This page has been migrated. See
> Converting_Wiki_Documentation_to_Sphinx."
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
>
> I see how to convert the wiki documents at that link, but how do you edit
> them after that?
>
> Thanks,
> Nasir
>
> On Tue, Jan 19, 2016 at 5:45 AM Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Sat, Jan 16, 2016 at 6:37 AM, Nasir Bilal <bilalbox at gmail.com> wrote:
>> > After perusing the documentation and commit history more carefully, it
>> > looks like my syntax was just extremely messed up. However, there are
>> > two different sets of verbiage used: that in the documentation, and
>> > that in the actually committed code:
>> >
>> > Documentation states that in order to be able to use TLS keywords in LUA
>> > scripts we need to use the following init statement:
>> > function init (args)
>> >     local needs = {}
>> >     needs["protocol"] = "tls"
>> >     return needs
>> > end
>> >
>> > However, when I attempt to load a rulebase that includes rules
>> > referencing a LUA script with the 'needs["protocol"]' line in it, I get
>> > the following error when running suricata 3.0RC3:
>> > qnadmin at qn1:/etc/suricata/rules$ sudo suricata -c
>> > /etc/suricata/suricata.yaml -q 0 --init-errors-fatal
>> > 16/1/2016 -- 00:14:06 - <Notice> - This is Suricata version 3.0RC3
>> > RELEASE
>> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] -
>> > unsupported data type protocol
>> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE:
>> > SC_ERR_INVALID_SIGNATURE(39)] -
>> > error parsing signature "reject tls $EXTERNAL_NET any -> $HOME_NET any
>> > (msg:"HTTPS $$$ - DROPPED"; flow:established,to_client;
>> > luajit:bl_shopping_https.lua; sid:10001008; rev:1;)" from file
>> > /etc/suricata/rules/drop.rules at line 37
>> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)]
>> > -
>> > Loading signatures failed.
>> >
>> > However, in the commit history I find a different syntax required for
>> > the
>> > init function (which works):
>> >
>> > lua: TLS support
>> >
>> > Support TLS in Lua detection scripts.
>> >
>> > function init (args)
>> >     local needs = {}
>> >     needs["tls"] = tostring(true)
>> >     return needs
>> > end
>> >
>> >
>> > I know that the "protocol" keyword should be active in 3.0RC3 per the
>> > documentation, so is this a temporary issue? Or should I go in and
>> > update the documentation?
>>
>> Yes - I can confirm that. The init function's correct statement is "
>> needs["tls"] = tostring(true) "
>> Do you mind updating that part of the wiki docs?
>>
>>
>> >
>> > Thanks again all for your support!
>> > Nasir
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
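
An added example, not part of the thread and not Suricata's own code: a complete Lua detection script built around the init form confirmed above, matching on the certificate subject. It assumes Suricata's TlsGetCertInfo() returns version, subject, issuer and fingerprint and that the subject is a comma-separated string containing CN=...; the suffix list and helper names are constructed for illustration.

```lua
-- Added example: Suricata Lua detection script, referenced from a rule
-- with the luajit keyword as in the rule quoted in the thread.
-- Assumption: TlsGetCertInfo() returns version, subject, issuer, fingerprint.

-- Constructed sample data: certificate CN suffixes to match.
local blocked_suffixes = { "shop.example", "store.example" }

function init (args)
    local needs = {}
    needs["tls"] = tostring(true)  -- form confirmed in the thread
    return needs
end

-- Pull the CN out of a subject such as "C=US, O=Example, CN=www.shop.example"
-- (assumed subject layout).
local function common_name(subject)
    if type(subject) ~= "string" then return nil end
    local cn = subject:match("CN=([^,/]+)")
    if cn == nil then return nil end
    cn = cn:gsub("%s+$", "")
    return cn:lower()
end

-- True when name equals the suffix or is a subdomain of it, so
-- "notshop.example" does not match "shop.example".
local function ends_with(name, suffix)
    return name == suffix or name:sub(-(#suffix + 1)) == "." .. suffix
end

function match(args)
    local version, subject, issuer, fingerprint = TlsGetCertInfo()
    local cn = common_name(subject)
    if cn == nil then
        return 0  -- no certificate available for this flow yet
    end
    for _, suffix in ipairs(blocked_suffixes) do
        if ends_with(cn, suffix) then
            return 1
        end
    end
    return 0
end

return 0
```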


