[Oisf-devel] TLS Buffers for LUA Scripting?

Nasir Bilal bilalbox at gmail.com
Tue Jan 19 13:49:32 UTC 2016


OK, editing is complete. It was quite minimal, as the only change was to
that init function syntax.

Regards,
Nasir

On Tue, Jan 19, 2016 at 8:11 AM Jason Ish <lists at unx.ca> wrote:

> Hi Nasir,
>
> I've unlocked the wiki page, please keep your edits minimal so I can
> merge them into the new doc.
>
> At some point, doc updates like this will be a pull request.  A bit
> more work than a wiki edit, but will keep the docs versioned along
> with Suricata.
>
> Thanks,
> Jason
>
>
> On Tue, Jan 19, 2016 at 6:53 AM, Nasir Bilal <bilalbox at gmail.com> wrote:
> > Hey Peter,
> >
> > I'd love to, but it looks like that page is migrated and no longer
> editable:
> > "Do not edit. This page has been migrated. See
> > Converting_Wiki_Documentation_to_Sphinx."
> >
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
> >
> > I see how to convert the wiki documents at that link, but how do you edit
> > them after that?
> >
> > Thanks,
> > Nasir
> >
> > On Tue, Jan 19, 2016 at 5:45 AM Peter Manev <petermanev at gmail.com>
> wrote:
> >>
> >> On Sat, Jan 16, 2016 at 6:37 AM, Nasir Bilal <bilalbox at gmail.com>
> wrote:
> >> > After perusing the documentation and commit history more carefully, it
> >> > looks
> >> > like my syntax was just extremely messed up. However, there are two
> >> > different sets of verbiage used: that in the documentation, and that in
> >> > the
> >> > actually committed code:
> >> >
> >> > Documentation states that in order to be able to use TLS keywords in
> LUA
> >> > scripts we need to use the following init statement:
> >> > function init (args)
> >> >     local needs = {}
> >> >     needs["protocol"] = "tls"
> >> >     return needs
> >> > end
> >> >
> >> > However, when I attempt to load a rulebase that includes rules
> >> > referencing a
> >> > LUA script with the 'needs["protocol"]' line in it, I get the following
> >> > error
> >> > when running suricata 3.0RC3:
> >> > qnadmin at qn1:/etc/suricata/rules$ sudo suricata -c
> >> > /etc/suricata/suricata.yaml -q 0 --init-errors-fatal
> >> > 16/1/2016 -- 00:14:06 - <Notice> - This is Suricata version 3.0RC3
> >> > RELEASE
> >> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] -
> >> > unsupported data type protocol
> >> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE:
> >> > SC_ERR_INVALID_SIGNATURE(39)] -
> >> > error parsing signature "reject tls $EXTERNAL_NET any -> $HOME_NET any
> >> > (msg:"HTTPS $$$ - DROPPED"; flow:established,to_client;
> >> > luajit:bl_shopping_https.lua; sid:10001008; rev:1;)" from file
> >> > /etc/suricata/rules/drop.rules at line 37
> >> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE:
> SC_ERR_NO_RULES_LOADED(43)]
> >> > -
> >> > Loading signatures failed.
> >> >
> >> > However, in the commit history I find a different syntax required for
> >> > the
> >> > init function (which works):
> >> >
> >> > lua: TLS support
> >> >
> >> > Support TLS in Lua detection scripts.
> >> >
> >> > function init (args)
> >> >     local needs = {}
> >> >     needs["tls"] = tostring(true)
> >> >     return needs
> >> > end
> >> >
> >> >
> >> > I know that the "protocol" keyword should be active in 3.0RC3 per the
> >> > documentation, so is this a temporary issue? Or should I go in and
> >> > update
> >> > the documentation?
> >>
> >> Yes - I can confirm that. The init function's correct statement is "
> >> needs["tls"] = tostring(true) "
> >> Do you mind updating that part of the wiki docs?
> >>
> >>
> >> >
> >> > Thanks again all for your support!
> >> > Nasir
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
>
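
An added example, not part of the thread or of the Suricata project's code: a small Lua detection script built around the init form confirmed above. The script's purpose, the BLOCKED_SUBJECTS values and the match logic are constructed for illustration, and the availability of TlsGetCertInfo (the TLS function documented for Suricata Lua scripts) in detection scripts on a given Suricata version is an assumption.

```lua
-- Hypothetical detection script, referenced from a rule with the
-- luajit:<script>.lua keyword as in the rule quoted in the thread.

-- Constructed sample values: substrings to look for in the certificate subject.
local BLOCKED_SUBJECTS = {
    "CN=shop.example.com",
    "O=Example Retail Ltd",
}

function init (args)
    local needs = {}
    -- Detection-script form confirmed in the thread.
    -- needs["protocol"] = "tls" fails at rule load on 3.0RC3 with
    -- "unsupported data type protocol".
    needs["tls"] = tostring(true)
    return needs
end

function match (args)
    -- Assumption: TlsGetCertInfo is registered for detection scripts and
    -- returns version, subject, issuer, fingerprint (nil before a cert is seen).
    local version, subject, issuer, fingerprint = TlsGetCertInfo()
    if subject == nil then
        return 0  -- no certificate parsed yet: no match
    end

    for _, pattern in ipairs(BLOCKED_SUBJECTS) do
        -- Plain substring search (4th argument true disables Lua patterns),
        -- so characters such as "." and "-" in names are matched literally.
        if string.find(subject, pattern, 1, true) then
            return 1  -- match: the rule's action applies
        end
    end
    return 0
end
```

Loading the rulebase with the `--init-errors-fatal` invocation shown in the thread surfaces an init-syntax problem at startup rather than silently running without the rule.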