[Oisf-devel] TLS Buffers for LUA Scripting?

Peter Manev petermanev at gmail.com
Tue Jan 19 14:01:30 UTC 2016


On Tue, Jan 19, 2016 at 2:49 PM, Nasir Bilal <bilalbox at gmail.com> wrote:
> OK, editing is complete. It was quite minimal, as the only change was to
> that init function syntax.

Thank you both!

>
> Regards,
> Nasir
>
> On Tue, Jan 19, 2016 at 8:11 AM Jason Ish <lists at unx.ca> wrote:
>>
>> Hi Nasir,
>>
>> I've unlocked the wiki page, please keep your edits minimal so I can
>> merge them into the new doc.
>>
>> At some point, doc updates like this will be a pull request.  A bit
>> more work than a wiki edit, but will keep the docs versioned along
>> with Suricata.
>>
>> Thanks,
>> Jason
>>
>>
>> On Tue, Jan 19, 2016 at 6:53 AM, Nasir Bilal <bilalbox at gmail.com> wrote:
>> > Hey Peter,
>> >
>> > I'd love to, but it looks like that page is migrated and no longer
>> > editable:
>> > "Do not edit. This page has been migrated. See
>> > Converting_Wiki_Documentation_to_Sphinx."
>> >
>> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
>> >
>> > I see how to convert the wiki documents at that link, but how do you
>> > edit
>> > them after that?
>> >
>> > Thanks,
>> > Nasir
>> >
>> > On Tue, Jan 19, 2016 at 5:45 AM Peter Manev <petermanev at gmail.com>
>> > wrote:
>> >>
>> >> On Sat, Jan 16, 2016 at 6:37 AM, Nasir Bilal <bilalbox at gmail.com>
>> >> wrote:
>> >> > After perusing the documentation and commit history more carefully,
>> >> > it
>> >> > looks
>> >> > like my syntax was just extremely messed up. However, there are two
>> >> > different sets of verbiage used: that in the documentation, and that
>> >> > in
>> >> > the
>> >> > actually committed code:
>> >> >
>> >> > Documentation states that in order to be able to use TLS keywords in
>> >> > LUA
>> >> > scripts we need to use the following init statement:
>> >> > function init (args)
>> >> >     local needs = {}
>> >> >     needs["protocol"] = "tls"
>> >> >     return needs
>> >> > end
>> >> >
>> >> > However, when I attempt to load a rulebase that includes rules
>> >> > referencing a
>> >> > LUA script with the 'needs["protocol"]' line in it, I get the following
>> >> > error
>> >> > when running suricata 3.0RC3:
>> >> > qnadmin at qn1:/etc/suricata/rules$ sudo suricata -c
>> >> > /etc/suricata/suricata.yaml -q 0 --init-errors-fatal
>> >> > 16/1/2016 -- 00:14:06 - <Notice> - This is Suricata version 3.0RC3
>> >> > RELEASE
>> >> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE: SC_ERR_LUA_ERROR(212)] -
>> >> > unsupported data type protocol
>> >> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE:
>> >> > SC_ERR_INVALID_SIGNATURE(39)] -
>> >> > error parsing signature "reject tls $EXTERNAL_NET any -> $HOME_NET
>> >> > any
>> >> > (msg:"HTTPS $$$ - DROPPED"; flow:established,to_client;
>> >> > luajit:bl_shopping_https.lua; sid:10001008; rev:1;)" from file
>> >> > /etc/suricata/rules/drop.rules at line 37
>> >> > 16/1/2016 -- 00:14:06 - <Error> - [ERRCODE:
>> >> > SC_ERR_NO_RULES_LOADED(43)]
>> >> > -
>> >> > Loading signatures failed.
>> >> >
>> >> > However, in the commit history I find a different syntax required for
>> >> > the
>> >> > init function (which works):
>> >> >
>> >> > lua: TLS support
>> >> >
>> >> > Support TLS in Lua detection scripts.
>> >> >
>> >> > function init (args)
>> >> >     local needs = {}
>> >> >     needs["tls"] = tostring(true)
>> >> >     return needs
>> >> > end
>> >> >
>> >> >
>> >> > I know that the "protocol" keyword should be active in 3.0RC3 per the
>> >> > documentation, so is this a temporary issue? Or should I go in and
>> >> > update
>> >> > the documentation?
>> >>
>> >> Yes - I can confirm that. The init function's correct statement is "
>> >> needs["tls"] = tostring(true) "
>> >> Do you mind updating that part of the wiki docs?
>> >>
>> >>
>> >> >
>> >> > Thanks again all for your support!
>> >> > Nasir
>> >>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Peter Manev



-- 
Regards,
Peter Manev
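
Added example (not part of the original thread and not Suricata project code): a complete detection script built around the init syntax confirmed above, matching on the certificate subject CN. The file name, the blocklist entries and the sample subject are constructed; it assumes Suricata's Lua function TlsGetCertInfo() is available to detection scripts in the build in use and that match() returns 1 for a match and 0 otherwise.

```lua
-- Hypothetical detection script, referenced from a rule as
-- luajit:tls_cn_blocklist.lua (file name is an assumption).

-- Constructed blocklist of domains (placeholders, not real indicators).
local blocked = { ["shop.example"] = true, ["store.example"] = true }

-- init syntax confirmed in this thread; needs["protocol"] = "tls" fails
-- to load on 3.0RC3 with "unsupported data type protocol".
function init (args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

-- Extract the CN from a subject such as "C=US, O=Acme, CN=www.shop.example".
-- Returns a lowercased name with any leading "*." removed, or nil.
local function subject_cn(subject)
    if type(subject) ~= "string" then return nil end
    local cn = subject:match("CN=([^,/]+)")
    if not cn then return nil end
    cn = cn:lower():gsub("^%*%.", "")
    return cn
end

-- True when host equals a blocked domain or is a subdomain of one.
local function is_blocked(host)
    while host do
        if blocked[host] then return true end
        host = host:match("^[^.]+%.(.+)$")  -- strip the leftmost label
    end
    return false
end

function match(args)
    -- TlsGetCertInfo() returns version, subject, issuer, fingerprint.
    local version, subject = TlsGetCertInfo()
    if version == nil then return 0 end      -- no certificate seen yet
    if is_blocked(subject_cn(subject)) then return 1 end
    return 0
end

-- Self-check on constructed input; runs only under a standalone lua
-- interpreter (which sets the global `arg`), not inside Suricata.
if arg and not TlsGetCertInfo then
    local s = "C=US, O=Constructed Org, CN=*.shop.example"
    assert(subject_cn(s) == "shop.example")
    assert(is_blocked("www.shop.example") and not is_blocked("notshop.example"))
    print("self-check ok")
end
```

Matching on the subject CN only covers what the server certificate presents; a certificate shared across many hostnames can carry a CN that differs from the site the client requested.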


