[Oisf-users] Luajit test rules

Chris Wakelin c.d.wakelin at reading.ac.uk
Fri Sep 28 20:18:34 UTC 2012

Here's a couple of Luajit rules I've been trying:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT test - match XORed binary"; flowbits:isset,ET.http.javaclient.vulnerable; flowbits:isnotset,ET.http.binary; luajit:xor-binary-detect4.lua; sid:379000001; rev:4;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT zip test - match Blackhole 2.x Jar"; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK"; luajit:suri-bh2-jar.lua; sid:379000002; rev:1;)

The latter needs the luazip library installed of course (liblua5.1-zip0
on Ubuntu 12.04), and they rely on emerging-policy.rules from the
Emerging Threats ruleset.

The first rule is quite expensive on my system (not entirely sure why)
but the second should be OK. It relies on creating a temporary file via
os.tmpname() for the zip (/tmp/lua_<something> on my system), and it's
possible it doesn't always clean up after itself so needs to be used
with care.

As it happens the Blackhole 2.x Jar files have had constant class file
names all week, so a normal signature could work. Still this is proof of
concept :)

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xor-binary-detect4.lua
Type: text/x-lua
Size: 5697 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120928/300ebd31/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suri-bh2-jar.lua
Type: text/x-lua
Size: 753 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120928/300ebd31/attachment-0001.bin>
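
Added example, not part of the original message and not the scrubbed suri-bh2-jar.lua attachment: one way a luajit match script can list a zip through a temporary file from os.tmpname() and still remove that file on every path, which is the cleanup concern raised above. It assumes the script is handed the "http.response_body" buffer with the whole archive in it, that luazip loads as "zip", and the class names are placeholders.

```lua
-- Added example; the original attachment's contents are not shown on this page.
-- Assumptions: buffer name "http.response_body", complete archive in the buffer,
-- luazip available via require "zip". SUSPECT_NAMES are constructed placeholders.
local zip = require "zip"

local SUSPECT_NAMES = {
    ["PLACEHOLDER_A.class"] = true,
    ["PLACEHOLDER_B.class"] = true,
}

-- Tell Suricata which buffer the script wants to inspect.
function init(args)
    local needs = {}
    needs["http.response_body"] = tostring(true)
    return needs
end

-- Write the body to `path`, open it as a zip and look for a listed entry name.
-- Any failure raises an error; the caller runs this under pcall.
local function scan_zip(path, body)
    local out = assert(io.open(path, "wb"))
    out:write(body)
    out:close()
    local zfile = assert(zip.open(path))
    local hit = false
    for entry in zfile:files() do
        if SUSPECT_NAMES[entry.filename] then
            hit = true
            break
        end
    end
    zfile:close()
    return hit
end

function match(args)
    local body = args["http.response_body"]
    -- Cheap pre-check: zip local file headers start with "PK".
    if not body or body:sub(1, 2) ~= "PK" then
        return 0
    end
    local path = os.tmpname()
    local ok, hit = pcall(scan_zip, path, body)
    os.remove(path)  -- runs whether scan_zip returned or raised
    if ok and hit then
        return 1
    end
    return 0
end
```

Because os.remove() sits after the pcall rather than inside the scanning function, a truncated or malformed archive cannot leave /tmp/lua_* files behind.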
