[Oisf-users] Luajit test rules

Victor Julien victor at inliniac.net
Sat Sep 29 10:31:18 UTC 2012

Nice work Chris,

On 09/28/2012 10:18 PM, Chris Wakelin wrote:
> Here's a couple of Luajit rules I've been trying:
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT test - match
> XORed binary"; flowbits:isset,ET.http.javaclient.vulnerable;
> flowbits:isnotset,ET.http.binary; luajit:xor-binary-detect4.lua;
> sid:379000001; rev:4;)
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT zip test -
> match Blackhole 2.x Jar"; flowbits:isset,ET.http.javaclient;
> content:"|0D 0A 0D 0A|PK"; luajit:suri-bh2-jar.lua; sid:379000002; rev:1;)

Have you tried "file_data; content:"PK"; depth:2;"? Then sig and script
work on the same buffer.

> The latter needs the luazip library installed of course (liblua5.1-zip0
> on Ubuntu 12.04), and they rely on emerging-policy.rules from the
> Emerging Threats ruleset.
> The first rule is quite expensive on my system (not entirely sure why)
> but the second should be OK. It relies on creating a temporary file via
> os.tmpname() for the zip (/tmp/lua_<something> on my system), and it's
> possible it doesn't always clean up after itself so needs to be used
> with care.

Too bad the lib doesn't support working on mem buffers. Adding file io
to the mix is ehhh... sub-optimal :)

> As it happens the Blackhole 2.x Jar files have had constant class file
> names all week, so a normal signature could work. Still this is proof of
> concept :)

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
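The check the thread describes (prefilter on the "PK" magic at the start of the response body, then look inside the JAR for known class names) can be done entirely on the in-memory buffer, which is the point Victor raises about the luazip temp-file approach. The block below is an added example, not Chris's script or anything from the Suricata project: it mirrors the shape of a Suricata Lua match() function in Python using only the standard library, and the class-name watchlist and sample JARs are constructed placeholders, since the thread gives no actual names.

```python
# Added example (not from the thread): in-memory JAR check with the same logic
# a luajit script would apply, but without writing the zip to a temp file.
import io
import zipfile

# Hypothetical watchlist. The thread says the Blackhole 2.x jars had constant
# class file names that week but does not list them; these are placeholders.
SUSPECT_CLASS_NAMES = {"placeholder/Loader.class", "placeholder/Payload.class"}


def looks_like_zip(body: bytes) -> bool:
    """Cheap prefilter, equivalent to 'file_data; content:"PK"; depth:2;'."""
    return body[:2] == b"PK"


def jar_entry_names(body: bytes) -> list:
    """Read the zip central directory straight from the buffer.

    A truncated or non-zip body raises BadZipFile, which we treat as
    'no entries' so a partially-seen response never alerts.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def match(body: bytes) -> int:
    """Return 1 (alert) or 0 (no match), like a Suricata Lua match()."""
    if not looks_like_zip(body):
        return 0
    names = jar_entry_names(body)
    if not any(n.endswith(".class") for n in names):
        return 0  # a zip, but not a Java archive
    return 1 if any(n in SUSPECT_CLASS_NAMES for n in names) else 0


def build_jar(entries) -> bytes:
    """Construct a sample JAR in memory (test input, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

Because the body is never written to disk there is nothing to clean up, and a half-received response simply fails the zip parse instead of leaving a stray /tmp file.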
