[Oisf-users] Full url matching & luajit

Paul Apostolescu apbogdan at gmail.com
Wed Dec 17 01:06:54 UTC 2014


  I'm trying to implement a solution to efficiently integrate a blacklist
with thousands of elements in Suricata, blacklist which will contain full
URLs - <domain>/<context>/<page>.
   Since I do not want to have one rule per link (because of the sheer
size) an alternative solution would be to have a single rule using lua to
do the heavy lifting - but the problem with lua backed rules is: 1) they
can match on only one buffer and 2) there is no access to the host

   To fix this I now have two rules which communicate with each other using
flowvars: one sets the uri and one puts that together with the host by
parsing it out from the request headers.

Two questions:
1) is there a better solution to achieve what I'm looking for (which is
full url matching at scale)
2) if there is not what is the order in which luajit rules are run and is
there a way to set the order ?

From the tests it looks like, regardless of the position in the
rule file, the rule matching on uri always runs first, followed by the one on request
headers.


Thanks.
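The two-rule flowvar scheme described in the post, written out as an added example; this is not the poster's code (the original attachment was scrubbed from the archive) and not part of the Suricata project. It assumes the Suricata 2.0-era Lua rule API (init/match, ScFlowvarGet/ScFlowvarSet, the luajit rule keyword, the http.uri and http.request_headers buffers), assumed file names and sids, a constructed inline blacklist, and, as the post reports, that the http.uri rule is evaluated before the request-headers rule for the same request. It also assumes that a flowvar set from Lua is only committed to the flow when the script returns a match, which is why the first rule returns 1 and is silenced with flowbits:noalert.

```lua
-- Added example (not from the original post). Two scripts, one per buffer,
-- joined by the flowvar "bl_uri". Everything named here (file names, sids,
-- blacklist entries) is an assumption about the reader's setup.
--
-- Rules (assumed local.rules):
--   alert http any any -> any any (msg:"BL stash uri"; luajit:bl_uri.lua; \
--       flowbits:noalert; sid:9000001; rev:1;)
--   alert http any any -> any any (msg:"BL full URL hit"; luajit:bl_match.lua; \
--       classtype:bad-unknown; sid:9000002; rev:1;)

-- ===================== file: bl_uri.lua =====================
-- Runs against the normalised URI buffer and stashes the path in a flowvar.

function init(args)
    local needs = {}
    needs["http.uri"] = tostring(true)
    needs["flowvar"] = { "bl_uri" }   -- index 0 in ScFlowvarGet/ScFlowvarSet
    return needs
end

function match(args)
    local uri = args["http.uri"]
    if uri == nil or uri == "" then
        return 0
    end
    -- Blacklist entries are <domain>/<context>/<page>; drop any query string
    -- or fragment so "/ctx/page?x=1" still matches "/ctx/page".
    local path = uri:match("^([^?#]*)")
    if path == "" then
        return 0
    end
    ScFlowvarSet(0, path, #path)
    -- Return a match so the (silent, flowbits:noalert) rule fires and the
    -- pending flowvar is committed to the flow (assumption, see lead-in).
    return 1
end

-- ===================== file: bl_match.lua =====================
-- Runs against the raw request headers, pulls Host out, joins it with the
-- stashed path and looks the result up in the blacklist.

-- Constructed sample blacklist (assumption). In production, load it from a
-- file when the script is loaded, normalised the same way: lower-case host,
-- no port, no query string.
local BLACKLIST_ENTRIES = {
    "evil.example.com/context/page",
    "evil.example.com/other/landing.php",
    "phish.example.net/login/index.html",
}

-- Hash set: constant-time lookup however long the list is, which is the
-- whole reason for one Lua rule instead of thousands of content rules.
local blacklist = {}
for _, entry in ipairs(BLACKLIST_ENTRIES) do
    blacklist[entry:lower()] = true
end

-- Extract and normalise the Host header from the "Name: value\r\n" block.
-- Header names are case-insensitive, so compare lower-cased.
local function host_from_headers(headers)
    for name, value in headers:gmatch("([^\r\n:]+):%s*([^\r\n]*)") do
        if name:lower() == "host" then
            value = value:lower():gsub("%s+$", "")  -- trailing whitespace
            value = value:gsub(":%d+$", "")         -- explicit port
            return value
        end
    end
    return nil
end

function init(args)
    local needs = {}
    needs["http.request_headers"] = tostring(true)
    needs["flowvar"] = { "bl_uri" }   -- same flowvar name as in bl_uri.lua
    return needs
end

function match(args)
    local headers = args["http.request_headers"]
    local path = ScFlowvarGet(0)       -- set by bl_uri.lua earlier on this flow
    if headers == nil or path == nil then
        return 0
    end
    local host = host_from_headers(headers)
    if host == nil then
        return 0   -- e.g. HTTP/1.0 request without Host: nothing to match on
    end
    if blacklist[host .. path] then
        return 1
    end
    return 0
end
```

Two caveats a practitioner will hit with this layout. First, a flowvar lives on the flow, not the request: on a keep-alive connection a later request for which bl_uri.lua does not set the variable (for example an empty path) would let bl_match.lua see the previous request's path, so either clear the variable or fold a per-request marker into it if that matters for your traffic. Second, the lookup is exact, so the normalisation applied when building the list must match what Suricata hands the script (the http.uri buffer is the normalised URI, the Host value is taken verbatim from the headers), otherwise entries silently never match.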