[Oisf-users] Full url matching & luajit

Victor Julien lists at inliniac.net
Wed Dec 17 08:26:32 UTC 2014

On 12/17/2014 02:06 AM, Paul Apostolescu wrote:
>   I'm trying to implement a solution to efficiently integrate a
> blacklist with thousands of elements in Suricata, blacklist which will
> contain full URLs - <domain>/<context>/<page>.
>    Since I do not want to have one rule per link (because of the sheer
> size) an alternative solution would be to have a single rule using lua
> to do the heavy lifting - but the problem with lua backed rules is: 1)
> they can match on only one buffer and 2) there is no access to the host
>    To fix this I have now two rules which communicate with each other
> using flowvars, one sets the uri and one puts that together w. the host
> by parsing it out from the request headers.
> Two questions:
> 1) is there a better solution to achieve what I'm looking for (which is
> full url matching at scale)
> 2) if there is not what is the order in which luajit rules are run and
> is there a way to set the order ? 
> From the tests is looks like always (regardless of the position in the
> rule) the rule matching on uri runs first, follow by the one on request
> headers.

If you're willing to run our beta/git master code, you can get access to
the host.

In your match() function, the host should be available through:

host = HttpGetRequestHost()

Some more callbacks:

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list