[Oisf-users] Full url matching & luajit
Victor Julien
lists at inliniac.net
Wed Dec 17 08:26:32 UTC 2014
On 12/17/2014 02:06 AM, Paul Apostolescu wrote:
> I'm trying to implement a solution to efficiently integrate a
> blacklist with thousands of elements in Suricata, blacklist which will
> contain full URLs - <domain>/<context>/<page>.
> Since I do not want to have one rule per link (because of the sheer
> size) an alternative solution would be to have a single rule using lua
> to do the heavy lifting - but the problem with lua backed rules is: 1)
> they can match on only one buffer and 2) there is no access to the host
>
> To fix this I have now two rules which communicate with each other
> using flowvars, one sets the uri and one puts that together w. the host
> by parsing it out from the request headers.
>
> Two questions:
> 1) is there a better solution to achieve what I'm looking for (which is
> full url matching at scale)
> 2) if there is not what is the order in which luajit rules are run and
> is there a way to set the order ?
>
> From the tests it looks like always (regardless of the position in the
> rule) the rule matching on uri runs first, followed by the one on request
> headers.
>
If you're willing to run our beta/git master code, you can get access to
the host.
In your match() function, the host should be available through:
host = HttpGetRequestHost()
Some more callbacks:
https://github.com/inliniac/suricata/blob/master/src/util-lua-http.c#L318
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
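The approach Victor describes, written out as an added example (not code from the thread or from the Suricata project): one Lua match script that joins the Host header and the request URI and looks the result up in a blacklist, so a single rule covers the whole list. It assumes the git-master HttpGetRequestHost() named above and HttpGetRequestUriRaw() from the same util-lua-http.c file, the 2014-era init() "needs" convention, and an assumed rule of the form `alert http any any -> any any (msg:"URL blacklist hit"; luajit:url_blacklist.lua; sid:1000001; rev:1;)`.

```lua
-- url_blacklist.lua (added example, not from the thread or Suricata itself)
-- Assumes HttpGetRequestHost() and HttpGetRequestUriRaw() from
-- util-lua-http.c on git master, and a rule loading it with "luajit:".

-- Constructed sample entries in the <domain>/<context>/<page> form the
-- question describes; a deployment would read thousands of these from a
-- file in init() instead of hard-coding them.
local blacklist = {
    ["bad.example.com/login/index.php"] = true,
    ["evil.example.net/download/update.exe"] = true,
}

-- Ask Suricata to run match() once the HTTP request headers are parsed,
-- which is when both the Host header and the URI are available.
function init(args)
    local needs = {}
    needs["http.request_headers"] = tostring(true)
    return needs
end

-- Lower-case the host, drop any ":port" suffix, and cut the query string
-- from the URI, so "Evil.Example.net:8080/download/update.exe?x=1" still
-- hits the list entry. gsub returns two values; only the string is kept.
function normalize(host, uri)
    host = string.lower(host)
    host = host:gsub(":%d+$", "")
    uri = uri:gsub("%?.*$", "")
    return host .. uri          -- URI already starts with "/"
end

-- Return 1 for a match and 0 otherwise, as Suricata expects from match().
function match(args)
    local host = HttpGetRequestHost()
    local uri = HttpGetRequestUriRaw()
    -- Either callback yields nil when the buffer is missing (e.g. a
    -- request without a Host header); treat that as no match.
    if host == nil or uri == nil then
        return 0
    end
    if blacklist[normalize(host, uri)] then
        return 1
    end
    return 0
end
```

Because the lookup is a single table index per request, the cost does not grow with the size of the list the way one rule per URL would.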