[Oisf-users] Full url matching & luajit

Paul Apostolescu apbogdan at gmail.com
Wed Dec 17 16:47:43 UTC 2014


Thanks, I'll give it a try.

On Wed, Dec 17, 2014 at 3:26 AM, Victor Julien <lists at inliniac.net> wrote:
>
> On 12/17/2014 02:06 AM, Paul Apostolescu wrote:
> > I'm trying to implement a solution to efficiently integrate a
> > blacklist with thousands of elements in Suricata, a blacklist which will
> > contain full URLs - <domain>/<context>/<page>.
> > Since I do not want to have one rule per link (because of the sheer
> > size) an alternative solution would be to have a single rule using lua
> > to do the heavy lifting - but the problem with lua-backed rules is: 1)
> > they can match on only one buffer and 2) there is no access to the host.
> >
> > To fix this I now have two rules which communicate with each other
> > using flowvars: one sets the uri and one puts that together with the host
> > by parsing it out from the request headers.
> >
> > Two questions:
> > 1) is there a better solution to achieve what I'm looking for (which is
> > full url matching at scale)?
> > 2) if there is not, what is the order in which luajit rules are run, and
> > is there a way to set the order?
> >
> > From the tests it looks like the rule matching on uri always runs first
> > (regardless of its position in the rule file), followed by the one on
> > request headers.
> >
>
> If you're willing to run our beta/git master code, you can get access to
> the host.
>
> In your match() function, the host should be available through:
>
> host = HttpGetRequestHost()
>
> Some more callbacks:
> https://github.com/inliniac/suricata/blob/master/src/util-lua-http.c#L318
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
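Putting Victor's pointer to work, as an added example that is not part of the thread or of Suricata's own code: a single luajit-backed rule script that combines the host from HttpGetRequestHost() with the raw request URI and looks the result up in a blacklist table, so the two-rule flowvar handshake is no longer needed. It assumes HttpGetRequestUriRaw() is available in match() alongside HttpGetRequestHost() (both live in util-lua-http.c linked above), and the blacklist entries are constructed sample values.

```lua
-- Added example (not from the thread): one lua-backed rule doing full-URL
-- blacklist matching. Attach it with a rule such as
--   alert http any any -> any any (msg:"URL blacklist hit"; luajit:urlbl.lua; sid:1;)
-- Assumption: HttpGetRequestUriRaw() exists next to HttpGetRequestHost().

-- Constructed sample blacklist; in practice load thousands of lines from a
-- file at script load time into this same table (key = url, value = true).
local blacklist = {
    ["evil.example/login/index.php"] = true,
    ["bad.example/dl/update.exe"]    = true,
}

-- Canonicalise host + uri so lookups are exact-match table hits:
-- lower-case the host, drop an explicit port, strip the query string.
local function canonical_url(host, uri)
    host = string.lower(host):gsub(":%d+$", "")
    uri = uri:gsub("%?.*$", "")
    return host .. uri
end

function init(args)
    -- Ask Suricata to run match() on HTTP transactions.
    local needs = {}
    needs["protocol"] = "http"
    return needs
end

function match(args)
    local host = HttpGetRequestHost()
    local uri = HttpGetRequestUriRaw()
    if host == nil or uri == nil then
        return 0   -- no usable request line/Host header yet
    end
    if blacklist[canonical_url(host, uri)] then
        return 1   -- blacklisted URL seen: rule fires
    end
    return 0
end
```

Because the whole URL is assembled inside one match() call, the ordering question in the original post (which of the two lua rules runs first) disappears along with the flowvar dependency.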