[Oisf-users] Suricata Lua API (stack overflow)

Shell_Xu xuh881026 at gmail.com
Fri Oct 4 04:55:59 UTC 2019


Yes, I am running in real traffic.
I need to record a custom HTTP request header. (Since I don't want to log
all HTTP headers, I didn't enable the dump-all-headers option.)
I uploaded my Suricata.yaml file and Lua script.

*http_audit_demo.lua*
*suricata_5.0_rc1_60G_36C.yaml*


On Thu, Oct 3, 2019 at 1:48 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Fri, Sep 27, 2019 at 7:45 AM Shell_Xu <xuh881026 at gmail.com> wrote:
> >
> > Hi, Suricata Team:
> >
> >     I tried to use Lua scripts to audit all HTTP traffic, but after the
> > script runs for about 30 seconds, the program automatically exits and
> > outputs the following message: PANIC: unprotected error in call to Lua API
> > (stack overflow). Since I don't want to log all HTTP headers, I didn't
> > enable the dump-all-headers option. Lua scripts were used to implement my
> > needs. But obviously, I have a problem now, can anyone help me?
> > Is this problem caused by Lua scripts unable to withstand HTTP traffic?
> >
> > Traffic 1.5Gbpps
> > CPU: 1 CPU 36 core
> > Memory: 60G
> > Suricata 5.0.0-rc1
> >
> > My Lua script code is in the attachment, please correct my mistake,
> > any help makes sense to me.
> >
>
>
> Hi,
>
> You are running it on live traffic, right?
> Is it possible to share your conf and a pcap for that as well?
> (after a short glance)
> What is the purpose of the script - you want to log each http
> transaction substituting true client ip for src wherever available ?
>
> Thank you
>
>
>
> --
> Regards,
> Peter Manev
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http_audit_demo.lua
Type: application/octet-stream
Size: 5692 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191004/06d6bc0f/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata_5.0_rc1_60G_36C.yaml
Type: application/octet-stream
Size: 69451 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20191004/06d6bc0f/attachment-0003.obj>

