projects / people / ms / suricata.git / blame
| Commit | Line | Data |
|---|---|---|
| 4256c1cc | 1 | .. _lua-detection: |
| 0c4bf2d3 | 2 | |
| 4256c1cc JF |
3 | Lua Scripting for Detection |
| 4 | =========================== | |
| 1e6df87e | 5 | |
| 1e6df87e JI |
6 | Syntax: |
| 7 | ||
| 8 | :: | |
| 9 | ||
| 73b355e2 | 10 | lua:[!]<scriptfilename>; |
| 1e6df87e JI |
11 | |
| 12 | The script filename will be appended to your default rules location. | |
| 13 | ||
| 14 | The script has 2 parts, an init function and a match function. First, the init. | |
| 15 | ||
| 16 | Init function | |
| 17 | ------------- | |
| 18 | ||
| 1e6df87e JI |
19 | .. code-block:: lua |
| 20 | ||
| 21 | function init (args) | |
| 22 | local needs = {} | |
| 23 | needs["http.request_line"] = tostring(true) | |
| 24 | return needs | |
| 25 | end | |
| 26 | ||
| 27 | The init function registers the buffer(s) that need | |
| 28 | inspection. Currently the following are available: | |
| 29 | ||
| 30 | * packet -- entire packet, including headers | |
| 31 | * payload -- packet payload (not stream) | |
| 360a6ace | 32 | * buffer -- the current sticky buffer |
| 59e5a21f JF |
33 | * stream |
| 34 | * dnp3 | |
| 35 | * dns.request | |
| 36 | * dns.response | |
| 37 | * dns.rrname | |
| 38 | * ssh | |
| 39 | * smtp | |
| 40 | * tls | |
| 1e6df87e JI |
41 | * http.uri |
| 42 | * http.uri.raw | |
| 43 | * http.request_line | |
| 44 | * http.request_headers | |
| 45 | * http.request_headers.raw | |
| 46 | * http.request_cookie | |
| 47 | * http.request_user_agent | |
| 48 | * http.request_body | |
| 49 | * http.response_headers | |
| 50 | * http.response_headers.raw | |
| 51 | * http.response_body | |
| 52 | * http.response_cookie | |
| 53 | ||
| 54 | All the HTTP buffers have a limitation: only one can be inspected by a | |
| 55 | script at a time. | |
| 56 | ||
| 57 | Match function | |
| 58 | -------------- | |
| 59 | ||
| 60 | .. code-block:: lua | |
| 61 | ||
| 62 | function match(args) | |
| 63 | a = tostring(args["http.request_line"]) | |
| 64 | if #a > 0 then | |
| 65 | if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then | |
| 66 | return 1 | |
| 67 | end | |
| 68 | end | |
| 69 | ||
| 70 | return 0 | |
| 71 | end | |
| 72 | ||
| 73 | The script can return 1 or 0. It should return 1 if the condition(s) | |
| 74 | it checks for match, 0 if not. | |
| 75 | ||
| 76 | Entire script: | |
| 77 | ||
| 78 | .. code-block:: lua | |
| 79 | ||
| 80 | function init (args) | |
| 81 | local needs = {} | |
| 82 | needs["http.request_line"] = tostring(true) | |
| 83 | return needs | |
| 84 | end | |
| 85 | ||
| 86 | function match(args) | |
| 87 | a = tostring(args["http.request_line"]) | |
| 88 | if #a > 0 then | |
| 89 | if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then | |
| 90 | return 1 | |
| 91 | end | |
| 92 | end | |
| 93 | ||
| 94 | return 0 | |
| 95 | end | |
| 96 | ||
| 97 | return 0 | |
| e7f1736f JF |
98 | |
| 99 | A comprehensive list of existing lua functions - with examples - can be found at :ref:`lua-functions` (some of them, however, | |
| 100 | work only for the lua-output functionality). |