projects / people / ms / suricata.git / blame
| Commit | Line | Data |
|---|---|---|
| 0c4bf2d3 EL |
1 | .. _lua-scripting: |
| 2 | ||
| 3366571e | 3 | Lua Scripting |
| 1e6df87e JI |
4 | ============= |
| 5 | ||
| 1e6df87e JI |
6 | Syntax: |
| 7 | ||
| 8 | :: | |
| 9 | ||
| 73b355e2 | 10 | lua:[!]<scriptfilename>; |
| 1e6df87e JI |
11 | |
| 12 | The script filename will be appended to your default rules location. | |
| 13 | ||
| 14 | The script has 2 parts, an init function and a match function. First, the init. | |
| 15 | ||
| 16 | Init function | |
| 17 | ------------- | |
| 18 | ||
| 1e6df87e JI |
19 | .. code-block:: lua |
| 20 | ||
| 21 | function init (args) | |
| 22 | local needs = {} | |
| 23 | needs["http.request_line"] = tostring(true) | |
| 24 | return needs | |
| 25 | end | |
| 26 | ||
| 27 | The init function registers the buffer(s) that need | |
| 28 | inspection. Currently the following are available: | |
| 29 | ||
| 30 | * packet -- entire packet, including headers | |
| 31 | * payload -- packet payload (not stream) | |
| 360a6ace | 32 | * buffer -- the current sticky buffer |
| 1e6df87e JI |
33 | * http.uri |
| 34 | * http.uri.raw | |
| 35 | * http.request_line | |
| 36 | * http.request_headers | |
| 37 | * http.request_headers.raw | |
| 38 | * http.request_cookie | |
| 39 | * http.request_user_agent | |
| 40 | * http.request_body | |
| 41 | * http.response_headers | |
| 42 | * http.response_headers.raw | |
| 43 | * http.response_body | |
| 44 | * http.response_cookie | |
| 45 | ||
| 46 | All the HTTP buffers have a limitation: only one can be inspected by a | |
| 47 | script at a time. | |
| 48 | ||
| 49 | Match function | |
| 50 | -------------- | |
| 51 | ||
| 52 | .. code-block:: lua | |
| 53 | ||
| 54 | function match(args) | |
| 55 | a = tostring(args["http.request_line"]) | |
| 56 | if #a > 0 then | |
| 57 | if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then | |
| 58 | return 1 | |
| 59 | end | |
| 60 | end | |
| 61 | ||
| 62 | return 0 | |
| 63 | end | |
| 64 | ||
| 65 | The script can return 1 or 0. It should return 1 if the condition(s) | |
| 66 | it checks for match, 0 if not. | |
| 67 | ||
| 68 | Entire script: | |
| 69 | ||
| 70 | .. code-block:: lua | |
| 71 | ||
| 72 | function init (args) | |
| 73 | local needs = {} | |
| 74 | needs["http.request_line"] = tostring(true) | |
| 75 | return needs | |
| 76 | end | |
| 77 | ||
| 78 | function match(args) | |
| 79 | a = tostring(args["http.request_line"]) | |
| 80 | if #a > 0 then | |
| 81 | if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then | |
| 82 | return 1 | |
| 83 | end | |
| 84 | end | |
| 85 | ||
| 86 | return 0 | |
| 87 | end | |
| 88 | ||
| 89 | return 0 | |
| e7f1736f JF |
90 | |
| 91 | A comprehensive list of existing lua functions - with examples - can be found at :ref:`lua-functions` (some of them, however, | |
| 92 | work only for the lua-output functionality). |