--- /dev/null
+Tests Lua's accessing variables from byte_extract and byte_math in lua match scripts.
--- /dev/null
+function init(args)
+ local needs = {}
+ needs["bytevar"] = {"var1", "var2"}
+ return needs
+end
+
+function match(args)
+ local var1 = SCByteVarGet(0)
+ local var2 = SCByteVarGet(1)
+
+ if var1 and var2 then
+ if var1 == 0x48545450 and var2 == 0x2f312e31 then
+ return 1
+ end
+ end
+ return 0
+end
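Review bot: The comparison constants in match() and the `SCByteVarGet(0)`/`(1)` indices carry no explanation, so the test reads as a pair of arbitrary numbers. 0x48545450 is the big-endian ASCII of "HTTP" and 0x2f312e31 is "/1.1", i.e. the first eight payload bytes of an HTTP/1.1 status line, and the 0/1 indices are positions in the `needs["bytevar"]` list built in init(), so reordering one side silently breaks the other. I would add `-- SCByteVarGet index = position of the name in needs["bytevar"]` above the first getter and `-- 0x48545450 = "HTTP", 0x2f312e31 = "/1.1" (big-endian ASCII of the status line)` above the comparison. The same applies to the lua-byte-math.lua section that follows, where 0x48545450 is again "HTTP". `args` is unused in both init() and match(); naming it `_args` would make that explicit.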
--- /dev/null
+function init(args)
+ local needs = {}
+ needs["bytevar"] = {"var2"}
+ return needs
+end
+
+function match(args)
+ local var2 = SCByteVarGet(0)
+
+ if var2 and var2 == 0x48545450 then
+ return 1
+ end
+
+ return 0
+end
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; byte_extract:4,0,var1; byte_extract:4,4,var2; lua:lua-byte-extract.lua; sid:1; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; byte_math: bytes 4, offset 0, oper +, rvalue 0, result var2; lua:lua-byte-math.lua; sid:2; rev:7;)
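Review bot: The byte_math rule on the second line uses `oper +, rvalue 0`, which leaves the extracted value unchanged, so sid 2 only proves that a byte_math result is visible to Lua, not that the arithmetic reached it; `rvalue 1` with the byte-math script expecting `0x48545451` instead of `0x48545450` would cover both. Both rules also keep `msg:"GPL ATTACK_RESPONSE id check returned root"` from the rule they were copied from, which does not describe what they test and makes the two alerts indistinguishable by message in the eve log; `msg:"lua byte_extract test"` and `msg:"lua byte_math test"` would do. As far as I can tell the `content:"uid=0|28|root|29|"` match is only a gate here, since neither byte_extract nor byte_math uses `relative` and both read from payload offset 0; a comment in the rules file saying so would save the next reader the same question.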
--- /dev/null
+pcap: ../flowbit-oring/input.pcap
+
+requires:
+ min-version: 7
+ lt-version: 8
+
+ features:
+ - HAVE_LUA
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
-function init(args)
- local needs = {}
- needs["bytevar"] = {"var1", "var2"}
- return needs
+local bytevars = require("suricata.bytevar")
+
+function init(sig)
+ bytevars.map(sig, "var1")
+ bytevars.map(sig, "var2")
+ return {}
+end
+
+function thread_init()
+ bv0 = bytevars.get("var1")
+ bv1 = bytevars.get("var2")
end
function match(args)
- local var1 = SCByteVarGet(0)
- local var2 = SCByteVarGet(1)
+ local var1 = bv0:value()
+ local var2 = bv1:value()
if var1 and var2 then
if var1 == 0x48545450 and var2 == 0x2f312e31 then
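Review bot: `bv0` and `bv1` are assigned in thread_init() without a `local` declaration, so they become globals of the script's Lua state; a chunk-level `local bv0, bv1` next to the `require` keeps them as upvalues shared by thread_init() and match() (which already assume the same state) and lets luacheck flag accidental globals. The names also carry over the index-based numbering of the removed `SCByteVarGet(0)`/`(1)` calls; `bv_var1`/`bv_var2` would tie each handle to the byte variable it wraps. If `bytevars.get` can return nil for an unmapped name, `bv0:value()` in match() would raise instead of returning 0 — I cannot tell from the hunk, so `assert(bv0, "var1 not mapped")` in thread_init() would document the expectation either way. The same applies to `bv2` in the lua-byte-math.lua hunk that follows. match() continues past the end of this hunk.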
-function init(args)
- local needs = {}
- needs["bytevar"] = {"var2"}
- return needs
+local bytevars = require("suricata.bytevar")
+
+function init(sig)
+ bytevars.map(sig, "var2")
+ return {}
+end
+
+function thread_init()
+ bv2 = bytevars.get("var2")
end
function match(args)
- local var2 = SCByteVarGet(0)
+ local var2 = bv2:value()
if var2 and var2 == 0x48545450 then
return 1
pcap: ../flowbit-oring/input.pcap
requires:
- min-version: 7
-
- features:
- - HAVE_LUA
+ min-version: 8
args:
- --set default-rule-path=${TEST_DIR}