+local rule = require("suricata.rule")
+
function init(args)
local needs = {}
return needs
end
function match(args)
- action = SCRuleAction()
+ local sig = rule.get_rule()
+ local action = sig:action()
if action == "alert" then
return 1
+local rule = require("suricata.rule")
+
function init(args)
local needs = {}
return needs
end
function match(args)
- msg, prio = SCRuleClass()
+ local sig = rule.get_rule()
+
+ local class_description = sig:class_description()
+ if class_description ~= "Potentially Bad Traffic" then
+ return 0
+ end
- if msg == "Potentially Bad Traffic" and prio == 2 then
- return 1
- else
- return 0
+ local priority = sig:priority()
+ if priority ~= 2 then
+ return 0
end
+
+ return 1
end
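Review bot: The rewritten match() now reads two rule fields in sequence and bails out on each, but nothing says which rule it is meant to accept, so a reader has to cross-reference the rules file to see why "Potentially Bad Traffic" and 2 are the expected pair. A one-line header before `function match(args)` such as `-- Match only rules whose classtype resolves to "Potentially Bad Traffic" at priority 2; every other class or priority returns 0` would document the contract in place. The literal description presumably comes from the classtype's classification.config entry, so if that mapping is what the test depends on, say so in the comment rather than leaving it implicit.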
+local rule = require("suricata.rule")
+
function init(args)
local needs = {}
return needs
end
function match(args)
- sid, rev, gid = SCRuleIds()
+ local sig = rule.get_rule()
+ local sid = sig:sid()
+ local rev = sig:rev()
+ local gid = sig:gid()
if sid == 1 and rev == 7 and gid == 1 then
return 1
+local rule = require("suricata.rule")
+
function init(args)
local needs = {}
return needs
end
function match(args)
- msg = SCRuleMsg()
+ local sig = rule.get_rule()
+ local msg = sig:msg()
if msg == "FOO" then
return 1
pcap: ../flowbit-oring/input.pcap
requires:
- min-version: 7
+ min-version: 8
features:
- HAVE_LUA
-- lua_pushinteger output test for SCRuleIds and ...
local packet = require "suricata.packet"
+local rule = require "suricata.rule"
+
name = "lua-scrule-ids.log"
function init(args)
- local needs = {}
- needs["type"] = "packet"
- needs["filter"] = "alerts"
- return needs
+ return {
+ type = "packet",
+ filter = "alerts",
+ }
end
function setup(args)
function log(args)
p = packet.get()
timestring = p:timestring_legacy()
- sid, rev, gid = SCRuleIds()
+ local sig = rule.get_rule()
+ local sid = sig:sid()
+ local rev = sig:rev()
+ local gid = sig:gid()
file:write ("[**] " .. timestring .. "\nSCRuleIds is\n[**]\nSignature id: " .. sid .. "\nrevision: " .. rev .. "\nGroup id: " .. gid .. "[**]")
file:flush()
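Review bot: `p = packet.get()` and `timestring = p:timestring_legacy()` at the top of log() remain accidental globals while the three rule-field reads added just below them are `local`; for consistency declare them `local p = packet.get()` and `local timestring = p:timestring_legacy()`. The comment on the hunk's first context line still says the script tests SCRuleIds, which this hunk removes from the code; it should name `rule.get_rule()` / `sig:sid()` instead (the `SCRuleIds is` text inside the written log line is output the test presumably compares against, so that string should stay as is). `file` is assumed to be initialised in setup(), whose body is outside the hunk.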
--- /dev/null
+Tests Lua's SCRule functions for match scripts.
--- /dev/null
+function init(args)
+ local needs = {}
+ return needs
+end
+
+function match(args)
+ action = SCRuleAction()
+
+ if action == "alert" then
+ return 1
+ else
+ return 0
+ end
+end
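Review bot: `action = SCRuleAction()` in match() assigns an accidental global; it should be `local action = SCRuleAction()`. The same pattern appears in the sibling scripts added in this commit (`msg, prio = SCRuleClass()`, `sid, rev, gid = SCRuleIds()`, `msg = SCRuleMsg()`). Since this directory is pinned to the pre-8 API by the accompanying test.yaml, a header comment such as `-- Legacy SCRule* globals (Suricata 7.x); the 8.x version of this test uses require("suricata.rule")` would tell a reader why a near-duplicate of the parent test exists.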
--- /dev/null
+function init(args)
+ local needs = {}
+ return needs
+end
+
+function match(args)
+ msg, prio = SCRuleClass()
+
+ if msg == "Potentially Bad Traffic" and prio == 2 then
+ return 1
+ else
+ return 0
+ end
+end
--- /dev/null
+function init(args)
+ local needs = {}
+ return needs
+end
+
+function match(args)
+ sid, rev, gid = SCRuleIds()
+
+ if sid == 1 and rev == 7 and gid == 1 then
+ return 1
+ else
+ return 0
+ end
+end
--- /dev/null
+function init(args)
+ local needs = {}
+ return needs
+end
+
+function match(args)
+ msg = SCRuleMsg()
+
+ if msg == "FOO" then
+ return 1
+ else
+ return 0
+ end
+end
--- /dev/null
+%YAML 1.1
+---
+
+include: ../../../etc/suricata-4.0.3.yaml
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-ids.lua; sid:1; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-ids.lua; sid:2; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-action.lua; sid:3; rev:7;)
+drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-action.lua; sid:4; rev:7;)
+alert ip any any -> any any (msg:"FOO"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-msg.lua; sid:5; rev:7;)
+alert ip any any -> any any (msg:"BAR"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-msg.lua; sid:6; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-class.lua; sid:7; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:not-suspicious; lua:lua-scrule-class.lua; sid:8; rev:7;)
--- /dev/null
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+ min-version: 7
+ lt-version: 8
+ features:
+ - HAVE_LUA
+
+args:
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 5
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 7
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 8
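Review bot: The `--set security.lua.allow-rules=true` argument carries no comment, yet it is the one setting that turns on Lua execution inside detection rules for the whole run; a line like `# Lua match scripts in rules are opt-in; enabled here for this test only` above the `args:` block would make that explicit. Likewise `lt-version: 8` is what confines this copy to the legacy SCRule* globals used by the scripts in this directory, and a short comment saying so would stop someone from "fixing" the version bound when the parent test is updated. The checks pair each script with a positive and a negative sid, which is good: a script that fails to load would show up as a missing positive count rather than being hidden behind a `count: 0` expectation.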