From: Jason Ish Date: Mon, 12 Jun 2023 17:42:59 +0000 (-0600) Subject: doc/userguide: notes about Lua rules being disabled by default X-Git-Tag: suricata-6.0.13~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea3a470eb90f776510c6a4bd36c0c01fd3681389;p=thirdparty%2Fsuricata.git doc/userguide: notes about Lua rules being disabled by default --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 91c0ca0985..13f9a8c74c 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -2480,3 +2480,21 @@ detect thread. For each output script, a single state is used. Keep in mind that a rule reload temporary doubles the states requirement. .. _deprecation policy: https://suricata.io/our-story/deprecation-policy/ + +.. _suricata-yaml-config-hardening: + +Configuration hardening +----------------------- + +Lua +~~~ + +Suricata 6.0.13 disables Lua rules by default. Lua rules can be +enabled in the ``security.lua`` section of the configuration file: + +:: + + security: + lua: + # Allow Lua rules. Disabled by default. + #allow-rules: false diff --git a/doc/userguide/rules/rule-lua-scripting.rst b/doc/userguide/rules/rule-lua-scripting.rst index 53eddb7c58..f2909f36e0 100644 --- a/doc/userguide/rules/rule-lua-scripting.rst +++ b/doc/userguide/rules/rule-lua-scripting.rst @@ -3,6 +3,10 @@ Lua Scripting ============= +.. note:: Lua is disabled by default for use in rules, it must be + enabled in the configuration file. See the ``security.lua`` + section of ``suricata.yaml`` and enable ``allow-rules``. + Syntax: :: diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index b7ee28ac22..c93ba03d7c 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst 
@@ -30,6 +30,11 @@ by the ones Suricata supplies. Major updates include new features, new default settings and often also remove features. +Upgrading to 6.0.13 +------------------- +- Lua rules have been disabled. To enable them see + :ref:`suricata-yaml-config-hardening`. + Upgrading from 6.0.4 to 6.0.5 ----------------------------- - FTP has been updated with a maximum command request and response line length of 4096 bytes. To change the default see :ref:`suricata-yaml-configure-ftp`.
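Review bot: in the ``suricata-yaml.rst`` hunk, the sample block only shows the commented-out default ``#allow-rules: false``, so the text says Lua rules "can be enabled" without ever showing the enabling value. Suggest either showing ``allow-rules: true`` in the example or adding a sentence that says to uncomment the key and set it to ``true``. The comment "Allow Lua rules. Disabled by default." sitting directly above a ``false`` value is also easy to misread. Since the section is titled "Configuration hardening", one sentence on why Lua rules are now off by default would help readers decide whether to turn them back on.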
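Review bot: in the ``rule-lua-scripting.rst`` hunk, the note points readers to "the ``security.lua`` section of ``suricata.yaml``" in plain text instead of linking the ``suricata-yaml-config-hardening`` label this same patch adds. The ``upgrade.rst`` hunk already uses ``:ref:`suricata-yaml-config-hardening```, so the note should do the same for consistency and so the link survives if the section moves. Minor style point: "Lua is disabled by default for use in rules, it must be enabled" is a comma splice and reads better as two sentences. The note also says "enable ``allow-rules``" without giving the value to set.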
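Review bot: in the ``upgrade.rst`` hunk, "Lua rules have been disabled." reads as if the feature was removed, while the other two hunks say "disabled by default". Suggest "Lua rules are now disabled by default" so that operators who depend on Lua rules understand this is a changed default they can revert, and that existing Lua rules will stop working after the upgrade until ``allow-rules`` is enabled. The heading "Upgrading to 6.0.13" also departs from the "Upgrading from 6.0.4 to 6.0.5" pattern of the section that follows it in the context lines.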