Suricata lua (jit) script keyword

Posted on Sep 5, 2012

So Will started bugging me (again) on doing scripting from Suricata and I gave in. Just committed extremely immature, incomplete, experimental luajit scripting support.

What it does is that it adds a new keyword, “luajit”. There is one argument, a script name. That script is then loaded from your rules directory and ran against a packet. No flow, http or any of that right now, just packets.

Example rule: alert tcp any any -> any any (msg:"LUAJIT test"; luajit:test.lua; sid:1;)

This loads the script from /etc/suricata/rules/test.lua

The script has a “match” function that will return either 1 or 0. 1 for match, 0 for no match.

Example script:

[sourcecode] -- match string HTTP in packet payload function match(args) for k,v in pairs(args) do if tostring(k) == “payload” then a = tostring(v) if #a > 0 then if a:find(“HTTP”) then return 1 end end end end

return 0 end

return 0 -- eof [/sourcecode]

The fun thing is that it works, but the best joke is that on my box this simple script makes no performance impact at all.

Currently only “payload” and “packet” keys are available. More will follow, or not. This is research stuff, and if we run into some major obstacle we’ll remove it or change it completely. Until then, let me know how you feel about it :)

Oh yeah, to enable add: --with-libluajit-includes=/usr/include/luajit-2.0/ --with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/ To your ./configure line. Adapt for your distro.

Happy scripting! :)