Suricata luajit update

Posted on Sep 21, 2012

After an exciting week of meeting and working with the team around the RAID conference, time for another lua update.

The keyword supports an interesting set of buffers now:

- packet payload
- http.uri
- http.uri.raw
- http.request_line
- http.request_headers
- http.request_headers.raw
- http.request_cookie
- http.request_user_agent
- http.request_body
- http.response_headers
- http.response_headers.raw
- http.response_body
- http.response_cookie

The http keywords are now integrated into their respective inspection engines. This led to one important limitation for now: you can only inspect one such buffer per script.

For these HTTP buffers we also pass the inspection offset to the script. In the Lua script you can access it as follows:

[sourcecode language="lua"]
-- match() is called by Suricata with a table holding the requested buffer
function match(args)
    -- the buffer this script inspects, as a Lua string
    local a = tostring(args["http.request_headers.raw"])
    -- the inspection offset: where the preceding content match ended
    local o = args["offset"]

    -- everything in the buffer from the offset onwards
    local s = a:sub(o)
    print(s)

    -- 0 tells the inspection engine this script did not match
    return 0
end
[/sourcecode]

In a buffer “Mozilla/5.0” and a signature “content:Mozilla;”, “s” in the script will contain “/5.0”. At this moment there is no way yet to pass back an offset from the script to the inspection engine.
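As an added example (not code from the Suricata project or this post), here is a script that uses the offset the way the post describes: it looks only at the bytes after the content match and flags a "Mozilla" User-Agent whose version does not look like "/<digits>.". It assumes the offset semantics shown above (with buffer "Mozilla/5.0" and content:Mozilla;, a:sub(o) yields "/5.0"), and follows the Suricata convention that match() returns 1 for a match and 0 otherwise; the args tables at the bottom are constructed stand-ins for what Suricata passes, so the file runs under plain lua or luajit.

```lua
-- Added example, not Suricata's own code. Offset semantics follow the post:
-- buffer "Mozilla/5.0", content:Mozilla; -> a:sub(o) == "/5.0".
-- Return 1 = match, 0 = no match (Suricata lua convention).

-- Return the text after the content match, or nil if a buffer is missing.
local function tail_after_match(args)
    local buf = args["http.request_headers.raw"]
    local o = args["offset"]
    if buf == nil or o == nil then
        return nil
    end
    return tostring(buf):sub(o)
end

-- Pair this with a signature carrying content:Mozilla; so the offset
-- points just past "Mozilla". Match when what follows is not "/<digits>."
function match(args)
    local s = tail_after_match(args)
    if s == nil then
        return 0
    end
    -- a normal version tail, e.g. "/5.0": leave it alone
    if s:match("^/%d+%.") then
        return 0
    end
    -- anything else after "Mozilla" is what we want to alert on
    return 1
end

-- Offline check with constructed args tables (run outside Suricata).
local normal = match({ ["http.request_headers.raw"] = "Mozilla/5.0", ["offset"] = 8 })
local odd    = match({ ["http.request_headers.raw"] = "Mozilla/abc", ["offset"] = 8 })
assert(normal == 0, "expected no match for Mozilla/5.0")
assert(odd == 1, "expected a match for Mozilla/abc")
print("offline check passed")
```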

On the performance side things are looking good as well. At RAID Will Metcalf converted a set of 6 ETpro sigs to a single lua script. It resulted in better detection accuracy and better performance. That work is still private, but we’ll get some real world scripts public soon! :)

Update 10/4: this code is now available for testing in the new Suricata 1.4beta2 release!