6.42. Lua Scripting for Detection¶
Syntax:
lua:[!]<scriptfilename>;
The script filename will be appended to your default rules location.
The script has 2 parts, an init function and a match function. First, the init.
6.42.1. Init function¶
function init (args)
local needs = {}
needs["http.request_line"] = tostring(true)
return needs
end
The init function registers the buffer(s) that need inspection. Currently the following are available:
- packet -- entire packet, including headers
- payload -- packet payload (not stream)
- buffer -- the current sticky buffer
- stream
- dnp3
- dns.request
- dns.response
- dns.rrname
- ssh
- smtp
- tls
- http.uri
- http.uri.raw
- http.request_line
- http.request_headers
- http.request_headers.raw
- http.request_cookie
- http.request_user_agent
- http.request_body
- http.response_headers
- http.response_headers.raw
- http.response_body
- http.response_cookie
All the HTTP buffers have a limitation: only one can be inspected by a script at a time.
6.42.2. Match function¶
function match(args)
a = tostring(args["http.request_line"])
if #a > 0 then
if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then
return 1
end
end
return 0
end
The script can return 1 or 0. It should return 1 if the condition(s) it checks for match, 0 if not.
Entire script:
function init (args)
local needs = {}
needs["http.request_line"] = tostring(true)
return needs
end
function match(args)
a = tostring(args["http.request_line"])
if #a > 0 then
if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then
return 1
end
end
return 0
end
return 0
A comprehensive list of existing lua functions - with examples - can be found at Lua functions (some of them, however, work only for the lua-output functionality).