7.35. Lua Scripting

Note

Lua is disabled by default for use in rules, it must be enabled in the configuration file. See the security.lua section of suricata.yaml and enable allow-rules.

Syntax:

lua:[!]<scriptfilename>;

The script filename will be appended to your default rules location.

The script has 2 parts, an init function and a match function. First, the init.

7.35.1. Init function

function init (args)
    local needs = {}
    needs["http.request_line"] = tostring(true)
    return needs
end

The init function registers the buffer(s) that need inspection. Currently the following are available:

  • packet -- entire packet, including headers

  • payload -- packet payload (not stream)

  • buffer -- the current sticky buffer

  • http.uri

  • http.uri.raw

  • http.request_line

  • http.request_headers

  • http.request_headers.raw

  • http.request_cookie

  • http.request_user_agent

  • http.request_body

  • http.response_headers

  • http.response_headers.raw

  • http.response_body

  • http.response_cookie

All the HTTP buffers have a limitation: only one can be inspected by a script at a time.

7.35.2. Match function

function match(args)
    a = tostring(args["http.request_line"])
    if #a > 0 then
        if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then
            return 1
        end
    end

    return 0
end

The script can return 1 or 0. It should return 1 if the condition(s) it checks for match, 0 if not.

Entire script:

function init (args)
    local needs = {}
    needs["http.request_line"] = tostring(true)
    return needs
end

function match(args)
    a = tostring(args["http.request_line"])
    if #a > 0 then
        if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then
            return 1
        end
    end

    return 0
end

return 0