suricata/doc/userguide/rules/lua-detection.rst

.. _lua-detection:

Lua Scripting for Detection
===========================

.. note:: Lua is disabled by default for use in rules, it must be
          enabled in the configuration file. See the ``security.lua``
          section of ``suricata.yaml`` and enable ``allow-rules``.

Syntax:

::

  lua:[!]<scriptfilename>;

The script filename will be appended to your default rules location.

The script has 2 parts, an init function and a match function. First, the init.  
Additionally, the script will run in a limited sandbox by default.

Init function
-------------

.. code-block:: lua

  function init (args)
      local needs = {}
      needs["http.request_line"] = tostring(true)
      return needs
  end

The init function registers the buffer(s) that need
inspection. Currently the following are available:

* packet -- entire packet, including headers
* payload -- packet payload (not stream)
* buffer -- the current sticky buffer
* stream
* dnp3
* dns.request
* dns.response
* dns.rrname
* ssh
* smtp
* tls
* http.uri
* http.uri.raw
* http.request_line
* http.request_headers
* http.request_headers.raw
* http.request_cookie
* http.request_user_agent
* http.request_body
* http.response_headers
* http.response_headers.raw
* http.response_body
* http.response_cookie

All the HTTP buffers have a limitation: only one can be inspected by a
script at a time.

Match function
--------------

.. code-block:: lua

  function match(args)
      a = tostring(args["http.request_line"])
      if #a > 0 then
          if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then
              return 1
          end
      end

      return 0
  end

The script can return 1 or 0. It should return 1 if the condition(s)
it checks for match, 0 if not.

Entire script:

.. code-block:: lua

  function init (args)
      local needs = {}
      needs["http.request_line"] = tostring(true)
      return needs
  end

  function match(args)
      a = tostring(args["http.request_line"])
      if #a > 0 then
          if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then
              return 1
          end
      end

      return 0
  end

  return 0

Sandbox and Available functions
-------------------------------

By default, the maximum memory and lua instruction count per execution of a detection rule will be limited.  Additionally,
The following libraries and functions are blocked:
* package
* coroutine
* io
* os
* collectgarbage
* dofile
* getmetatable
* loadfile
* load
* pcall
* setmetatable
* xpcall
* string.rep

This behavior can be modified via the ``security.lua`` section of :ref:`suricata-yaml-lua-config`

.. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now.

A comprehensive list of existing lua functions -  with examples - can be found at :ref:`lua-functions` (some of them, however,
work only for the lua-output functionality).
userguide: rename pg Lua Scripting->Lua Detection Since we can have scripts for output _or_ detection, it seems more clear to rename this page to add more meaning 4 years ago			`.. _lua-detection:`
doc: add a lua support top level section Both output and signature are using lua. So lua functions should be displayed in a single section. 8 years ago
userguide: rename pg Lua Scripting->Lua Detection Since we can have scripts for output _or_ detection, it seems more clear to rename this page to add more meaning 4 years ago			`Lua Scripting for Detection`
			`===========================`
doc: rule lua scripting 10 years ago
doc/userguide: notes about Lua rules being disabled by default 2 years ago			`.. note:: Lua is disabled by default for use in rules, it must be`
			enabled in the configuration file. See the ``security.lua``
			section of ``suricata.yaml`` and enable ``allow-rules``.

doc: rule lua scripting 10 years ago			`Syntax:`

			`::`

doc: fix lua keyword name 9 years ago			`lua:[!]<scriptfilename>;`
doc: rule lua scripting 10 years ago
			`The script filename will be appended to your default rules location.`

doc: Initial doc for lua sandbox 1 year ago			`The script has 2 parts, an init function and a match function. First, the init.`
			`Additionally, the script will run in a limited sandbox by default.`
doc: rule lua scripting 10 years ago
			`Init function`
			`-------------`

			`.. code-block:: lua`

			`function init (args)`
			`local needs = {}`
			`needs["http.request_line"] = tostring(true)`
			`return needs`
			`end`

			`The init function registers the buffer(s) that need`
			`inspection. Currently the following are available:`

			`* packet -- entire packet, including headers`
			`* payload -- packet payload (not stream)`
doc: add info about buffer usage in lua 6 years ago			`* buffer -- the current sticky buffer`
userguide: update buffers list for lua-scripting 4 years ago			`* stream`
			`* dnp3`
			`* dns.request`
			`* dns.response`
			`* dns.rrname`
			`* ssh`
			`* smtp`
			`* tls`
doc: rule lua scripting 10 years ago			`* http.uri`
			`* http.uri.raw`
			`* http.request_line`
			`* http.request_headers`
			`* http.request_headers.raw`
			`* http.request_cookie`
			`* http.request_user_agent`
			`* http.request_body`
			`* http.response_headers`
			`* http.response_headers.raw`
			`* http.response_body`
			`* http.response_cookie`

			`All the HTTP buffers have a limitation: only one can be inspected by a`
			`script at a time.`

			`Match function`
			`--------------`

			`.. code-block:: lua`

			`function match(args)`
			`a = tostring(args["http.request_line"])`
			`if #a > 0 then`
			`if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then`
			`return 1`
			`end`
			`end`

			`return 0`
			`end`

			`The script can return 1 or 0. It should return 1 if the condition(s)`
			`it checks for match, 0 if not.`

			`Entire script:`

			`.. code-block:: lua`

			`function init (args)`
			`local needs = {}`
			`needs["http.request_line"] = tostring(true)`
			`return needs`
			`end`

			`function match(args)`
			`a = tostring(args["http.request_line"])`
			`if #a > 0 then`
			`if a:find("^POST%s+/.*%.php%s+HTTP/1.0$") then`
			`return 1`
			`end`
			`end`

			`return 0`
			`end`

			`return 0`
userguide/lua: add explanation about `need` diffs The differences on how the `need` key works, depending on script usage (output or detection) confuses users, sometimes (cf doc#4725). While we don't fix that, just explain this behavior. 4 years ago
doc: Initial doc for lua sandbox 1 year ago			`Sandbox and Available functions`
			`-------------------------------`

			`By default, the maximum memory and lua instruction count per execution of a detection rule will be limited. Additionally,`
			`The following libraries and functions are blocked:`
			`* package`
			`* coroutine`
			`* io`
			`* os`
			`* collectgarbage`
			`* dofile`
			`* getmetatable`
			`* loadfile`
			`* load`
			`* pcall`
			`* setmetatable`
			`* xpcall`
			`* string.rep`

			This behavior can be modified via the ``security.lua`` section of :ref:`suricata-yaml-lua-config`

			`.. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now.`

userguide/lua: add explanation about `need` diffs The differences on how the `need` key works, depending on script usage (output or detection) confuses users, sometimes (cf doc#4725). While we don't fix that, just explain this behavior. 4 years ago			A comprehensive list of existing lua functions - with examples - can be found at :ref:`lua-functions` (some of them, however,
			`work only for the lua-output functionality).`