|
|
|
@ -15,7 +15,9 @@ Syntax:
|
|
|
|
|
|
|
|
|
|
|
|
The script filename will be appended to your default rules location.
|
|
|
|
The script filename will be appended to your default rules location.
|
|
|
|
|
|
|
|
|
|
|
|
The script has 2 parts, an init function and a match function. First, the init.
|
|
|
|
A Lua rule script has 2 required functions, an ``init`` function and
|
|
|
|
|
|
|
|
``match`` function, discussed below.
|
|
|
|
|
|
|
|
|
|
|
|
Additionally, the script will run in a limited sandbox by default.
|
|
|
|
Additionally, the script will run in a limited sandbox by default.
|
|
|
|
|
|
|
|
|
|
|
|
Init function
|
|
|
|
Init function
|
|
|
|
@ -104,25 +106,42 @@ Entire script:
|
|
|
|
Sandbox and Available functions
|
|
|
|
Sandbox and Available functions
|
|
|
|
-------------------------------
|
|
|
|
-------------------------------
|
|
|
|
|
|
|
|
|
|
|
|
By default, the maximum memory and lua instruction count per execution of a detection rule will be limited. Additionally,
|
|
|
|
Lua rule scripts are run in a sandbox environment the applies the
|
|
|
|
The following libraries and functions are blocked:
|
|
|
|
following restrictions:
|
|
|
|
* package
|
|
|
|
|
|
|
|
|
|
|
|
* reduced libraries
|
|
|
|
|
|
|
|
* only allowed functions available
|
|
|
|
|
|
|
|
* instruction count limit
|
|
|
|
|
|
|
|
* memory allocation limit
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The following table lists the library and functions available:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
================== =================================================================
|
|
|
|
|
|
|
|
Package Name Functions
|
|
|
|
|
|
|
|
================== =================================================================
|
|
|
|
|
|
|
|
base assert, ipairs, next, pairs, print, rawequal, rawlen, select,
|
|
|
|
|
|
|
|
tonumber, tostring, type, warn, rawget, rawset, error
|
|
|
|
|
|
|
|
table concat, insert, move, pack, remove, sort, unpack
|
|
|
|
|
|
|
|
string byte, char, dump, find, format, gmatch, gsub, len, lower, match,
|
|
|
|
|
|
|
|
pack, packsize, rep, reverse, sub, unpack, upper
|
|
|
|
|
|
|
|
math abs, acos, asin, atan, atan2, ceil, cos, cosh, deg, exp, floor,
|
|
|
|
|
|
|
|
fmod, frexp, ldexp, log, log10, max, min, modf, pow, rad, random,
|
|
|
|
|
|
|
|
randomseed, sin, sinh, sqrt, tan, tanh, tointeger, type, ult
|
|
|
|
|
|
|
|
utf8 offset, len, codes, char, codepoint
|
|
|
|
|
|
|
|
================== =================================================================
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Of note, the following standard libraries are not available:
|
|
|
|
|
|
|
|
|
|
|
|
* coroutine
|
|
|
|
* coroutine
|
|
|
|
* io
|
|
|
|
* package
|
|
|
|
* os
|
|
|
|
* input and output
|
|
|
|
* collectgarbage
|
|
|
|
* operating system facilities
|
|
|
|
* dofile
|
|
|
|
* debug
|
|
|
|
* getmetatable
|
|
|
|
|
|
|
|
* loadfile
|
|
|
|
|
|
|
|
* load
|
|
|
|
|
|
|
|
* pcall
|
|
|
|
|
|
|
|
* setmetatable
|
|
|
|
|
|
|
|
* xpcall
|
|
|
|
|
|
|
|
* string.rep
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This behavior can be modified via the ``security.lua`` section of :ref:`suricata-yaml-lua-config`
|
|
|
|
This behavior can be modified via the ``security.lua`` section of :ref:`suricata-yaml-lua-config`
|
|
|
|
|
|
|
|
|
|
|
|
.. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now.
|
|
|
|
.. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now.
|
|
|
|
|
|
|
|
|
|
|
|
A comprehensive list of existing lua functions - with examples - can be found at :ref:`lua-functions` (some of them, however,
|
|
|
|
A comprehensive list of existing lua functions - with examples - can
|
|
|
|
work only for the lua-output functionality).
|
|
|
|
be found at :ref:`lua-functions` (some of them, however, work only for
|
|
|
|
|
|
|
|
the lua-output functionality).
|
|
|
|
|
Jason Ish
1 year ago