path: root/doc/userguide/lua
diff options
Diffstat (limited to '')
3 files changed, 1141 insertions, 0 deletions
diff --git a/doc/userguide/lua/index.rst b/doc/userguide/lua/index.rst
new file mode 100644
index 0000000..d6bbf70
--- /dev/null
+++ b/doc/userguide/lua/index.rst
@@ -0,0 +1,7 @@
+Lua support
+.. toctree::
+ lua-usage
+ lua-functions
diff --git a/doc/userguide/lua/lua-functions.rst b/doc/userguide/lua/lua-functions.rst
new file mode 100644
index 0000000..92473d5
--- /dev/null
+++ b/doc/userguide/lua/lua-functions.rst
@@ -0,0 +1,1114 @@
+.. _lua-functions:
+Lua functions
+Differences between `output` and `detect`:
+Currently, the ``needs`` key initialization varies, depending on what is the goal of the script: output or detection.
+If the script is for detection, the ``needs`` initialization should be as seen in the example below (see :ref:`lua-detection` for a complete example of a detection script):
+ function init (args)
+ local needs = {}
+ needs["packet"] = tostring(true)
+ return needs
+ end
+For output logs, follow the pattern below. (The complete script structure can be seen at :ref:`lua-output`:)
+ function init (args)
+ local needs = {}
+ needs["protocol"] = "http"
+ return needs
+ end
+Do notice that the functions and protocols available for ``log`` and ``match`` may also vary. DNP3, for instance, is not
+available for logging.
+Initialize with:
+ function init (args)
+ local needs = {}
+ needs["type"] = "packet"
+ return needs
+ end
+Get packets timestamp as 2 numbers: seconds & microseconds elapsed since
+1970-01-01 00:00:00 UTC.
+ function log(args)
+ local sec, usec = SCPacketTimestamp()
+ end
+Use ``SCPacketTimeString`` to get the packet's time string in the format:
+ function log(args)
+ ts = SCPacketTimeString()
+ ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
+ p = SCPacketPayload()
+ function init (args)
+ local needs = {}
+ needs["type"] = "flow"
+ return needs
+ end
+Get timestamps (seconds and microseconds) of the first and the last packet from
+the flow.
+ startts, lastts = SCFlowTimestamps()
+ startts_s, lastts_s, startts_us, lastts_us = SCFlowTimestamps()
+ startts = SCFlowTimeString()
+ ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+Get alproto as a string from the flow. If a alproto is not (yet) known, it
+returns "unknown".
+ function log(args)
+ alproto = SCFlowAppLayerProto()
+ if alproto ~= nil then
+ print (alproto)
+ end
+ end
+Returns 5 values: <alproto> <alproto_ts> <alproto_tc> <alproto_orig> <alproto_expect>
+Orig and expect are used when changing and upgrading protocols. In a SMTP STARTTLS
+case, orig would normally be set to "smtp" and expect to "tls".
+Returns true if flow has alerts.
+ function log(args)
+ has_alerts = SCFlowHasAlerts()
+ if has_alerts then
+ -- do something
+ end
+ end
+Gets the packet and byte counts per flow.
+ tscnt, tsbytes, tccnt, tcbytes = SCFlowStats()
+Gets the flow id.
+ id = SCFlowId()
+Note that simply printing 'id' will likely result in printing a scientific
+notation. To avoid that, simply do:
+ id = SCFlowId()
+ idstr = string.format("%.0f",id)
+ print ("Flow ID: " .. idstr .. "\n")
+For output, init with:
+ function init (args)
+ local needs = {}
+ needs["protocol"] = "http"
+ return needs
+ end
+For detection, use the specific buffer (cf :ref:`lua-detection` for a complete list), as with:
+ function init (args)
+ local needs = {}
+ needs["http.uri"] = tostring(true)
+ return needs
+ end
+HttpGetRequestBody and HttpGetResponseBody.
+Make normalized body data available to the script through
+HttpGetRequestBody and HttpGetResponseBody.
+There no guarantees that all of the body will be available.
+ function log(args)
+ a, o, e = HttpGetResponseBody();
+ --print("offset " .. o .. " end " .. e)
+ for n, v in ipairs(a) do
+ print(v)
+ end
+ end
+Get the host from libhtp's tx->request_hostname, which can either be
+the host portion of the url or the host portion of the Host header.
+ http_host = HttpGetRequestHost()
+ if http_host == nil then
+ http_host = "<hostname unknown>"
+ end
+ http_ua = HttpGetRequestHeader("User-Agent")
+ if http_ua == nil then
+ http_ua = "<useragent unknown>"
+ end
+ server = HttpGetResponseHeader("Server");
+ print ("Server: " .. server);
+ rl = HttpGetRequestLine();
+ print ("Request Line: " .. rl);
+ rsl = HttpGetResponseLine();
+ print ("Response Line: " .. rsl);
+ rh = HttpGetRawRequestHeaders();
+ print ("Raw Request Headers: " .. rh);
+ rh = HttpGetRawResponseHeaders();
+ print ("Raw Response Headers: " .. rh);
+ http_uri = HttpGetRequestUriRaw()
+ if http_uri == nil then
+ http_uri = "<unknown>"
+ end
+ http_uri = HttpGetRequestUriNormalized()
+ if http_uri == nil then
+ http_uri = "<unknown>"
+ end
+ a = HttpGetRequestHeaders();
+ for n, v in pairs(a) do
+ print(n,v)
+ end
+ a = HttpGetResponseHeaders();
+ for n, v in pairs(a) do
+ print(n,v)
+ end
+If your purpose is to create a logging script, initialize the buffer as:
+ function init (args)
+ local needs = {}
+ needs["protocol"] = "dns"
+ return needs
+ end
+If you are going to use the script for rule matching, choose one of the available DNS buffers listed in
+:ref:`lua-detection` and follow the pattern:
+ function init (args)
+ local needs = {}
+ needs["dns.rrname"] = tostring(true)
+ return needs
+ end
+ dns_query = DnsGetQueries();
+ if dns_query ~= nil then
+ for n, t in pairs(dns_query) do
+ rrname = t["rrname"]
+ rrtype = t["type"]
+ print ("QUERY: " .. ts .. " " .. rrname .. " [**] " .. rrtype .. " [**] " ..
+ "TODO" .. " [**] " .. srcip .. ":" .. sp .. " -> " ..
+ dstip .. ":" .. dp)
+ end
+ end
+returns a table of tables
+ dns_answers = DnsGetAnswers();
+ if dns_answers ~= nil then
+ for n, t in pairs(dns_answers) do
+ rrname = t["rrname"]
+ rrtype = t["type"]
+ ttl = t["ttl"]
+ print ("ANSWER: " .. ts .. " " .. rrname .. " [**] " .. rrtype .. " [**] " ..
+ ttl .. " [**] " .. srcip .. ":" .. sp .. " -> " ..
+ dstip .. ":" .. dp)
+ end
+ end
+returns a table of tables
+ dns_auth = DnsGetAuthorities();
+ if dns_auth ~= nil then
+ for n, t in pairs(dns_auth) do
+ rrname = t["rrname"]
+ rrtype = t["type"]
+ ttl = t["ttl"]
+ print ("AUTHORITY: " .. ts .. " " .. rrname .. " [**] " .. rrtype .. " [**] " ..
+ ttl .. " [**] " .. srcip .. ":" .. sp .. " -> " ..
+ dstip .. ":" .. dp)
+ end
+ end
+returns a table of tables
+ rcode = DnsGetRcode();
+ if rcode == nil then
+ return 0
+ end
+ print (rcode)
+returns a lua string with the error message, or nil
+ if DnsGetRecursionDesired() == true then
+ end
+returns a bool
+For log output, initialize with:
+ function init (args)
+ local needs = {}
+ needs["protocol"] = "tls"
+ return needs
+ end
+For detection, initialization is as follows:
+ function init (args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+ end
+Get the negotiated version in a TLS session as a string through TlsGetVersion.
+ function log (args)
+ version = TlsGetVersion()
+ if version then
+ -- do something
+ end
+ end
+Make certificate information available to the script through TlsGetCertInfo.
+ function log (args)
+ version, subject, issuer, fingerprint = TlsGetCertInfo()
+ if version == nil then
+ return 0
+ end
+ end
+Make certificate chain available to the script through TlsGetCertChain.
+The output is an array of certificate with each certificate being an hash
+with `data` and `length` keys.
+ -- Use debian lua-luaossl coming from
+ local x509 = require"openssl.x509"
+ chain = TlsGetCertChain()
+ for k, v in pairs(chain) do
+ -- v.length is length of data
+ -- is raw binary data of certificate
+ cert =["data"], "DER")
+ print(cert:text() .. "\n")
+ end
+Get the Unix timestamp of end of validity of certificate.
+ function log (args)
+ notafter = TlsGetCertNotAfter()
+ if notafter < os.time() then
+ -- expired certificate
+ end
+ end
+Get the Unix timestamp of beginning of validity of certificate.
+ function log (args)
+ notbefore = TlsGetCertNotBefore()
+ if notbefore > os.time() then
+ -- not yet valid certificate
+ end
+ end
+Get TLS certificate serial number through TlsGetCertSerial.
+ function log (args)
+ serial = TlsGetCertSerial()
+ if serial then
+ -- do something
+ end
+ end
+Get the Server name Indication from a TLS connection.
+ function log (args)
+ asked_domain = TlsGetSNI()
+ if string.find(asked_domain, "badguys") then
+ -- ok connection to bad guys let's do something
+ end
+ end
+JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
+For log output, initialize with:
+ function init (args)
+ local needs = {}
+ needs["protocol"] = "tls"
+ return needs
+ end
+For detection, initialization is as follows:
+ function init (args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+ end
+Get the JA3 hash (md5sum of JA3 string) through Ja3GetHash.
+ function log (args)
+ hash = Ja3GetHash()
+ if hash == nil then
+ return
+ end
+ end
+Get the JA3 string through Ja3GetString.
+ function log (args)
+ str = Ja3GetString()
+ if str == nil then
+ return
+ end
+ end
+Get the JA3S hash (md5sum of JA3S string) through JA3SGetHash.
+ function log (args)
+ hash = Ja3SGetHash()
+ if hash == nil then
+ return
+ end
+ end
+Or, for detection:
+ function match (args)
+ hash = Ja3SGetHash()
+ if hash == nil then
+ return 0
+ end
+ // matching code
+ return 0
+ end
+Get the JA3S string through Ja3SGetString.
+ function log (args)
+ str = Ja3SGetString()
+ if str == nil then
+ return
+ end
+ end
+Or, for detection:
+ function match (args)
+ str = Ja3SGetString()
+ if str == nil then
+ return 0
+ end
+ // matching code
+ return 0
+ end
+Initialize with:
+ function init (args)
+ local needs = {}
+ needs["protocol"] = "ssh"
+ return needs
+ end
+Get SSH protocol version used by the server through SshGetServerProtoVersion.
+ function log (args)
+ version = SshGetServerProtoVersion()
+ if version == nil then
+ return 0
+ end
+ end
+Get SSH software used by the server through SshGetServerSoftwareVersion.
+ function log (args)
+ software = SshGetServerSoftwareVersion()
+ if software == nil then
+ return 0
+ end
+ end
+Get SSH protocol version used by the client through SshGetClientProtoVersion.
+ function log (args)
+ version = SshGetClientProtoVersion()
+ if version == nil then
+ return 0
+ end
+ end
+Get SSH software used by the client through SshGetClientSoftwareVersion.
+ function log (args)
+ software = SshGetClientSoftwareVersion()
+ if software == nil then
+ return 0
+ end
+ end
+Get MD5 of hassh algorithms used by the client through HasshGet.
+ function log (args)
+ hassh = HasshGet()
+ if hassh == nil then
+ return 0
+ end
+ end
+Get hassh algorithms used by the client through HasshGetString.
+ function log (args)
+ hassh_string = HasshGetString()
+ if hassh == nil then
+ return 0
+ end
+ end
+Get MD5 of hassh algorithms used by the server through HasshServerGet.
+ function log (args)
+ hassh_string = HasshServerGet()
+ if hassh == nil then
+ return 0
+ end
+ end
+Get hassh algorithms used by the server through HasshServerGetString.
+ function log (args)
+ hassh_string = HasshServerGetString()
+ if hassh == nil then
+ return 0
+ end
+ end
+To use the file logging API, the script's init() function needs to look like:
+ function init (args)
+ local needs = {}
+ needs['type'] = 'file'
+ return needs
+ end
+ fileid, txid, name, size, magic, md5, sha1, sha256 = SCFileInfo()
+returns fileid (number), txid (number), name (string), size (number),
+magic (string), md5 in hex (string), sha1 (string), sha256 (string)
+ state, stored = SCFileState()
+returns state (string), stored (bool)
+Alerts are a subset of the 'packet' logger:
+ function init (args)
+ local needs = {}
+ needs["type"] = "packet"
+ needs["filter"] = "alerts"
+ return needs
+ end
+ sid, rev, gid = SCRuleIds()
+ action = SCRuleAction()
+returns one of 'pass', 'reject', 'drop' or 'alert'
+ msg = SCRuleMsg()
+ class, prio = SCRuleClass()
+Streaming Data
+Streaming data can currently log out reassembled TCP data and
+normalized HTTP data. The script will be invoked for each consecutive
+data chunk.
+In case of TCP reassembled data, all possible overlaps are removed
+according to the host OS settings.
+ function init (args)
+ local needs = {}
+ needs["type"] = "streaming"
+ needs["filter"] = "tcp"
+ return needs
+ end
+In case of HTTP body data, the bodies are unzipped and dechunked if applicable.
+ function init (args)
+ local needs = {}
+ needs["type"] = "streaming"
+ needs["protocol"] = "http"
+ return needs
+ end
+ function log(args)
+ -- sb_ts and sb_tc are bools indicating the direction of the data
+ data, sb_open, sb_close, sb_ts, sb_tc = SCStreamingBuffer()
+ if sb_ts then
+ print("->")
+ else
+ print("<-")
+ end
+ hex_dump(data)
+ end
+Flow variables
+It is possible to access, define and modify Flow variables from Lua. To do so,
+you must use the functions described in this section and declare the counter in
+init function:
+ function init(args)
+ local needs = {}
+ needs["tls"] tostring(true)
+ needs["flowint"] = {"tls-cnt"}
+ return needs
+ end
+Here we define a `tls-cnt` Flowint that can now be used in output or in a
+signature via dedicated functions. The access to the Flow variable is done by
+index so in our case we need to use 0.
+ function match(args)
+ a = SCFlowintGet(0);
+ if a then
+ SCFlowintSet(0, a + 1)
+ else
+ SCFlowintSet(0, 1)
+ end
+Get the Flowint at index given by the parameter.
+Set the Flowint at index given by the first parameter. The second parameter is the value.
+Increment Flowint at index given by the first parameter.
+Decrement Flowint at index given by the first parameter.
+Get the Flowvar at index given by the parameter.
+Set a Flowvar. First parameter is the index, second is the data
+and third is the length of data.
+You can use it to set string
+ function init (args)
+ local needs = {}
+ needs["http.request_headers"] = tostring(true)
+ needs["flowvar"] = {"cnt"}
+ return needs
+ end
+ function match(args)
+ a = SCFlowvarGet(0);
+ if a then
+ a = tostring(tonumber(a)+1)
+ SCFlowvarSet(0, a, #a)
+ else
+ a = tostring(1)
+ SCFlowvarSet(0, a, #a)
+ end
+ tid, tname, tgroup = SCThreadInfo()
+It gives: tid (integer), tname (string), tgroup (string)
+SCLogError, SCLogWarning, SCLogNotice, SCLogInfo, SCLogDebug
+Print a message. It will go into the outputs defined in the
+yaml. Whether it will be printed depends on the log level.
+ SCLogError("some error message")
+Expose the log path.
+ name = "fast_lua.log"
+ function setup (args)
+ filename = SCLogPath() .. "/" .. name
+ file = assert(, "a"))
+ end
+Get the ByteVar at index given by the parameter. These variables are defined by
+`byte_extract` or `byte_math` in Suricata rules. Only callable from match scripts.
+ function init(args)
+ local needs = {}
+ needs["bytevar"] = {"var1", "var2"}
+ return needs
+ end
+Here we define a register that we will be using variables `var1` and `var2`.
+The access to the Byte variables is done by index.
+ function match(args)
+ var1 = SCByteVarGet(0)
+ var2 = SCByteVarGet(1)
diff --git a/doc/userguide/lua/lua-usage.rst b/doc/userguide/lua/lua-usage.rst
new file mode 100644
index 0000000..19946db
--- /dev/null
+++ b/doc/userguide/lua/lua-usage.rst
@@ -0,0 +1,20 @@
+Lua usage in Suricata
+Lua scripting can be used in two components of Suricata. The first is in
+output and the second one in rules in the detection engine.
+Both features are using a list of functions to access the data extracted by
+Suricata. You can get the list of functions in the :ref:`lua-functions` page.
+.. note:: Currently, there is a difference in the ``needs`` key in the ``init`` function, depending on what is the usage: ``output`` or ``detection``. The list of available functions may also differ.
+Lua output
+Lua can be used to write arbitrary output. See :ref:`lua-output` for more information.
+Lua detection
+Lua script can be used as a filter condition in signatures. See :ref:`lua-detection` for more information.