Can you get the source IP and the HTTP URI at the same time in Lua?

Joseph_Wills · July 15, 2021, 6:46pm

Is there a way to get a lua script that has access both to the srcip of a packet and http information like the uri?

satta · July 20, 2021, 11:27am

I think so. You can get the HTTP information by e.g. requiring needs, e.g.

needs["http.uri"] = tostring(true)

(see 6.36. Lua Scripting — Suricata 7.0.0-dev documentation)

and the IPs via the flow or packet tuple:

ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()

(see 16.2. Lua functions — Suricata 7.0.0-dev documentation)

Example:

function init (args)
    local needs = {}
    needs["http.uri"] = tostring(true)
    return needs
end

function match(args)
    ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    SCLogNotice(srcip .. "  " .. args["http.uri"])
    return 0
end

Topic		Replies	Views
Using packet buffer in Lua Rules	14	1443	April 4, 2023
Lua scripting and getting the IP address Rules	1	912	February 15, 2021
Cannot get srcip from the packet buffer in LUA detection script Rules ips , lua	1	288	April 4, 2023
How to extract specified tcp payload with suricata lua scripting？ Help	0	455	September 13, 2021
Suricata has a data corruption problem Help suricata	5	407	January 5, 2023

Can you get the source IP and the HTTP URI at the same time in Lua?

Related topics