Hi,
I have suricata running in IPS mode. I’m trying to read the packet buffer to get the srcip value in the match function. I wrote the following Lua script to test the functionality:
```lua
function init (args)
    local needs = {}
    needs["packet"] = tostring(true)
    needs["tls"] = tostring(true)
    return needs
end

function match(args)
    ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
    SCLogWarning(srcip)
    return 0
end
```
But the script gives me the following error message:
[125383 - W#03] 2023-04-04 17:32:11 Warning: lua-common: internal error: no packet
Lua script rule line:
reject tls any any -> $EXTERNAL_NET 443 (msg:"mac:a4:83:e7:4f:e4:5d DENY HTTPS"; lua:hd.lua; sid:10000; rev:1;)
Suricata version:
7.0.0-rc1 RELEASE
Suricata startup command:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0 -D -vvv
BTW suricata is working perfectly fine when I add a non-lua tls rule like this:
reject tls 192.168.1.100 any -> $EXTERNAL_NET any (msg:"DENY HTTPS"; tls.sni; dotprefix; content:"youtube.com"; nocase; endswith; sid:10000; rev:1;)
Any idea what could be the problem? Or what should I do to get the srcip inside the match function?
I’d be grateful for your help.
Thanks.
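An added example (not the poster's script) of the variant worth trying here: keep only the `tls` need and read the addresses from the flow with `SCFlowTuple()`. It assumes that a script registered for `tls` is evaluated in the TLS app-layer context, where no packet is attached to the Lua state (hence "no packet" from `SCPacketTuple()`) but the flow is, and that the rule keeps the same `lua:hd.lua` reference; the 192.168.1.100 check is a constructed stand-in for the poster's own policy.

```lua
-- Added example for discussion, not the poster's script.
-- Assumption: with needs["tls"] set, Suricata runs match() in the TLS
-- app-layer context, which carries the flow but no packet, so
-- SCPacketTuple() fails while SCFlowTuple() (Suricata's documented
-- Lua API) returns the same ipver/src/dst/proto/ports tuple.
function init(args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

function match(args)
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    if srcip == nil then
        -- no flow attached: log it and do not match
        SCLogWarning("no flow tuple available in match()")
        return 0
    end

    -- defender-side logging of the TLS flow the rule is evaluating
    SCLogNotice(string.format("tls flow %s:%s -> %s:%s (ipver %s proto %s)",
        srcip, tostring(sp), dstip, tostring(dp),
        tostring(ipver), tostring(proto)))

    -- constructed policy check: match only when the client is this host,
    -- so the rule's reject action applies to that client's HTTPS sessions
    if srcip == "192.168.1.100" then
        return 1
    end
    return 0
end
```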