Cannot get srcip from the packet buffer in LUA detection script

Hi,

I have Suricata running in IPS mode. I’m trying to read the packet buffer to get the srcip value in the match function. I wrote the following Lua script to test the functionality:

function init (args)
    local needs = {}
    needs["packet"] = tostring(true)
    needs["tls"] = tostring(true)
    return needs
end

function match(args)
    ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
    SCLogWarning(srcip)
    return 0
end

But the script gives me the following error message:

[125383 - W#03] 2023-04-04 17:32:11 Warning: lua-common: internal error: no packet

Lua script rule line:

reject tls any any -> $EXTERNAL_NET 443 (msg:"mac:a4:83:e7:4f:e4:5d DENY HTTPS"; lua:hd.lua; sid:10000; rev:1;)

Suricata version:

7.0.0-rc1 RELEASE

Suricata startup command:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0 -D -vvv

BTW, Suricata is working perfectly fine when I add a non-Lua tls rule like this:

reject tls 192.168.1.100 any -> $EXTERNAL_NET any (msg:"DENY HTTPS"; tls.sni; dotprefix; content:"youtube.com"; nocase; endswith; sid:10000; rev:1;)

Any idea what could be the problem? Or what should I do to get the srcip inside the match function?

I’d be grateful for your help.
Thanks.

Turns out I should have used SCFlowTuple instead of SCPacketTuple:

function init (args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

function match(args)
    -- Read the 5-tuple from the flow; locals keep the values out of the global table
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    SCLogWarning(srcip)
    return 0
end
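
Building on the fix above, an added example (not part of the original thread) that uses the source address returned by SCFlowTuple to decide whether the rule matches, instead of only logging it. The names WATCHED, ipv4_to_num and in_cidr are hypothetical, and the network list is constructed sample data (192.168.1.100 is the client address from the non-Lua rule in the question).

```lua
-- Added example: match only when the flow's source address is in a watched IPv4 range.
-- WATCHED is a constructed sample list; replace it with your own networks.
local WATCHED = { "192.168.1.100/32", "10.20.0.0/16" }

-- Convert dotted-quad IPv4 text to a number, or nil if it is not valid IPv4.
local function ipv4_to_num(ip)
    local a, b, c, d = tostring(ip):match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not a then return nil end
    a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
    if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
    return ((a * 256 + b) * 256 + c) * 256 + d
end

-- True when ip falls inside cidr ("a.b.c.d/len"). Lua 5.1 has no bit operators,
-- so the prefix comparison is done with integer division.
local function in_cidr(ip, cidr)
    local net, len = cidr:match("^(.-)/(%d+)$")
    local ipn, netn = ipv4_to_num(ip), ipv4_to_num(net or "")
    len = tonumber(len or "")
    if not ipn or not netn or not len or len > 32 then return false end
    local block = 2 ^ (32 - len)
    return math.floor(ipn / block) == math.floor(netn / block)
end

function init (args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

function match(args)
    local _, srcip = SCFlowTuple()
    -- A missing tuple or a non-IPv4 source never matches in this example.
    if not srcip then return 0 end
    for _, cidr in ipairs(WATCHED) do
        if in_cidr(srcip, cidr) then
            return 1  -- the rule matches, so its action (reject) is applied
        end
    end
    return 0
end
```

With this script the rule's `reject` action is applied only to TLS flows whose source is in WATCHED; all other flows return 0 and pass through the rule untouched.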