Lua Detection: key/value not recognized

Help
1

Please include the following information with your help request:

  • Suricata version
  • Operating system and/or Linux distribution
  • How you installed Suricata (from source, packages, something else)
    suricata version is 7.0.8
    OS: Ubuntu 20.04
    lua 5.3.3

installed suricata from source iirc.
I have lua enabled:

 546   # Lua Output Support - execute lua script to generate alert and event         
 547   # output.                                                                     
 548   # Documented at:                                                              
 549   # https://docs.suricata.io/en/latest/output/lua-output.html                   
 550   - lua:                                                                        
 551       enabled: yes                                                              
 552       scripts-dir: <directory where my lua script is>               
 553       scripts:                                                                  
 554           - check_empty_request_body.lua                                        
 555       #   - script1.lua                                                         
 556 
...
1214   lua:                                                                          
1215     # Allow Lua rules. Disabled by default.                                     
1216     allow-rules: true                                                           
1217
...
1776 # Luajit has a strange memory requirement, its 'states' need to be in the       
1777 # first 2G of the process' memory.                                              
1778 #                                                                               
1779 # 'luajit.states' is used to control how many states are preallocated.          
1780 # State use: per detect script: 1 per detect thread. Per output script: 1 per   
1781 # script.                                                                       
1782 luajit:                                                                         
1783     128
...

the script is just going to check if http.request_body is empty:

  1 function init (args)                                                            
  2     local needs = {}                                                            
  3     needs["http.request_body"] = tostring(true)                                 
  4     return needs                                                                
  5 end                                                                             
  6                                                                                 
  7 function match(args)                                                            
  8     a = tostring(args["http.request_body"])                                     
  9     if a == "" then                                                             
 10         return 1                                                                
 11     end                                                                         
 12     return 0                                                                    
 13 end                                                                             
 14                                                                                 
 15 return 0                                                                        
 16

the error i get:

i: suricata: This is Suricata version 7.0.8 RELEASE running in USER mode
E: output-lua: unknown key and/or value: k='http.request_body', v='true'
E: output-lua: couldn't initialize script
...
2

Does:

a, o, e = HttpGetRequestBody()

work? From: 18.2. Lua functions — Suricata 8.0.0-dev documentation

3

should this be added in the match function? Based on the error output I’m pretty sure the problem is stemming from the declaration of needs in the init function.

also tested this in match, and it is the same error

4

It’s a bit confusing, but there 2 ways to use lua scripts:

  1. from the rules, these use match functions
  2. from output, these use log functions

From what you shared above, you’re using output (loading the script from the yaml), but using a detection script.

1 Like
5

aha! I see! In the yaml I’ve configured one too many things. I didn’t need to specify the script for output, just the directory! Removing that has fixed the problem! Thanks so much! :slight_smile:

6

So to specify. All I had to do was change the yaml from:

 546   # Lua Output Support - execute lua script to generate alert and event         
 547   # output.                                                                     
 548   # Documented at:                                                              
 549   # https://docs.suricata.io/en/latest/output/lua-output.html                   
 550   - lua:                                                                        
 551       enabled: yes                                                              
 552       scripts-dir: <directory where my lua script is>               
 553       scripts:                                                                  
 554           - check_empty_request_body.lua                                        
 555       #   - script1.lua                                                         
 556

to

 546   # Lua Output Support - execute lua script to generate alert and event         
 547   # output.                                                                     
 548   # Documented at:                                                              
 549   # https://docs.suricata.io/en/latest/output/lua-output.html                   
 550   - lua:                                                                        
 551       enabled: yes                                                              
 552       scripts-dir: <directory where my lua script is>               
 553      #  scripts:                                                                  
 554       #    - check_empty_request_body.lua                                        
 555       #   - script1.lua                                                         
 556