Lua Scripting for Detection

Hello! I'm using an agent on Windows. In order to use Lua Scripting for Detection, do I have to add this?

Lua Output Support - execute lua script to generate alert and event output.

Documented at:

17.2. Lua Output — Suricata 7.0.2-dev documentation

  - lua:
      enabled: yes
      #scripts-dir: /etc/suricata/lua-output/
      scripts-dir: C:\Program Files\Suricata\rules
      scripts:
        - fast.lua


A few observations:

  • obviously, fast.lua needs to be part of the rules folder where Suricata runs
  • you may need quotes around the path of scripts-dir - not completely sure - I never used the Windows version.
  • the content of fast.lua matters.

To see if the script gets loaded/triggered properly (and for testing purposes only) you can add a Lua print statement at the beginning of each Lua function and generate some traffic.

I installed the fast.lua script in the Windows agent Suricata: https://github.com/OISF/suricata/blob/suricata-7.0.1/lua/fast.lua

Is Lua support enabled with your build? If you run "suricata --build-info", what do you see in the Lua sections?

Perhaps you can give advice on setting up? I use Wazuh along with Suricata.
C:\Suricata>suricata --build-info
Info: win32-service: Running as service: no
This is Suricata version 7.0.0 RELEASE
Features: PCAP_SET_BUFF HAVE_PACKET_FANOUT HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LIBJANSSON TLS TLS_C11 RUST
SIMD support: SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 12.2.0, C version 201112
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.45, linked against LibHTP v0.5.45

Suricata Configuration:
AF_PACKET support: no
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: no
Detection enabled: yes

Libmagic support: no
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: yes
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Hyperscan support: no
Libnet support: no
liblz4 support: yes
Landlock support: no

Rust support: yes
Rust strict mode: no
Rust compiler path: /mingw64/bin/rustc
Rust compiler version: rustc 1.68.2 (9eb3afe9e 2023-03-27) (Rev1, Built by MSYS2 project)
Cargo path: /mingw64/bin/cargo
Cargo version: cargo 1.68.2

Python support: yes
Python path: /mingw64/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes

Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no

Plugin support (experimental): no
DPDK Bond PMD: no

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no

Generic build parameters:
Installation prefix: /mingw64
Configuration directory: C:\Program Files\Suricata
Log directory: C:\Program Files\Suricata\log

--prefix /mingw64
--sysconfdir /mingw64/etc
--localstatedir /mingw64/var
--datarootdir /mingw64/share

Host: x86_64-w64-mingw32
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -DOS_WIN32 -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Based on your --build-info it appears to be compiled with lua support enabled.
Back to my previous suggestion, if you add a print statement to the lua script in the init function (before the return), does it display when you start suricata from a terminal?
something like

function init(args)
    -- needs is the table init() builds before returning it to Suricata
    print("lua script init called")
    return needs
end

I added print output
C:\Suricata>suricata.exe -c suricata.yaml -i 10.1.1.9
Info: win32-service: Running as service: no
Info: suricata: translated 10.1.1.9 to pcap device \Device\NPF_{1D308553-1669-45C0-A129-D054E7A74D59}
i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
E: output-lua: couldn't load file: C:\Program Files\Suricata\rules/fast.lua:19: unexpected symbol near '<\226>'
E: output-lua: couldn't initialize script
W: runmodes: output module “lua”: setup failed

-- This is a simple example script to show what you can do with lua output scripts.
-- It prints logs similar to the ones produced by the builtin fast.log output
-- facility to stdout, hence its name.

-- In the init() function we tell suricata that we want the log function to be
-- called for every packet that produces an alert (see needs variable)

-- Then in the log() function we get various information about this packet via
-- SCRuleMsg() and all the other API functions and print them to stdout with print()

-- To learn more about all the API functions suricata provides for your lua scripts
-- and the lua output extension in general see:
-- 17.2. Lua Output — Suricata 7.0.2-dev documentation

function init()
    local needs = {}
    needs["type"] = "packet"
    needs["filter"] = "alerts"
    print("lua script init called")
    return needs
end

function setup()
    alert_count = 0
end

function log()
    timestring = SCPacketTimeString()
    sid, rev, gid = SCRuleIds()
    msg = SCRuleMsg()
    class, priority = SCRuleClass()

    ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCPacketTuple()

    if class == nil then
        class = "unknown"
    end

    print (timestring .. "  [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
           msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
           priority .. "] {" .. protocol .. "} " ..
           src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)

    alert_count = alert_count + 1;

end

function deinit()
    print ("Alerted " .. alert_count .. " times");
end

I replaced the quotes and it worked
C:\Suricata>suricata.exe -c suricata.yaml -i 10.1.1.9
Info: win32-service: Running as service: no
Info: suricata: translated 10.1.1.9 to pcap device \Device\NPF_{1D308553-1669-45C0-A129-D054E7A74D59}
i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
lua script init called
E: detect: previous sticky buffer has no matches
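The load failure in this thread ("unexpected symbol near '<\226>'") is the classic symptom of a Lua script pasted from a web page: the forum rendered the straight quotes, "--" comment markers and ".." concatenation operators as curly quotes, en dashes and ellipsis characters, all of which start with byte 0xE2 (decimal 226) in UTF-8. The following pre-flight check, added here as an example and not part of the thread or of Suricata, scans a script for non-ASCII characters before Suricata ever loads it, reports each one with the same decimal byte value Lua prints, and can rewrite the usual offenders back to ASCII. The sample input is constructed from the deinit() function as it appeared in the post above; the mapping of dashes to "--" and of the ellipsis to ".." is an assumption about what the author originally typed.

```python
"""Pre-flight check for Suricata Lua output scripts copied from a web page.

Browsers and forum software often swap ASCII quotes, "--" and ".." for
typographic Unicode characters.  Lua rejects those at load time with
messages such as:

    output-lua: couldn't load file: .../fast.lua:19: unexpected symbol near '<\\226>'

226 is the decimal value of 0xE2, the first byte of the UTF-8 encoding of
the curly quotes, the en dash and the ellipsis.  This script reports every
non-ASCII character with the byte value Lua would print, and can rewrite
the usual offenders back to ASCII.
"""
import sys

# Typographic characters commonly substituted for Lua syntax, mapped back
# to ASCII.  Mapping dashes to "--" and the ellipsis to ".." is an
# assumption: it presumes the author originally typed a comment marker or
# the concatenation operator there, which is what copy-paste damage from a
# web page looks like in practice.
SMART_TO_ASCII = {
    "\u201c": '"',   # left double quotation mark
    "\u201d": '"',   # right double quotation mark
    "\u2018": "'",   # left single quotation mark
    "\u2019": "'",   # right single quotation mark
    "\u2013": "--",  # en dash
    "\u2014": "--",  # em dash
    "\u2026": "..",  # horizontal ellipsis
    "\u00a0": " ",   # no-break space
}


def find_non_ascii(data: bytes) -> list[tuple[int, int, int, str]]:
    """Return (line, column, first_byte, char) for every non-ASCII character.

    first_byte is the decimal value Lua prints inside '<\\NNN>'.  Bytes that
    are not valid UTF-8 are preserved via surrogateescape, so the reported
    byte value is always the one actually present in the file.
    """
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        text = raw.decode("utf-8", "surrogateescape")
        for col, ch in enumerate(text, start=1):
            if ord(ch) > 0x7F:
                first_byte = ch.encode("utf-8", "surrogateescape")[0]
                findings.append((lineno, col, first_byte, ch))
    return findings


def check_script(data: bytes) -> list[str]:
    """One human-readable diagnostic per offending character."""
    return [
        f"line {ln}, col {col}: non-ASCII {ch!r} (U+{ord(ch):04X}); "
        f"Lua would report it as '<\\{byte}>'"
        for ln, col, byte, ch in find_non_ascii(data)
    ]


def fix_smart_punctuation(text: str) -> str:
    """Rewrite only the characters in SMART_TO_ASCII.

    Anything else is left alone, so genuine non-ASCII content (for example a
    UTF-8 string literal) still shows up in check_script() afterwards for a
    human to look at rather than being silently mangled.
    """
    for smart, plain in SMART_TO_ASCII.items():
        text = text.replace(smart, plain)
    return text


# Constructed sample: the deinit() function as the forum rendered it, with
# curly quotes and a real ellipsis character where the author typed "..".
DAMAGED_DEINIT = (
    "function deinit()\n"
    "    print (\u201cAlerted \" \u2026 alert_count \u2026 \" times\u201d);\n"
    "end\n"
).encode("utf-8")


def main(argv: list[str]) -> int:
    """Usage: python lua_quote_check.py [--fix] [script.lua]

    Without a path the constructed sample is checked.  With --fix the
    repaired script is written to stdout instead of the diagnostics.
    """
    fix = "--fix" in argv
    paths = [a for a in argv if a != "--fix"]
    data = open(paths[0], "rb").read() if paths else DAMAGED_DEINIT
    if fix:
        repaired = fix_smart_punctuation(data.decode("utf-8", "surrogateescape"))
        sys.stdout.buffer.write(repaired.encode("utf-8", "surrogateescape"))
        return 0
    problems = check_script(data)
    print("\n".join(problems) if problems else "no non-ASCII characters found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the script in the scripts-dir before (re)starting Suricata, e.g. `python lua_quote_check.py "C:\Program Files\Suricata\rules\fast.lua"`; a non-zero exit code means Lua will refuse the file. Note that this only catches the encoding problem, not rule-loading errors such as the "previous sticky buffer has no matches" message above, which comes from the detection engine and is unrelated to the Lua output module.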