Hi, I upgraded my Suricata to the 8.0-beta1 release version.
# suricata --build-info
This is Suricata version 8.0.0-beta1 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 13.3.0, C version 201112
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v2.0.0
My detection rule using a Lua script no longer works. Error message:
E: detect-lua: data type http.request_body no longer supported, use rule hooks
E: detect: error parsing signature "alert http any any -> any any (msg:"suo5 tunnel"; flow:established; flowbits:isset,suo5_req; lua:./lua/suo5.lua; classtype:web-application-attack; sid:0101390; gid:1; priority:1; metadata:env production; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 128
Script content:
function init(args)
    -- Pre-8.0 style: ask the engine for the http.request_body buffer
    local needs = {}
    needs["http.request_body"] = tostring(true)
    return needs
end

function match(args)
    -- The requested buffer arrives in the args table
    local reqbody = tostring(args["http.request_body"])
    SCLogNotice("reqbody: " .. reqbody)
    return 0
end
After reading the 8.0.0-beta1 documentation, I changed the script to:
local http = require("suricata.http")

function init(args)
    -- 8.0 style: no buffers are requested; the transaction is fetched via the http lib
    local needs = {}
    return needs
end

function match(args)
    local tx = http.get_tx()
    -- No nil check: fails with "attempt to index a nil value" when get_tx() returns nil
    local http_request_body = tx:request_body()
    SCLogNotice("reqbody: " .. http_request_body)
    return 0
end
It still does not work, with this error message:
W: detect-lua: Lua script failed to run successfully: /var/lib/suricata/rules/./lua/suo5.lua:10: attempt to index a nil value (local 'tx')
Thank you for your report. It seems the docs could do a better job with error handling. It also seems incorrect for the docs to print a table value like that.
user@hostname:/var/log/suricata$ sudo suricata -r ~/suo5-php.pcap -k none
i: suricata: This is Suricata version 8.0.0-beta1 RELEASE running in USER mode
i: threads: Threads created -> RX: 1 W: 18 FM: 1 FR: 1 Engine started.
i: suricata: Signal Received. Stopping engine.
i: lua-common: err: error: no tx available
W: detect-lua: Lua script failed to run successfully: /var/lib/suricata/rules/./lua/suo5.lua:11: attempt to index a nil value (local 'tx')
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: pcap: read 1 file, 38 packets, 4702 bytes
user@hostname:/var/log/suricata$ cat /var/lib/suricata/rules/lua/suo5.lua
local http = require("suricata.http")

function init(args)
    -- Nothing to request: the transaction is obtained via http.get_tx()
    local needs = {}
    return needs
end

function match(args)
    local tx, err = http.get_tx()
    if tx == nil then
        -- No HTTP transaction available in this context; log and do not match
        SCLogNotice("err: " .. tostring(err))
        return 0
    end
    local http_response_body, berr = tx:response_body()
    if http_response_body == nil then
        SCLogNotice("err: " .. tostring(berr))
        return 0
    end
    SCLogNotice("body: " .. http_response_body)
    return 0
end
Sorry, after testing I found that the issue was with my suricata.rules configuration. The following rule successfully captures both HTTP request and response bodies:
alert http any any -> any any (msg:"suo5 tunnel"; flow:to_server,established; http.header.raw; content:"Content-Type|3a 20|application/plain"; nocase; flowbits:set,suo5_req; flowbits:noalert; lua:./lua/suo5.lua; classtype:web-application-attack; sid:0101389; gid:1; priority:1; metadata:env production; rev:1;)
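As an added example (not code from the thread or from the Suricata project), here is a complete 8.0-style Lua match script that goes one step beyond the logging scripts above: it fetches the transaction with the suricata.http functions shown in this thread (http.get_tx, tx:request_body, tx:response_body), guards against a nil transaction instead of indexing it, and actually matches on the body content of either direction. The MARKER constant and the body_has_marker helper are assumptions for illustration, not something the tunnel is known to contain.

```lua
-- Added example, not from the original thread. Assumes the suricata.http
-- API seen above: http.get_tx() -> tx, err; tx:request_body() and
-- tx:response_body() return the body as a string (or nil when absent).
local http = require("suricata.http")

-- Hypothetical marker string to look for in HTTP bodies (assumption).
local MARKER = "suo5"

function init(args)
    -- Nothing to request from the engine: the tx is fetched in match()
    return {}
end

-- Returns true if body is a string that contains MARKER.
-- string.find with plain=true avoids treating MARKER as a Lua pattern.
local function body_has_marker(body)
    if type(body) ~= "string" then
        return false
    end
    return string.find(body, MARKER, 1, true) ~= nil
end

function match(args)
    local tx, err = http.get_tx()
    if tx == nil then
        -- The rule did not give the lua keyword an HTTP transaction context
        -- (this is the "no tx available" case from the thread); do not match.
        SCLogNotice("no http tx: " .. tostring(err))
        return 0
    end

    -- Either side of the transaction may be absent at inspection time,
    -- so both are checked through the nil-safe helper.
    local req = tx:request_body()
    local resp = tx:response_body()

    if body_has_marker(req) or body_has_marker(resp) then
        SCLogNotice("marker seen in http body")
        return 1
    end
    return 0
end
```

Use it from a rule in the same way as the working rule above, with an HTTP buffer and content match before the lua keyword so the script runs with a transaction available; a script that returns 1 only when the marker is present lets the rule alert on the body rather than just log it.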