Question for new lua support

Hi, I upgraded my Suricata to the 8.0-beta1 release version:

# suricata --build-info
This is Suricata version 8.0.0-beta1 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 13.3.0, C version 201112
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v2.0.0

My detection rule that uses a Lua script no longer works. Error message:

E: detect-lua: data type http.request_body no longer supported, use rule hooks
E: detect: error parsing signature "alert http any any -> any any (msg:"suo5 tunnel"; flow:established; flowbits:isset,suo5_req; lua:./lua/suo5.lua; classtype:web-application-attack; sid:0101390; gid:1; priority:1; metadata:env production; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 128

Script content:

function init(args)
    local needs = {}
    -- Suricata 7 style: request the data type through "needs".
    -- Rejected at rule load in 8.0 ("no longer supported, use rule hooks").
    needs["http.request_body"] = tostring(true)
    return needs
end

function match(args)
    local reqbody = tostring(args["http.request_body"])
    SCLogNotice("reqbody: " .. reqbody)
    return 0
end

I read the documentation for the 8.0.0-beta1 version and changed the script to:

local http = require("suricata.http")

function init(args)
    local needs = {}
    return needs
end

function match(args)
    local tx = http.get_tx()                                -- nil when no HTTP transaction is available
    local http_request_body = tx:request_body()             -- line 10: fails when tx is nil
    SCLogNotice("reqbody: " .. tostring(http_request_body)) -- tostring: the body may be nil
    return 0
end

It still does not work; error message:

W: detect-lua: Lua script failed to run successfully: /var/lib/suricata/rules/./lua/suo5.lua:10: attempt to index a nil value (local 'tx')

Hi!

Thank you for your report. Seems like the docs could do a better job at error handling. It also seems incorrect in the docs to print a table value like that.

A better example is available in the suricata-verify test: suricata-verify/tests/lua-detect-http-01/test-response-body.lua (master branch of OISF/suricata-verify on GitHub).

Could you please try this out? Try to print errors on all steps to get a better idea of what goes wrong and where.

Meanwhile, I’ll update the docs.


Hi,
Thanks for your reply. I'm going to try it.

Hi,
With your test example, it still does not work:

user@hostname:/var/log/suricata$ sudo suricata -r ~/suo5-php.pcap -k none
i: suricata: This is Suricata version 8.0.0-beta1 RELEASE running in USER mode
i: threads: Threads created -> RX: 1 W: 18 FM: 1 FR: 1   Engine started.
i: suricata: Signal Received.  Stopping engine.
i: lua-common: err: error: no tx available
W: detect-lua: Lua script failed to run successfully: /var/lib/suricata/rules/./lua/suo5.lua:11: attempt to index a nil value (local 'tx')
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: lua-common: err: error: no tx available
i: pcap: read 1 file, 38 packets, 4702 bytes
user@hostname:/var/log/suricata$ cat /var/lib/suricata/rules/lua/suo5.lua
local http = require("suricata.http")

function init(args)
    local needs = {}
    return needs
end

function match(args)
    local tx, err = http.get_tx()                          -- tx is nil when no HTTP transaction is available
    SCLogNotice("err: " .. tostring(err))                  -- tostring: err is nil on success
    local http_response_body, err2 = tx:response_body()    -- line 11: fails when tx is nil
    SCLogNotice("err: " .. tostring(err2))
    if http_response_body ~= nil then
        SCLogNotice("body: " .. http_response_body)
    end
    return 0
end

Sorry, after testing, I found that there was an issue with my rule configuration in suricata.rules. Using the following rule successfully captures both HTTP request and response bodies.

alert http any any -> any any (msg:"suo5 tunnel"; flow:to_server,established; http.header.raw; content:"Content-Type|3a 20|application/plain"; nocase; flowbits:set,suo5_req; flowbits:noalert; lua:./lua/suo5.lua; classtype:web-application-attack; sid:0101389; gid:1; priority:1; metadata:env production; rev:1;)
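The error handling the maintainer asks for, as an added example (not the poster's script and not code from the Suricata project): every suricata.http call is checked for nil before its result is used, and the match decision lives in a plain Lua function that can be exercised outside Suricata. The marker string is a constructed placeholder; the script is meant to be attached with a rule like the one above, which gave the script the HTTP transaction context it was missing.

```lua
-- Added example: Suricata 8 Lua detection script with nil checks on every
-- suricata.http call. Not the poster's script and not Suricata project code.
local http = require("suricata.http")

-- Constructed placeholder: a literal substring expected in the tunnel
-- traffic. Replace with the real indicator for your environment.
local REQ_MARKER = "PLACEHOLDER_REQUEST_MARKER"

function init(args)
    -- Suricata 8: no "needs" data types; the rule's own keywords (here the
    -- http.header.raw sticky buffer) decide when the script is invoked.
    return {}
end

-- plain=true: the marker is matched literally, not as a Lua pattern.
local function has_marker(body)
    return body ~= nil and string.find(body, REQ_MARKER, 1, true) ~= nil
end

-- Decision logic kept free of the Suricata API so it can be run with plain
-- Lua. Either body may be nil when it is not (yet) available.
-- Returns 1 for a match, 0 otherwise.
function inspect_bodies(req_body, resp_body)
    if has_marker(req_body) or has_marker(resp_body) then
        return 1
    end
    return 0
end

function match(args)
    local tx, err = http.get_tx()
    if tx == nil then
        -- e.g. the rule fired in a context with no HTTP transaction
        SCLogNotice("get_tx: " .. tostring(err))
        return 0
    end

    -- Treat each accessor like get_tx: a nil body means "not available";
    -- log whatever error text came with it and carry on.
    local req_body, req_err = tx:request_body()
    if req_body == nil then
        SCLogNotice("request_body: " .. tostring(req_err))
    end
    local resp_body, resp_err = tx:response_body()
    if resp_body == nil then
        SCLogNotice("response_body: " .. tostring(resp_err))
    end

    return inspect_bodies(req_body, resp_body)
end
```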