Hi everyone.
I’m trying to run Lua scripting for detection, but it seems it doesn’t want to run. suricata.yaml is as downloaded, I just tailored it to my system and changed rules path to only include my “local.rules”.
local.rules contains one rule only:
alert tls any any -> any any (msg:"Test1"; flow:established; flowint:test, notset; flowint:test, =, 0;)
alert tls any any -> any any (msg:"Test2"; flow:established; flowint:test, isset; luajit:test.lua;)
test.lua, which I’m quite sure is in the correct location, contains just this code:
-- init: tell Suricata which data the script needs (empty table = nothing)
function init (args)
    local needs = {}
    return needs
end

-- match: return 1 to fire the rule, 0 for no match
function match (args)
    return 1
end
Everything seems super easy and correct to me, but when I run Suricata I get:
<Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
<Error> - [ERRCODE: SC_ERR_DUPLICATE_SIGN(176)] - Duplicate signature "alert tls any any -> any any (msg:"Test2"; flow:established; flowint:test, isset; luajit:test.lua;)"
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any any -> any any (msg:"Test2"; flow:established; flowint:test, isset; luajit:test.lua;)" from file /var/lib/suricata/rules/local.rules at line 2
I can’t see what I’m doing wrong.
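For readers following this thread, here is an added example (not the poster's script and not part of the original post) of what a Suricata Lua detection script that actually uses the flowint from the rules above would look like. Suricata matches a Lua script's flowint accesses against the names declared in `init`, and the rule pairing shown in the comment is assumed (the `sid` values are constructed for the example). `ScFlowintGet`, `ScFlowintSet` and `ScFlowintIncr` are Suricata's own Lua API names as documented for 5.x.

```lua
-- Added example, not the poster's test.lua. Intended rule (assumed, with
-- constructed sid values):
--   alert tls any any -> any any (msg:"Test2"; flow:established;
--         luajit:test.lua; sid:1000002; rev:1;)
-- Every rule must carry a unique sid; Suricata keys its duplicate check on sid/gid.

-- init: declare what the script needs. Registering the flowint "test" here
-- makes it reachable from match() as index 0.
function init (args)
    local needs = {}
    needs["tls"] = tostring(true)   -- run against TLS app-layer data
    needs["flowint"] = {"test"}     -- flowint "test" -> index 0
    return needs
end

-- match: count TLS records on this flow in flowint "test" and alert once
-- the count reaches THRESHOLD. Returning 1 fires the rule, 0 does not.
local THRESHOLD = 3                 -- constructed value for the example

function match (args)
    local cnt = ScFlowintGet(0)     -- nil when the flowint is not yet set
    if cnt == nil then
        ScFlowintSet(0, 1)          -- first record seen on this flow
        return 0
    end
    ScFlowintIncr(0)                -- subsequent record: bump the counter
    if cnt + 1 >= THRESHOLD then
        return 1                    -- threshold reached: alert
    end
    return 0
end
```

Because the counter lives in the flow, the script alerts at most once per flow without any global state in Lua; reading the value back with `ScFlowintGet(0)` on the next record is what makes the threshold check work.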