Hi, I use Lua for detection, and I get the following error in suricata.log:
[111791 - W#01-enp0s8] 2024-06-06 10:50:59 Warning: detect-lua: Lua script failed to run successfully: /home/suricata/rules/hello.lua:47: attempt to call a nil value (global 'require')
my suricata version:
This is Suricata version 8.0.0-dev (8781e9352 2024-06-04)
my rule content:
alert http any any -> any any (msg:"nacos"; flow: established, to_server; http.uri; content:"/nacos/v1/cs/configs"; lua:hello.lua; flowbits: set, nacos.1000001; flowbits: noalert; classtype:bad-unknown; sid: 1000001; rev: 1;)
hello.lua script:
-- Key that match() hands to verify_jwt(); per its name, the default Nacos
-- token-signing secret. A token whose signature verifies under this key was
-- signed with this fixed value rather than a deployment-specific secret.
local nacos_default_secret = "SecretKey012345678901234567890123456789012345678901234567890123456789"

-- Helper modules; left nil here and assigned inside match().
local common, sha256
--- Decode one JWT segment using the `common` helper module.
-- Applies common.url_decode first, then common.base64_decode to its result.
-- Relies on the file-level `common` upvalue, which match() assigns.
-- NOTE(review): JWT segments use the base64url alphabet ('-' and '_', no
-- padding). Whether url_decode/base64_decode cope with that is not visible
-- here; confirm against the helper module.
-- @param s encoded segment
-- @return whatever common.base64_decode returns for the decoded input
local function base64_url_decode(s)
    local decode_url = common.url_decode
    local decode_b64 = common.base64_decode
    local unescaped = decode_url(s)
    return decode_b64(unescaped)
end
--- Check whether a three-part JWT is signed with `secret` using HMAC-SHA256.
-- The signing input is the still-encoded "header.payload" string, as the JWT
-- format requires. Relies on the file-level `sha256` upvalue set by match().
-- NOTE(review): the equality test assumes sha256.hmac_sha256 returns the MAC
-- in the same form as the decoded signature (presumably raw bytes); a helper
-- that returns hex would never compare equal. Confirm.
-- NOTE(review): the token's "alg" header is not inspected; HMAC-SHA256 is
-- assumed for every token.
-- @param token  candidate JWT string
-- @param secret HMAC key to test the signature against
-- @return true, "Valid JWT", decoded payload -- when the signature matches
-- @return false, reason string               -- otherwise
local function verify_jwt(token, secret)
    local compute_hmac = sha256.hmac_sha256

    -- Three dot-separated, non-empty segments; the pattern is not anchored.
    local h64, p64, s64 = token:match("([^%.]+)%.([^%.]+)%.([^%.]+)")
    if not (h64 and p64 and s64) then
        return false, "Invalid JWT format"
    end

    -- The header is decoded but its content is not used below.
    local header = base64_url_decode(h64)
    local payload = base64_url_decode(p64)
    local presented = base64_url_decode(s64)

    local signing_input = h64 .. "." .. p64
    local expected = compute_hmac(secret, signing_input)

    if presented ~= expected then
        return false, "Invalid JWT signature"
    end
    return true, "Valid JWT", payload
end
--- Pull the value of the first `accessToken=` parameter out of a URI string.
-- The value runs up to the next '&' or the end of the string. The pattern is
-- a plain substring match, so it also fires on a longer parameter name that
-- merely ends in "accessToken".
-- @param url URI string to search
-- @return the captured token, or nil when no such parameter is present
local function extract_access_token(url)
    -- Parentheses keep the result to exactly one value.
    return (url:match("accessToken=([^&]+)"))
end
--- Suricata init callback: declare which buffers match() needs.
-- Requests the "http.uri" buffer; the flag value is the string "true".
-- @param args unused
-- @return table keyed by buffer name
function init (args)
    return { ["http.uri"] = tostring(true) }
end
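--- Suricata match callback: report a hit when the request URI carries an
-- accessToken whose JWT signature verifies under nacos_default_secret.
-- @param args table supplied by Suricata; args["http.uri"] is the URI buffer
-- @return 1 when the token verifies, 0 otherwise
function match(args)
    -- Load the helper modules once and keep them in the file-level upvalues.
    -- The log on this page shows `require` is nil in this Suricata build's
    -- Lua environment, so this raises before any inspection happens; until
    -- the helpers are made available another way, the rule cannot match.
    if not sha256 then
        sha256 = require"sha256"
    end
    if not common then
        common = require"common"
    end

    -- Test for nil BEFORE tostring(): tostring(nil) is the truthy string
    -- "nil", so checking the converted value would never catch a missing URI.
    local raw_uri = args["http.uri"]
    if raw_uri == nil then
        return 0
    end
    local http_uri = tostring(raw_uri)

    local token = extract_access_token(http_uri)
    if not token then
        return 0
    end

    -- NOTE(review): these debug lines write bearer tokens and token payloads
    -- from live traffic into suricata.log; drop them once the script works.
    SCLogInfo("token: " .. token);
    local verified, message, payload = verify_jwt(token, nacos_default_secret)
    -- `verified` is a boolean and `payload` is nil on failure; concatenating
    -- either directly raises a runtime error, so convert explicitly.
    SCLogInfo("verified: " .. tostring(verified));
    SCLogInfo("message: " .. message);
    SCLogInfo("payload: " .. tostring(payload));

    if verified then
        return 1
    end
    return 0
end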
-- Value returned by the script chunk itself when the file is loaded.
return 0