Unable require scripts in lua

haoranli · June 6, 2024, 3:32am

Hi, I use lua for detection, and an error in suricata.log

[111791 - W#01-enp0s8] 2024-06-06 10:50:59 Warning: detect-lua: Lua script failed to run successfully: /home/suricata/rules/hello.lua:47: attempt to call a nil value (global 'require')

my suricata version:

This is Suricata version 8.0.0-dev (8781e9352 2024-06-04)

my rule content:

alert http any any -> any any (msg:"nacos"; flow: established, to_server; http.uri; content:"/nacos/v1/cs/configs"; lua:hello.lua; flowbits: set, nacos.1000001; flowbits: noalert; classtype:bad-unknown; sid: 1000001; rev: 1;)

hello.lua script:

local nacos_default_secret = "SecretKey012345678901234567890123456789012345678901234567890123456789"
local common
local sha256

local function base64_url_decode(s)
    --local common        = require"common"
    local url_decode    = common.url_decode
    local base64_decode = common.base64_decode
    return base64_decode(url_decode(s))
end

local function verify_jwt(token, secret)
    --local sha256        = require"sha256"
    local hmac_sha256   = sha256.hmac_sha256
    local header_b64, payload_b64, signature_b64 = token:match("([^%.]+)%.([^%.]+)%.([^%.]+)")
    if not header_b64 or not payload_b64 or not signature_b64 then
        return false, "Invalid JWT format"
    end

    local header = base64_url_decode(header_b64)
    local payload = base64_url_decode(payload_b64)
    local signature = base64_url_decode(signature_b64)

    local data = header_b64 .. "." .. payload_b64
    local expected_signature = hmac_sha256(secret, data)

    if signature == expected_signature then
        return true, "Valid JWT", payload
    else
        return false, "Invalid JWT signature"
    end
end

local function extract_access_token(url)
    local token = url:match("accessToken=([^&]+)")
    return token
end

function init (args)
    local needs = {}
    needs["http.uri"] = tostring(true)
    return needs
end

function match(args)
    sha256 = require"sha256"
    common = require"common"
    local http_uri = tostring(args["http.uri"])
    if not http_uri then
        return 0
    end
    local token = extract_access_token(http_uri)
    if not token then
        return 0
    end
    SCLogInfo("token: " .. token);
    local verified, message, payload = verify_jwt(token, nacos_default_secret)
    SCLogInfo("verified: " .. verified);
    SCLogInfo("message: " .. message);
    SCLogInfo("payload: " .. payload);
    if verified then
        return 1
    else
        return 0
    end
end

return 0

vjulien · June 6, 2024, 7:21am

It’s unhappy about line 47, the sha256 = require"sha256". This is not a construct or syntax I recognize.

haoranli · June 7, 2024, 9:32am

I tried require("sha256") , and have same error attempt to call a nil value (global 'require')
Is suricata-8.0.0-dev allow use require() to import customized script ?

vjulien · June 7, 2024, 10:04am

ah you may be running into the new sandboxing logic. Loading of modules isn’t permitted. We plan to expose more functionality to the lua layer.

vjulien · June 8, 2024, 5:03am

We created tickets to track some of these:

Topic		Replies	Views
SC_ERR_INVALID_SIGNATURE with Lua Detection Help	2	2317	June 10, 2020
Use lua script error with docs example Help suricata	1	784	December 2, 2022
Some problems about lua scripts install into the suricata Help rules , suricata	2	397	October 7, 2022
How can I determine if the .lua scripting is being called by Suricata?	4	567	March 11, 2023
Lua rules + Lua output Rules	1	725	May 15, 2021

Unable require scripts in lua

Related Topics