After an exciting week of meeting and working with the team around the RAID conference, it's time for another lua update.
The keyword supports an interesting set of buffers now:
The http keywords are now integrated into their respective inspection engines. This led to one important limitation for now: you can only inspect one such buffer per script.
We pass the inspection offset to the script as well for these. In the lua script you can access it as follows:
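```lua
function match(args)
    -- raw request headers buffer, as handed over by the inspection engine
    local a = tostring(args["http.request_headers.raw"])
    -- inspection offset left by the preceding content match
    local o = args["offset"]
    -- everything in the buffer from that offset onwards
    local s = a:sub(o)
    print(s)
    return 0
end
```
With a buffer “Mozilla/5.0” and a signature “content:Mozilla;”, “s” in the script will contain “/5.0”. At the moment there is not yet a way to pass an offset back from the script to the inspection engine.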
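The script below is an added example, not code from the original post or from the Suricata project: it uses the offset to inspect only what follows the content match and returns a match when "Mozilla" is not followed by a well-formed version token. The `init()` function and its `needs` table are an assumption about Suricata's Lua scripting interface that this page does not show, and the helper names and sample headers are constructed.

```lua
-- Added example (not from the original post). Assumption: init() requests
-- the buffer via a "needs" table, per Suricata's Lua scripting interface.
function init(args)
    local needs = {}
    -- Only one HTTP buffer can be requested per script (see limitation above).
    needs["http.request_headers.raw"] = tostring(true)
    return needs
end

-- Text following the preceding content match, or nil if it cannot be derived.
local function tail_after_match(args)
    local buf, off = args["http.request_headers.raw"], args["offset"]
    if buf == nil or type(off) ~= "number" then return nil end
    buf = tostring(buf)
    -- off is 1-based; #buf + 1 means the content matched at the very end.
    if off < 1 or off > #buf + 1 then return nil end
    return buf:sub(off)
end

-- Return 1 (match) when the matched token is not followed by a well-formed
-- "/<major>.<minor>" version, 0 otherwise.
function match(args)
    local tail = tail_after_match(args)
    if tail == nil then return 0 end
    if tail:find("^/%d+%.%d+") then return 0 end
    return 1
end

-- Constructed sample buffers; runs only under a standalone Lua interpreter,
-- where the global "arg" table exists (it does not when embedded).
local function selftest()
    local function run(hdr)
        local _, e = hdr:find("Mozilla", 1, true)
        -- Assumption: offset is the 1-based position just past the match,
        -- which is what makes a:sub(o) yield "/5.0" in the post's example.
        return match({ ["http.request_headers.raw"] = hdr, offset = e + 1 })
    end
    assert(run("User-Agent: Mozilla/5.0 (X11)\r\n") == 0)
    assert(run("User-Agent: Mozilla/five\r\n") == 1)
    assert(run("User-Agent: Mozilla") == 1)   -- empty tail
    assert(match({ offset = 3 }) == 0)        -- buffer missing
    print("selftest ok")
end

if arg then selftest() end
```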
On the performance side things are looking good as well. At RAID, Will Metcalf converted a set of 6 ETpro sigs to a single lua script. It resulted in better detection accuracy and better performance. That work is still private, but we’ll get some real-world scripts public soon! :)
Update 10/4: this code is now available for testing in the new Suricata 1.4beta2 release!