A few days ago I wrote about my Emerging Threats sponsored work to support flowvars from Lua scripts in Suricata.
Today, I updated that support. Flowvar ‘sets’ are now real time. This was needed to fix some issues where a script was invoked multiple times in single rule, which can happen with some buffers, like HTTP headers.
Also, I implemented flowint support. Flowints in Suricata are integers stored in the flow context.
Example script:
function init (args) local needs = {} needs["http.request_headers"] = tostring(true) needs["flowint"] = {"cnt"} return needs end function match(args) a = ScFlowintGet(0); if a then ScFlowintSet(0, a + 1) else ScFlowintSet(0, 1) end a = ScFlowintGet(0); if a == 23 then return 1 end return 0 end return 0
It does the same thing as this flowvar script:
function init (args) local needs = {} needs["http.request_headers"] = tostring(true) needs["flowvar"] = {"cnt"} return needs end function match(args) a = ScFlowvarGet(0); if a then a = tostring(tonumber(a)+1) ScFlowvarSet(0, a, #a) else a = tostring(1) ScFlowvarSet(0, a, #a) end if tonumber(a) == 23 then return 1 end return 0 end return 0
Only, at about half the cost:
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 1 1 1 0 2392221879 70.56 82249 795 834993 29085.12 6964.14 29301.02 2 2 1 0 998297994 29.44 82249 795 483810 12137.51 4019.44 12216.74
Pingback: More on Suricata lua flowints | Inliniac