"Fossies" - the Fresh Open Source Software Archive 
Member "snort3_extra-3.1.53.0/src/ips_options/find/find.lua" (20 Dec 2022, 1708 Bytes) of package /linux/misc/snort3_extra-3.1.53.0.tar.gz:
As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Lua source code syntax highlighting (style:
standard) with prefixed line numbers and
code folding option.
Alternatively you can here
view or
download the uninterpreted source code file.
1 -- ----------------------------------------------------------
2 -- ips_option example:
3 --
4 -- define keyword find
5 --
6 -- configure snort with
7 --
8 -- ./configure_cmake.sh --prefix=my/prefix
9 --
10 -- then set up the path as follows:
11 --
12 -- export LUA_PATH=my/prefix/include/snort/lua/?.lua\;\;
13 --
14 -- write a rule as follows:
15 --
16 -- alert tcp any any -> any 80 ( \
17 -- msg:"luajit example"; sid:1; \
18 -- content:"GET"; \
19 -- find:"pat='HTTP/1%.%d'"; )
20 --
21 -- the arg string is (in general) optional
22 -- if present, it will be put in a table named args, eg:
23 --
24 -- args { pat='GET .+ HTTP/1.1' }
25 --
26 -- this table is defined before init is called
27 -- the args string, if present, must be valid lua code like
28 -- name1 = value1, name2 = 'value2'.
29 -- ----------------------------------------------------------
31 -- this pulls in snort bindings with ffi
32 require("snort_plugin")
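-- init() is optional
-- if present, called once when script is loaded
-- here we return true when the args are ok, otherwise an error string
-- describing what is wrong with them
--
-- args is the global table the plugin loader builds from the rule's
-- arg string (see header); it is not a parameter of this function
function init ()
    -- NOTE(review): the header says the arg string is optional, so guard
    -- the table itself as well as the field; a rule without an arg string
    -- then gets a readable error instead of "attempt to index a nil value"
    if args == nil or args.pat == nil then
        return 'missing pat'
    end

    if type(args.pat) ~= 'string' then
        return 'pat must be string'
    end

    -- pat is used as a lua pattern by eval(); string.find raises on a
    -- malformed pattern (e.g. a trailing '%' or an unclosed '[' set).
    -- probe it once here so a bad rule is rejected at load time rather
    -- than failing inside eval() on every packet that reaches it
    local ok, err = pcall(string.find, '', args.pat)
    if not ok then
        return 'bad pat: ' .. tostring(err)
    end

    return true
end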
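-- eval() is required
-- eval must return a bool (match == true)
--
-- called by snort for each packet the rule gets to; reads the current
-- detection buffer through the ffi bindings pulled in by snort_plugin
function eval ()
    -- buf is a luajit cdata handed back by the snort bindings
    local buf = ffi.C.get_buffer()

    -- copy the buffer into a lua string so the string library can see it;
    -- the length comes from the cdata, not from a terminating NUL, so
    -- embedded zero bytes in the payload are kept
    local str = ffi.string(buf.data, buf.len)

    -- args.pat was checked to be a string by init(); it is a lua pattern,
    -- not a regex, so '.' and '%' carry pattern meaning (see the header
    -- example, which escapes the dot as '%.')
    local i = string.find(str, args.pat)

    -- string.find yields nil on no match and a position >= 1 otherwise;
    -- compare against nil so the result is a real boolean (false, not nil)
    -- as the contract above asks for
    return i ~= nil
end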
-- plugin table is required; the loader reads it to register the keyword
local PLUGIN_TYPE = "ips_option" -- only available type currently
local KEYWORD = "find"           -- rule option keyword
local VERSION = 0                -- optional, defaults to zero

plugin = { type = PLUGIN_TYPE, name = KEYWORD, version = VERSION }