Lua xform/v3 #2240

Open
wants to merge 2 commits into
base: master
1 change: 1 addition & 0 deletions tests/lua/lua-transform-01/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Lua transform test: returns input buffer in uppercase. The rule will match on the uppercase output
Binary file added tests/lua/lua-transform-01/test.pcap
1 change: 1 addition & 0 deletions tests/lua/lua-transform-01/test.rules
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
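Review bot: the option string `luaxform:transform.lua;content:"EXEC_POST.PHP"` has no space after the `;` that separates the two keywords, unlike the spacing used for the rest of the line; the same formatting is repeated in every test.rules file in this PR. It is also worth recording (in the README rather than the rule) that the `content` match deliberately omits `nocase`: the uppercase pattern can only match if the transform ran, so a later "helpful" addition of `nocase` would silently void the test.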
14 changes: 14 additions & 0 deletions tests/lua/lua-transform-01/test.yaml
@@ -0,0 +1,14 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

checks:
- filter:
count: 1
match:
event_type: alert
alert.signature_id: 1
http.url: /exec_post.php
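Review bot: the `requires` block declares only `min-version: 8` and nothing says the build under test needs Lua support, so a build configured without it fails this test instead of skipping it; consider adding a `features:` requirement for Lua alongside the version pin. The `http.url: /exec_post.php` match is a good implicit check that the transform worked on a copy and the logged URL stayed lowercase; a sentence in the README saying so would make that intent explicit.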
10 changes: 10 additions & 0 deletions tests/lua/lua-transform-01/transform.lua
@@ -0,0 +1,10 @@
-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function transform(input, args)
local bytes = #input
local offset = 0

local sub = string.sub(input, offset + 1, offset + bytes)
return string.upper(sub), bytes
end
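Review bot: `bytes_key` and `offset_key` are declared but never used and the `args` parameter is ignored; the same dead declarations are copied verbatim into lua-transform-03, -04 and -06. With `offset` fixed at 0 and `bytes` at `#input`, the `string.sub` call copies the whole buffer and the function reduces to `return string.upper(input), #input`; either simplify it to that, or parse `args` here the way lua-transform-07 does, so the fixture matches what its README claims to test.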
1 change: 1 addition & 0 deletions tests/lua/lua-transform-02/README.md
@@ -0,0 +1 @@
Lua transform: Ensure non-existent lua scripts are detected.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-02/test.rules
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:no_filetransform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
20 changes: 20 additions & 0 deletions tests/lua/lua-transform-02/test.yaml
@@ -0,0 +1,20 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true
- --set logging.outputs.1.file.type=json
- -T

exit-code: 1

pcap: false
checks:
- filter:
count: 1
filename: suricata.log
match:
event_type: engine
engine.message.__startswith: "couldn't load file"
engine.message.__find: "no_filetransform.lua: No such file or directory"
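Review bot: the `engine.message.__find` value `"no_filetransform.lua: No such file or directory"` ties the assertion to the C library's strerror text as well as to the engine's own wording, so it breaks on any platform or version that phrases either part differently; matching the script name alone (`__find: "no_filetransform.lua"`) together with the existing `__startswith: "couldn't load file"` is just as strong and less brittle. Also, `pcap: false` sits after `exit-code` here but before it in lua-transform-03/test.yaml; pick one ordering for the two near-identical files.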
1 change: 1 addition & 0 deletions tests/lua/lua-transform-03/README.md
@@ -0,0 +1 @@
Lua transform test: ensure lua script has a transform function
1 change: 1 addition & 0 deletions tests/lua/lua-transform-03/test.rules
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
20 changes: 20 additions & 0 deletions tests/lua/lua-transform-03/test.yaml
@@ -0,0 +1,20 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true
- --set logging.outputs.1.file.type=json
- -T

pcap: false

exit-code: 1

checks:
- filter:
count: 1
filename: suricata.log
match:
engine.message.__find: "no transform function in script"
event_type: engine
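Review bot: the match keys are listed in the opposite order from lua-transform-02/test.yaml (`engine.message.__find` before `event_type` here, after it there); ordering does not affect matching, but keeping the two files parallel makes the difference between the "missing file" and "missing function" cases easy to read. It would also help to include the script name in the `__find` string, as 02 does, so the check cannot be satisfied by an unrelated "no transform function in script" error from another rule if the rules file ever grows.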
10 changes: 10 additions & 0 deletions tests/lua/lua-transform-03/transform.lua
@@ -0,0 +1,10 @@
-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function no_transform(input, args)
local bytes = #input
local offset = 0

local sub = string.sub(input, offset + 1, offset + bytes)
return string.upper(sub), bytes
end
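Review bot: the README says this case checks that the script has a `transform` function, but the fixture carries the full body of lua-transform-01's script under the name `no_transform`, plus the unused `bytes_key`/`offset_key` locals; a reader has to diff the two files to see that the only intended difference is the function name. A one-line `function no_transform(input, args) end` with a comment stating that the engine must reject the script at load time would make the negative case self-explanatory.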
1 change: 1 addition & 0 deletions tests/lua/lua-transform-04/README.md
@@ -0,0 +1 @@
Ensure Lua transform receives optional transform function arguments
1 change: 1 addition & 0 deletions tests/lua/lua-transform-04/test.rules
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 0, offset 2;content:"EXEC_POST.PHP"; sid:1; rev:1;)
18 changes: 18 additions & 0 deletions tests/lua/lua-transform-04/test.yaml
@@ -0,0 +1,18 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

pcap: ../lua-transform-01/test.pcap

checks:

- shell:
args: grep "1 item.* bytes 0" stdout | wc -l | xargs
expect: 1

- shell:
args: grep "2 item.* offset 2" stdout| wc -l | xargs
expect: 1
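Review bot: both `shell` checks grep the engine's stdout for `print()` output and expect exactly one matching line, which couples the test to how many times the engine invokes the transform for this pcap and rule; a second HTTP transaction in a future pcap, or a change in how often the engine calls the script per buffer, changes the count and fails the test without any transform bug. Consider asserting at least one match instead, or pairing this with a `filter` check that sid 1 alerted (the script still uppercases the whole buffer, so `EXEC_POST.PHP` should match), so argument delivery and matching are shown to work together. Cosmetic: `stdout| wc -l` is missing a space, and `| xargs` is only there to trim the whitespace `wc -l` emits.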
13 changes: 13 additions & 0 deletions tests/lua/lua-transform-04/transform.lua
@@ -0,0 +1,13 @@
-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function transform(input, args)
offset = 0
bytes = #input
for i, item in ipairs(args) do
print(i .. " item: " .. item)
end

local sub = string.sub(input, offset + 1, offset + bytes)
return string.upper(sub), bytes
end
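Review bot: `offset` and `bytes` are assigned without `local` in the first two lines of `transform`, so they become globals in the script's Lua state; the other fixtures declare them `local`, and this one should too. The loop prints each argument but never applies it, so with `bytes 0` in the rule the function still returns the whole uppercased buffer; that is acceptable for a test whose README says it only checks that arguments are received, but a comment stating that the values are intentionally ignored would stop a reader from assuming `bytes 0` is meant to produce an empty buffer.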
1 change: 1 addition & 0 deletions tests/lua/lua-transform-05/README.md
@@ -0,0 +1 @@
Ensure Lua transform that returns nil is treated as though no transformation took place and the buffer is unchanged.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-05/test.rules
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 0, offset 2;content:"exec_post.php"; sid:1; rev:1;)
17 changes: 17 additions & 0 deletions tests/lua/lua-transform-05/test.yaml
@@ -0,0 +1,17 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

pcap: ../lua-transform-01/test.pcap

checks:

- filter:
count: 1
match:
event_type: alert
alert.signature_id: 1
http.url: /exec_post.php
3 changes: 3 additions & 0 deletions tests/lua/lua-transform-05/transform.lua
@@ -0,0 +1,3 @@
function transform(input, args)
return nil, 0
end
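Review bot: this fixture returns `nil, 0` to signal "no transformation", while lua-transform-07's error paths return a bare `nil`; only the two-value shape gets a dedicated test. Either add a case for the single-value `nil` return or make the documented example in 07 use the shape this test validates, so the behaviour the documentation relies on is the one the suite actually covers.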
1 change: 1 addition & 0 deletions tests/lua/lua-transform-06/README.md
@@ -0,0 +1 @@
Lua transform test: transform function returns 1 parameter when 2 are required.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-06/test.rules
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
16 changes: 16 additions & 0 deletions tests/lua/lua-transform-06/test.yaml
@@ -0,0 +1,16 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

pcap: ../lua-transform-01/test.pcap

checks:
- filter:
count: 0
match:
event_type: alert
alert.signature_id: 1
http.url: /exec_post.php
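Review bot: a `count: 0` alert filter cannot distinguish "the engine ignored the malformed return and left the buffer alone" from "the rule or transform failed to load", so this test would also pass if the signature never ran at all. Add a positive control, for example a second rule (sid 2) with lowercase `content:"exec_post.php"` on the same buffer expected with `count: 1`, or a check on whatever the engine logs when a transform returns one value instead of two. The README should also state the expected behaviour, since "returns 1 parameter when 2 are required" describes the input, not the outcome being verified.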
11 changes: 11 additions & 0 deletions tests/lua/lua-transform-06/transform.lua
@@ -0,0 +1,11 @@
-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function transform(input, args)
local bytes = #input
local offset = 0

local sub = string.sub(input, offset + 1, offset + bytes)
-- Note -- only one value is returned when 2 are expected: buffer, byte-count
return string.upper(sub)
end
2 changes: 2 additions & 0 deletions tests/lua/lua-transform-07/README.md
@@ -0,0 +1,2 @@
Ensure Lua transform receives optional transform function arguments. The Lua transform script
is also provided as an example in the documentation.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-07/test.rules
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 12, offset 2;content:"XEC_POST.PHP"; sid:1; rev:1;)
16 changes: 16 additions & 0 deletions tests/lua/lua-transform-07/test.yaml
@@ -0,0 +1,16 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

pcap: ../lua-transform-01/test.pcap

checks:

- filter:
count: 1
match:
event_type: alert
alert.signature_id: 1
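Review bot: unlike lua-transform-01 and -05, the alert filter omits `http.url: /exec_post.php`; adding it keeps the fixtures consistent. More importantly, the check only proves that some transform output matched `XEC_POST.PHP`; it does not show that `offset 2` was honoured, because `XEC_POST.PHP` is also a substring of a fully uppercased `/EXEC_POST.PHP`. A second rule with `content:"EXEC_POST.PHP"` and an expected `count: 0` would demonstrate that the leading `/E` really was cut off by the offset.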
49 changes: 49 additions & 0 deletions tests/lua/lua-transform-07/transform.lua
@@ -0,0 +1,49 @@
function init()
end

local function get_value(item, key)
if string.find(item, key) then
local _, value = string.match(item, "(%a+)%s*(%d*)")
if value ~= "" then
return tonumber(value)
end
end

return nil
end

-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function transform(input, args)
local bytes = #input
local offset = 0

-- Look for optional bytes and offset arguments
for i, item in ipairs(args) do
local value = get_value(item, bytes_key)
if value ~= nil then
bytes = value
else
value = get_value(item, offset_key)
if value ~= nil then
offset = value
end
end
end

local str_len = #input
if offset < 0 or offset > str_len then
print("offset is out of bounds: " .. offset)
return nil
end

local avail_len = str_len - offset
if bytes < 0 or bytes > avail_len then
print("invalid bytes " .. bytes .. " or bytes exceeds available length " .. avail_len)
return nil
end

local sub = string.sub(input, offset + 1, offset + bytes)
return string.upper(sub), bytes
end
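Review bot: the `offset < 0` and `bytes < 0` branches are unreachable through `get_value`, because the pattern `(%a+)%s*(%d*)` captures digits only, so `tonumber(value)` can never be negative; either extend the capture to `(-?%d*)` so a negative argument actually reaches the bounds check, or drop the `< 0` tests so readers of the documented example are not misled about what the parser accepts. Two smaller points on the same function: `string.find(item, key)` treats `key` as a pattern and matches anywhere in the item, so an argument such as `nbytes 3` is parsed as `bytes`; an anchored plain match (`string.find(item, key, 1, true) == 1`) would be stricter. And the error paths `print()` to stdout and return a bare `nil`, whereas lua-transform-05 tests `nil, 0`; since this script is the documentation example, it should use the return shape the suite covers. The empty `init()` also deserves a comment saying whether the engine requires it.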