Before the New Year a follower messaged me asking for a post on Lua scripts. As a blogger who looks after his followers, I had to deliver.
Pairing Suricata with Lua output scripts lets you shape what gets logged, and in what format, with a few lines of script instead of patching C, which is a real time saver.
0x00 Build
Enable Lua support:
yum install luarocks (not sure whether this is actually needed)
(Suricata itself only needs the LuaJIT headers and shared library; luarocks is a Lua package manager and is not required for the build.)
Download and install LuaJIT manually, following https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_luajit :
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make && make install
Output from a successful install:
cd src && install -m 0644 lua.h lualib.h lauxlib.h luaconf.h lua.hpp luajit.h /usr/local/include/luajit-2.0
cd src/jit && install -m 0644 bc.lua v.lua dump.lua dis_x86.lua dis_x64.lua dis_arm.lua dis_ppc.lua dis_mips.lua dis_mipsel.lua bcsave.lua vmdef.lua /usr/local/share/luajit-2.0.5/jit
ln -sf luajit-2.0.5 /usr/local/bin/luajit
==== Successfully installed LuaJIT 2.0.5 to /usr/local ====
cd /home/leeezp/suricata
Build:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
    --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/lib/
make && make install
Note: the LuaJIT build above installed into /usr/local, so its shared library lives in /usr/local/lib; if configure cannot find libluajit, point --with-libluajit-libraries at /usr/local/lib/ instead.
Running suricata fails:
./suricata: error while loading shared libraries: libhtp.so.2: cannot open shared object file: No such file or directory
The library was installed under /usr/local/lib, which the dynamic loader is not searching. Add it and refresh the loader cache:
cat /etc/ld.so.conf                          # check what is already there
echo "/usr/local/lib" >> /etc/ld.so.conf     # add the directory libhtp.so.2 was installed to
ldconfig                                     # rebuild the loader cache
Reference:
https://developer.aliyun.com/article/604301
cd /home/leeezp/suricata-6.0.2/src
./suricata --build-info    # check that the output reports LuaJIT support
Running it fails again:
/home/leeezp/suricata/rules/test
[root@leezp test]# ../../src/./suricata -r ../ssss.pcap -vvv -k none -c /etc/suricata/suricata.yaml
30/4/2021 -- 18:08:36 - <Notice> - This is Suricata version 6.0.2 RELEASE running in USER mode
30/4/2021 -- 18:08:36 - <Info> - CPUs/cores online: 1
30/4/2021 -- 18:08:36 - <Config> - luajit states preallocated: 128
/home/leeezp/suricata/src/.libs/lt-suricata: symbol lookup error: /home/leeezp/suricata/src/.libs/lt-suricata: undefined symbol: htp_config_set_lzma_layers
This is most likely a mismatch between the installed libhtp and this Suricata: the loader picked up an older libhtp.so.2 that does not export htp_config_set_lzma_layers.
Rebuild from the official repository, with the matching libhtp checked out alongside it:
git clone https://github.com/OISF/suricata.git
cd suricata
git checkout remotes/origin/master-6.0.x
git clone https://github.com/OISF/libhtp.git    # the matching libhtp is built as part of the suricata tree
./autogen.sh
cargo install --force cbindgen    # enables Rust support (some protocol parsers are written in Rust)
export PATH=$PATH:/root/.cargo/bin/    # add cargo's bin directory to PATH
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
    --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/lib/
make
make install
7/5/2021 -- 11:37:51 - <Warning> - [ERRCODE: SC_WARN_PCRE_JITSTACK(326)] - Unable to allocate PCRE JIT stack; will continue without JIT stack
7/5/2021 -- 11:37:51 - <Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - setting up thread local detect ctx for keyword "pcre" failed
This error is probably because I had compiled pcre myself earlier and suricata picked up that copy. As a workaround, force the system libpcre to be loaded first:
LD_PRELOAD=/lib64/libpcre.so.1 ../../src/./suricata -r ./test.pcap -v -k none -c /etc/suricata/suricata.yaml
The proper fix is to install the dependency versions the project builds against. Open .github/workflows/builds.yml in the suricata tree:
vim .github/workflows/builds.yml
Find the centos7 job, copy its "yum -y install" package list, and install/update all of those dependencies; after that the build should be fine.
--prefix=/usr/ : installs the Suricata binary into /usr/bin/ (the default prefix is /usr/local/).
Only the suricata under /usr/bin is the correctly built one:
LD_PRELOAD=/lib64/libpcre.so.1 /usr/bin/suricata -r /home/leeezp/suricata/rules/test/test.pcap -v -k none -c /etc/suricata/suricata.yaml
Switching to another release and rebuilding:
git tag -l                      # list available release tags
git checkout suricata-6.0.1     # check out the tag you want
git checkout .                  # discard any local modifications
git status
Check which shared libraries the installed suricata binary resolves (any "not found" entry means a missing or mismatched library):
ldd /usr/bin/suricata
0x01 Usage
Edit suricata.yaml. I added the following block at the bottom of the "outputs:" section (mind the indentation, YAML is whitespace-sensitive):
  - lua:
      enabled: yes
      scripts-dir: /home/leeezp/suricata/rules/test
      scripts:
        - script1.lua
        - http.lua
        - test2.lua
        - dns.lua
script1.lua example (prints every alert in fast-log style and counts them):
-- init() tells Suricata what this script wants to be called for:
-- packet-level callbacks, filtered down to packets that triggered an alert.
function init()
    local needs = {}
    needs["type"] = "packet"
    needs["filter"] = "alerts"
    return needs
end

-- setup() runs once when the output is initialised; alert_count is kept
-- global so that log() and deinit() can share it.
function setup()
    alert_count = 0
end

-- log() runs once per alerting packet.
function log()
    local timestring = SCPacketTimeString()
    local sid, rev, gid = SCRuleIds()
    local msg = SCRuleMsg()
    local class, priority = SCRuleClass()
    local ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCPacketTuple()
    -- rules without a classtype return nil here; avoid concatenating nil
    if class == nil then
        class = "unknown"
    end
    print (timestring .. " [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
           msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
           priority .. "] {" .. protocol .. "} " ..
           src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)
    alert_count = alert_count + 1
end

-- deinit() runs once at shutdown.
function deinit()
    print ("Alerted " .. alert_count .. " times")
end
Run it and see the result:
Clear at a glance, isn't it :)
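The yaml above also lists an http.lua, so here is a complete script of that kind as an added example; it is not from the original post or from the Suricata project. It writes one tab-separated line per HTTP transaction to a file under Suricata's log directory, using the Suricata 6 Lua output API (SCLogPath, SCLogInfo, SCLogNotice, SCFlowTimeString, SCFlowTuple, HttpGetRequestLine, HttpGetRequestHost, HttpGetRequestHeader). The file name http_requests.log and the sanitize helper are my own choices. Unlike script1.lua it is called per HTTP transaction rather than per alert, and it replaces control characters in attacker-controlled fields so a crafted URI or header cannot inject a fake log line into the file.

```lua
-- http.lua: added example, not the original post's or Suricata's own code.
-- Logs one line per HTTP transaction under Suricata's log directory.
-- API functions used are those documented for Suricata 6 Lua output scripts;
-- the output file name below is an assumption.

local name = "http_requests.log"   -- assumed file name, relative to SCLogPath()

-- Replace every control character (CR, LF, NUL, TAB, ...) with a dot so that
-- request data cannot break the one-line-per-transaction log format.
-- gsub returns two values; the parentheses keep only the string.
local function sanitize(s)
    if s == nil then
        return "-"
    end
    return (string.gsub(s, "%c", "."))
end

-- Ask to be called for every completed HTTP transaction.
function init(args)
    local needs = {}
    needs["protocol"] = "http"
    return needs
end

-- Runs once at startup: open the log file in append mode.
-- file and http_count are globals so log() and deinit() can reach them.
function setup(args)
    local filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
    SCLogInfo("HTTP log file " .. filename)
    http_count = 0
end

-- Runs once per HTTP transaction.
function log(args)
    local ts = SCFlowTimeString()
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()

    -- Request line carries method, URI and version; it is nil when the
    -- request side was never seen (e.g. mid-stream pickup), which
    -- sanitize() turns into "-".
    local reqline = sanitize(HttpGetRequestLine())
    local host    = sanitize(HttpGetRequestHost())
    local ua      = sanitize(HttpGetRequestHeader("User-Agent"))

    file:write(string.format("%s\t%s:%d -> %s:%d\t%s\t%s\t%s\n",
                             ts, srcip, sp, dstip, dp, host, reqline, ua))
    file:flush()
    http_count = http_count + 1
end

-- Runs once at shutdown.
function deinit(args)
    SCLogNotice("HTTP transactions logged: " .. http_count)
    file:close()
end
```

Save it as http.lua in the scripts-dir from the yaml above and run suricata against a pcap exactly as with script1.lua; the file appears in the configured log directory (default-log-dir in suricata.yaml). Each script listed under scripts: gets its own Lua state, so the globals here do not collide with alert_count in script1.lua.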
0x02 Afterword
This post is only meant to get the ball rolling; feel free to build on it yourself or message me to discuss other ways to use it.