LuaJIT is a Just-In-Time Compiler (JIT) for the Lua programming language. Lua is a powerful, dynamic and light-weight programming language. It may be embedded or used as a general-purpose, stand-alone language.
LuaJIT can be used as scripting lauguage for Suricata detection rules. Emerging Threats creates some lua scripts for Suricata at here.
Lua is not enabled by default on Suricata. You need to re-compile it to make it works.
If you compile Suricata from GitHub, you can :
Compile and Install of LuaJIT :
The current version at the writing is 2.0.4.
cd ~
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0
make
sudo make installCompile and Install of Suricata on Ubuntu 14.04.3 LTS :
cd ~
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
git clone https://github.com/ironbee/libhtp.git
./autogen.sh
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
--enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/local/lib/
make clean
make
sudo make install
sudo ldconfigWorks with ET Lua scripts :
# install lua related packages
sudo apt-get -y install cmake lua-zip lua-zip-dev lua-zlib lua-zlib-dev \
luarocks libzzip-dev libzzip-0.13 lua-apr lua-apr-dev lua-socket \
lua-socket-dev lua-sec lua-sec-dev lua-rex-gnu lua-rex-gnu-dev \
lua-rex-pcre lua-rex-pcre-dev lua-bitop lua-bitop-dev liblua5.1 \
libzip-dev
sudo apt-get -y install cmake build-essential
sudo luarocks install struct
sudo luarocks install bitlib
sudo cp /usr/lib/x86_64-linux-gnu/liblua5.1.so /usr/local/lib/liblua.so# compile and install ltn12ce
cd ~
git clone https://github.com/mkottman/ltn12ce.git
cd ltn12ce
mkdir build && cd build
cmake ..
make
sudo make install
sudo mkdir -p /usr/local/lib/lua/5.1/ltn12ce
sudo cp ~/ltn12ce/build/src/ltn12ce/core.so /usr/local/lib/lua/5.1/ltn12ce# compile and install zlib
cd ~
wget http://zlib.net/zlib-1.2.8.tar.gz
tar -xzvf zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure
make
sudo make install# compile and install lua-zlib
cd ~
git clone https://github.com/brimworks/lua-zlib.git
cd lua-zlib
make linux
sudo mkdir -p /usr/lib/lua/5.1
sudo mkdir -p /usr/local/lib/lua/5.1
sudo cp zlib.so /usr/local/lib/lua/5.1
sudo make install
sudo cp /usr/lib/x86_64-linux-gnu/lua/5.1/zip.so /usr/local/lib/lua/5.1
sudo mkdir -p /usr/local/lib/lua/5.1/apr
sudo cp /usr/lib/x86_64-linux-gnu/lua/5.1/apr/core.so /usr/local/lib/lua/5.1/aprMake sure the ET lua scripts and related rules are placed at "/etc/suricata/rules" and the "luajit-drop.rules" or "luajit.rules" is loaded in suricata.yaml.
Bug Fix on ET Lua scripts :
Please note that CVE-2015-1770.lua and CVE-2015-2375.lua have a small bug when using with luajit. You can fix them like this :
sudo sed -i -e 's/activeX%d+\\.xml/activeX%d+.xml/g' /etc/suricata/rules/CVE-2015-1770.lua
sudo sed -i -e 's/table%d+\\.xml/table%d+.xml/g' /etc/suricata/rules/CVE-2015-2375.luaFinally, if you are using Snorby, you need to copy the all rules files (except lua scripts) to another place, such as "/etc/suricata/rules/snorby" for Snorby; otherwise, Snorby cannot display the rules when requested. Meanwhile, you need to edit "/var/www/snorby/config/snorby_config.yml" for the new rules path.
One more thing, the value of "prealloc" at "flow" section at suricata.yaml should not more than "4000000"; otherwise, the lua scripts cannot be loaded.
After that, restart Suricata.
That's all! See you.
