Suricata

In Suricata 8.0.0, when using a Lua script as a detect keyword (lua:buffer.lua) placed after a sticky buffer (e.g., base64_data;lua:buffer.lua;), the args table passed to match() is always empty. Setting needs["buffer"] = true in init() does not populate args["buffer"].

Looking at the source code (detect-lua.c), DetectLuaMatchBuffer() correctly pushes buffer data into the args table, but it appears to never be called. Only DetectLuaMatch() is invoked, which passes an empty table.

Steps to reproduce:

function init(args)
    return {["buffer"] = true}
end
function match(args)
    for k, v in pairs(args) do
        print(k .. "=" .. type(v))
    end
    return 1
end

With rule: alert http any any -> any any (...; base64_data;lua:test.lua; ...)

Output: empty (no keys in args table).

Question: Is this a known limitation or a bug? Will a future version restore the ability for Lua detect scripts to access the current inspection buffer via args["buffer"], similar to older Suricata versions?

Currently the only workaround is to use suricata.http / suricata.packet libraries, which always return the full transaction/packet data regardless of buffer position.