Project

General

Profile

Bug #1577

Updated by Victor Julien about 9 years ago

I am using the latest git version - Suricata version 2.1dev (rev dcbbda5).    I am using these rules (https://github.com/EmergingThreats/et-luajit-scripts/blob/master/luajit-drop.rules) from https://github.com/EmergingThreats/et-luajit-scripts 

 The build info is : 
 <pre> 
 

 suricata --build-info 
 This is Suricata version 2.1dev (rev dcbbda5) 
 Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS  
 SIMD support: SSE_4_2 SSE_4_1 SSE_3  
 Atomic intrisics: 1 2 4 8 16 byte(s) 
 64-bits, Little-endian architecture 
 GCC version 4.8.4, C version 199901 
 compiled with -fstack-protector 
 compiled with _FORTIFY_SOURCE=2 
 L1 cache line size (CLS)=64 
 thread local storage method: __thread 
 compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18 

 Suricata Configuration: 
   AF_PACKET support:                         yes 
   PF_RING support:                           no 
   NFQueue support:                           no 
   NFLOG support:                             no 
   IPFW support:                              no 
   Netmap support:                            no 
   DAG enabled:                               no 
   Napatech enabled:                          no 

   Unix socket enabled:                       yes 
   Detection enabled:                         yes 

   libnss support:                            yes 
   libnspr support:                           yes 
   libjansson support:                        yes 
   Prelude support:                           no 
   PCRE jit:                                  yes 
   LUA support:                               yes, through luajit 
   libluajit:                                 yes 
   libgeoip:                                  yes 
   Non-bundled htp:                           no 
   Old barnyard2 support:                     no 
   CUDA enabled:                              no 

   Suricatasc install:                        yes 

   Unit tests enabled:                        no 
   Debug output enabled:                      no 
   Debug validation enabled:                  no 
   Profiling enabled:                         no 
   Profiling locks enabled:                   no 
   Coccinelle / spatch:                       no 

 Generic build parameters: 
   Installation prefix:                       /usr 
   Configuration directory:                   /etc/suricata/ 
   Log directory:                             /var/log/suricata/ 

   --prefix                                   /usr 
   --sysconfdir                               /etc 
   --localstatedir                            /var 

   Host:                                      x86_64-unknown-linux-gnu 
   Compiler:                                  gcc (exec name) / gcc (real) 
   GCC Protect enabled:                       no 
   GCC march native enabled:                  yes 
   GCC Profile enabled:                       no 
   Position Independent Executable enabled: no 
   CFLAGS                                     -g -O2 -march=native 
   PCAP_CFLAGS                                 -I/usr/include 
   SECCFLAGS                             
 </pre> 
                             

 The suricata.yaml setting is : 
 <pre> 
   

   # Lua Output Support - execute lua script to generate alert and event 
   # output. 
   # Documented at: 
   # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output 
   - lua: 
 #        enabled: no 
       enabled: yes 
       #scripts-dir: /etc/suricata/lua-output/ 
       scripts-dir: /etc/suricata/rules/ 
       scripts: 
       #     - script1.lua 
 #            - CVE-2012-1535.lua 
 #            - CVE-2013-0074.lua 
 #            - CVE-2014-4114.lua 
 #            - CVE-2015-1641.lua 
 #            - CVE-2015-1650.lua 
 #            - CVE-2015-1770.lua 
 #            - CVE-2015-2375.lua 
 #            - CVE-2015-2377.lua 
 #            - CVE-2015-2426.lua 
 #            - CVE-2015-3113.lua 
 #            - suri-bh2-abc-jar.lua 
 #            - suri-high-entropy.lua 
 #            - suri-nuclear-url.lua 
 #            - suri-regin.lua 
 #            - suri-reversed-compressed-binary.lua 
 #            - suri-styx-url.lua 
 #            - suri-suspicious-flash2.lua 
 #            - suri-suspicious-jar.lua 
 #            - suri-suspicious-jar2.lua 
 #            - suri-suspicious-pack200jar.lua 
 #            - suri-suspicious-pdf.lua 
 #            - suri-suspicious-vbe.lua 
 #            - suri-xor-binary-detect.lua 
 #            - suri-xor-binary-quick.lua 
 #            - suri-xor-non-zero.lua 
 #            - tls-heartbleed.lua 
 </pre> 
 

 All the captioned lua script dependencies have been solved.    All the said lua scripts are placed at /etc/suricata/rules/.    When I restart Suricata, I have the following error at /var/log/suricata.log : 

 http://pastebin.com/7PQ4KbsP 

 Meanwhile, when I uncomment the suricata.yaml for the captioned lua scripts at the lua section, the Suricata restart itself in an endless loop condition. 

Back