Bug #1577
Updated by Victor Julien over 8 years ago
I am using the latest git version - Suricata version 2.1dev (rev dcbbda5). I am using these rules (https://github.com/EmergingThreats/et-luajit-scripts/blob/master/luajit-drop.rules) from https://github.com/EmergingThreats/et-luajit-scripts The build info is : <pre> suricata --build-info This is Suricata version 2.1dev (rev dcbbda5) Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS SIMD support: SSE_4_2 SSE_4_1 SSE_3 Atomic intrisics: 1 2 4 8 16 byte(s) 64-bits, Little-endian architecture GCC version 4.8.4, C version 199901 compiled with -fstack-protector compiled with _FORTIFY_SOURCE=2 L1 cache line size (CLS)=64 thread local storage method: __thread compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18 Suricata Configuration: AF_PACKET support: yes PF_RING support: no NFQueue support: no NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no Unix socket enabled: yes Detection enabled: yes libnss support: yes libnspr support: yes libjansson support: yes Prelude support: no PCRE jit: yes LUA support: yes, through luajit libluajit: yes libgeoip: yes Non-bundled htp: no Old barnyard2 support: no CUDA enabled: no Suricatasc install: yes Unit tests enabled: no Debug output enabled: no Debug validation enabled: no Profiling enabled: no Profiling locks enabled: no Coccinelle / spatch: no Generic build parameters: Installation prefix: /usr Configuration directory: /etc/suricata/ Log directory: /var/log/suricata/ --prefix /usr --sysconfdir /etc --localstatedir /var Host: x86_64-unknown-linux-gnu Compiler: gcc (exec name) / gcc (real) GCC Protect enabled: no GCC march native enabled: yes GCC Profile enabled: no Position Independent Executable enabled: no CFLAGS -g -O2 -march=native PCAP_CFLAGS -I/usr/include SECCFLAGS </pre> The suricata.yaml setting is : <pre> # Lua Output Support - execute lua script to generate alert and event # output. # Documented at: # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output - lua: # enabled: no enabled: yes #scripts-dir: /etc/suricata/lua-output/ scripts-dir: /etc/suricata/rules/ scripts: # - script1.lua # - CVE-2012-1535.lua # - CVE-2013-0074.lua # - CVE-2014-4114.lua # - CVE-2015-1641.lua # - CVE-2015-1650.lua # - CVE-2015-1770.lua # - CVE-2015-2375.lua # - CVE-2015-2377.lua # - CVE-2015-2426.lua # - CVE-2015-3113.lua # - suri-bh2-abc-jar.lua # - suri-high-entropy.lua # - suri-nuclear-url.lua # - suri-regin.lua # - suri-reversed-compressed-binary.lua # - suri-styx-url.lua # - suri-suspicious-flash2.lua # - suri-suspicious-jar.lua # - suri-suspicious-jar2.lua # - suri-suspicious-pack200jar.lua # - suri-suspicious-pdf.lua # - suri-suspicious-vbe.lua # - suri-xor-binary-detect.lua # - suri-xor-binary-quick.lua # - suri-xor-non-zero.lua # - tls-heartbleed.lua </pre> All the captioned lua script dependencies have been solved. All the said lua scripts are placed at /etc/suricata/rules/. When I restart Suricata, I have the following error at /var/log/suricata.log : http://pastebin.com/7PQ4KbsP Meanwhile, when I uncomment the suricata.yaml for the captioned lua scripts at the lua section, the Suricata restart itself in an endless loop condition.