From 3eb8c728fd5a30e02eff17f9135b991d9b5c3d35 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Mon, 27 May 2024 16:12:30 -0600 Subject: [PATCH] doc: update lua sandbox docs for allowed packages/functions --- doc/userguide/rules/lua-detection.rst | 53 ++++++++++++++++++--------- 1 file changed, 36 insertions(+), 17 deletions(-) diff --git a/doc/userguide/rules/lua-detection.rst b/doc/userguide/rules/lua-detection.rst index 56412cb7d5..0f2011987e 100644 --- a/doc/userguide/rules/lua-detection.rst +++ b/doc/userguide/rules/lua-detection.rst @@ -15,7 +15,9 @@ Syntax: The script filename will be appended to your default rules location. -The script has 2 parts, an init function and a match function. First, the init. +A Lua rule script has 2 required functions, an ``init`` function and +``match`` function, discussed below. + Additionally, the script will run in a limited sandbox by default. Init function 
@@ -104,25 +106,42 @@ Entire script: Sandbox and Available functions ------------------------------- -By default, the maximum memory and lua instruction count per execution of a detection rule will be limited. Additionally, -The following libraries and functions are blocked: -* package +Lua rule scripts are run in a sandbox environment the applies the +following restrictions: + +* reduced libraries +* only allowed functions available +* instruction count limit +* memory allocation limit + +The following table lists the library and functions available: + +================== ================================================================= +Package Name Functions +================== ================================================================= +base assert, ipairs, next, pairs, print, rawequal, rawlen, select, + tonumber, tostring, type, warn, rawget, rawset, error +table concat, insert, move, pack, remove, sort, unpack +string byte, char, dump, find, format, gmatch, gsub, len, lower, match, + pack, packsize, rep, reverse, sub, unpack, upper +math abs, acos, asin, atan, atan2, ceil, cos, cosh, deg, exp, floor, + fmod, frexp, ldexp, log, log10, max, min, modf, pow, rad, random, + randomseed, sin, sinh, sqrt, tan, tanh, tointeger, type, ult +utf8 offset, len, codes, char, codepoint +================== ================================================================= + +Of note, the following standard libraries are not available: + * coroutine -* io -* os -* collectgarbage -* dofile -* getmetatable -* loadfile -* load -* pcall -* setmetatable -* xpcall -* string.rep +* package +* input and output +* operating system facilities +* debug This behavior can be modified via the ``security.lua`` section of :ref:`suricata-yaml-lua-config` .. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now. 
-A comprehensive list of existing lua functions - with examples - can be found at :ref:`lua-functions` (some of them, however, -work only for the lua-output functionality). +A comprehensive list of existing lua functions - with examples - can +be found at :ref:`lua-functions` (some of them, however, work only for +the lua-output functionality).
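Review bot: in the first hunk (``@@ -15,7``), the replacement sentence drops an article and should read "an ``init`` function and a ``match`` function"; in prose, "two required functions" also reads better than "2 required functions". The added line about the sandbox is fine, but it would help to say "see :ref:`Sandbox and Available functions` below" (or the section's actual label) so readers of the Syntax section can jump straight to the restrictions.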
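Review bot: in the ``math`` row of the new table (second hunk), ``atan2``, ``cosh``, ``sinh``, ``tanh``, ``pow``, ``frexp``, ``ldexp`` and ``log10`` were deprecated in Lua 5.3 and are only registered when Lua is built with ``LUA_COMPAT_MATHLIB``; since the note directly below states that Suricata 8.0 has moved to Lua 5.4, either confirm these are really exported by the sandbox's allow list or drop them from the table so the documentation does not promise functions a stock Lua 5.4 build will not have. Two wording fixes in the same hunk: "a sandbox environment the applies" should be "that applies", and "lists the library and functions available" should be "lists the libraries and functions available". ``string.rep`` was explicitly in the removed blocked list and now appears as allowed under ``string``; a sentence noting that the memory allocation limit is what bounds it now would stop readers of the previous version wondering whether the change was intentional. Finally, the "not available" list names ``coroutine``, ``package`` and ``debug`` by their library names but describes ``io`` and ``os`` as "input and output" and "operating system facilities"; naming them ``io`` and ``os`` (optionally with the description in parentheses) keeps the list consistent and searchable.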