Suricata Advanced Lua Detection - HTTP anomaly detection using Lua scripting and ML dataset configuration
-- Suricata Advanced Detection with Lua Scripts
-- Location: /etc/suricata/lua/http-anomaly.lua
-- Purpose: Complex HTTP anomaly detection using Lua scripting
-- ============================================================================
-- HTTP Anomaly Detection Script
-- ============================================================================
--- Suricata `init` hook: declare which buffers this script needs.
-- Suricata calls this once when the script is loaded and reads the returned
-- table to decide what data to hand to `match`.
-- @param args table supplied by Suricata (not used here)
-- @treturn table buffer name -> "true" (Suricata expects the string form)
function init(args)
  -- The flag is passed as the string "true", hence tostring(true).
  return { ["http.request_headers"] = tostring(true) }
end
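--- Suricata `match` hook: score the request headers for anomaly indicators.
-- Two heuristics are combined: a "curl" substring anywhere in the request
-- headers, and the absence of an Accept header. Both must fire for an alert.
-- @param args table supplied by Suricata (not used here)
-- @treturn number 1 when the request is considered anomalous, else 0
function match(args)
  local headers = HttpGetRequestHeaders()
  if headers == nil then
    return 0
  end
  -- HTTP field names are case-insensitive (and HTTP/2 transmits them
  -- lower-cased), so a literal "Accept:" test would treat "accept: */*" as a
  -- missing header and raise a false positive. Compare on a lower-cased copy.
  local lowered = string.lower(headers)
  -- Check for multiple suspicious indicators
  local score = 0
  -- plain find (4th arg true): no Lua pattern magic characters are interpreted
  if string.find(lowered, "curl", 1, true) then
    score = score + 1
  end
  if not string.find(lowered, "accept:", 1, true) then
    score = score + 1
  end
  if score >= 2 then
    return 1
  end
  return 0
end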
-- ============================================================================
-- Usage in Suricata Rule
-- ============================================================================
-- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Anomalous Request Headers"; flow:to_server,established; luajit:lua/http-anomaly.lua; classtype:policy-violation; sid:1000040; rev:1;)
-- ============================================================================
-- Machine Learning Dataset Configuration - suricata.yaml
-- ============================================================================
-- datasets:
--   malicious-ips:
--     type: sha256
--     load: /etc/suricata/datasets/malicious-ips.txt
-- ============================================================================
-- Rule Using Dataset
-- ============================================================================
-- alert ip [!$HOME_NET] any -> $HOME_NET any (msg:"THREAT Known Malicious IP"; dataset:sha256-src, state /etc/suricata/datasets/malicious-ips.txt, type sha256, state malicious-ip-detected; classtype:trojan-activity; sid:1000050; rev:1;)