Forked from williamzujkowski/suricata-advanced-lua-detection.lua
Created
December 3, 2025 11:51
Suricata Advanced Lua Detection - HTTP anomaly detection using Lua scripting and ML dataset configuration
-- Suricata Advanced Detection with Lua Scripts
-- Location: /etc/suricata/lua/http-anomaly.lua
-- Purpose: Complex HTTP anomaly detection using Lua scripting
-- ============================================================================
-- HTTP Anomaly Detection Script
-- ============================================================================
--- Suricata init() entry point: declares which buffers this script reads.
-- Suricata expects the needs map to be string-valued, hence tostring(true).
-- @param args table supplied by Suricata (unused)
-- @treturn table the needs map
function init(args)
  local needs = { ["http.request_headers"] = tostring(true) }
  return needs
end
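-- Number of weak indicators that must coincide before the rule fires.
-- A single indicator (a curl user agent, a missing Accept header) is common
-- in legitimate traffic, so the script scores rather than alerts per check.
local ANOMALY_THRESHOLD = 2

--- Normalize the value returned by HttpGetRequestHeaders() into a lowercase
-- search blob plus a set of lowercase header names.
-- Suricata's Lua documentation shows HttpGetRequestHeaders() returning a
-- table of header name -> value; passing that table straight to
-- string.match raises an error. The raw-string form is accepted as well so
-- the script also works if the deployed build returns the raw buffer.
-- Names are lowercased because HTTP header names are case-insensitive.
-- @param headers table|string value returned by HttpGetRequestHeaders()
-- @treturn string lowercase concatenation of header names and values
-- @treturn table  set: lowercase header name -> true
local function normalize_headers(headers)
  local names, parts = {}, {}
  if type(headers) == "table" then
    for name, value in pairs(headers) do
      names[string.lower(tostring(name))] = true
      parts[#parts + 1] = tostring(name) .. ": " .. tostring(value)
    end
  else
    local raw = tostring(headers)
    -- Every header line starts with a "Name:" token; the leading "\n" lets
    -- the first line match the same pattern as the rest.
    for name in string.gmatch("\n" .. raw, "\n([%w%-_.]+)%s*:") do
      names[string.lower(name)] = true
    end
    parts[1] = raw
  end
  return string.lower(table.concat(parts, "\n")), names
end

--- Suricata match() entry point: flags a request whose headers carry at
-- least ANOMALY_THRESHOLD of the weak indicators checked below.
-- @param args table supplied by Suricata (unused)
-- @treturn number 1 to trigger the rule, 0 otherwise
function match(args)
  local headers = HttpGetRequestHeaders()
  if headers == nil then
    return 0
  end

  local blob, names = normalize_headers(headers)
  local score = 0

  -- Plain (non-pattern) search; the blob is already lowercased so
  -- "curl", "Curl" and "CURL" all count.
  if string.find(blob, "curl", 1, true) then
    score = score + 1
  end

  -- Browsers always send Accept; its absence is a weak tooling indicator.
  if not names["accept"] then
    score = score + 1
  end

  if score >= ANOMALY_THRESHOLD then
    return 1
  end
  return 0
end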
-- ============================================================================
-- Usage in Suricata Rule
-- ============================================================================
-- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Anomalous Request Headers"; flow:to_server,established; luajit:lua/http-anomaly.lua; classtype:policy-violation; sid:1000040; rev:1;)
-- NOTE(review): recent Suricata releases document this keyword as `lua`; confirm which
-- spelling the deployed version accepts, and that the script path resolves relative to the
-- rule file's directory as Suricata expects.
-- ============================================================================
-- Machine Learning Dataset Configuration - suricata.yaml
-- ============================================================================
-- datasets:
--   malicious-ips:
--     type: sha256
--     load: /etc/suricata/datasets/malicious-ips.txt
-- ============================================================================
-- Rule Using Dataset
-- ============================================================================
-- alert ip [!$HOME_NET] any -> $HOME_NET any (msg:"THREAT Known Malicious IP"; dataset:sha256-src, state /etc/suricata/datasets/malicious-ips.txt, type sha256, state malicious-ip-detected; classtype:trojan-activity; sid:1000050; rev:1;)
-- NOTE(review): the dataset keyword takes the form dataset:<isset|isnotset|set>,<name>,... and
-- is applied to a sticky buffer (e.g. ip.src for source addresses); the rule above as written is
-- unlikely to load, so validate it with `suricata -T` before deployment. A sha256 dataset type
-- matches the hash of the buffer contents rather than raw IP addresses - verify the dataset
-- type and file format against the datasets documentation for the deployed Suricata version.