Created
November 3, 2025 19:43
williamzujkowski created this gist
Nov 3, 2025 .There are no files selected for viewing
@@ -0,0 +1,58 @@ -- Suricata Advanced Detection with Lua Scripts -- Location: /etc/suricata/lua/http-anomaly.lua -- Purpose: Complex HTTP anomaly detection using Lua scripting -- ============================================================================ -- HTTP Anomaly Detection Script -- ============================================================================ function init(args) local needs = {} needs["http.request_headers"] = tostring(true) return needs end function match(args) local headers = HttpGetRequestHeaders() if headers == nil then return 0 end -- Check for multiple suspicious indicators local score = 0 if string.match(headers, "curl") then score = score + 1 end if not string.match(headers, "Accept:") then score = score + 1 end if score >= 2 then return 1 end return 0 end -- ============================================================================ -- Usage in Suricata Rule -- ============================================================================ -- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Anomalous Request Headers"; flow:to_server,established; luajit:lua/http-anomaly.lua; classtype:policy-violation; sid:1000040; rev:1;) -- ============================================================================ -- Machine Learning Dataset Configuration - suricata.yaml -- ============================================================================ -- datasets: -- malicious-ips: -- type: sha256 -- load: /etc/suricata/datasets/malicious-ips.txt -- ============================================================================ -- Rule Using Dataset -- ============================================================================ -- alert ip [!$HOME_NET] any -> $HOME_NET any (msg:"THREAT Known Malicious IP"; dataset:sha256-src, state /etc/suricata/datasets/malicious-ips.txt, type sha256, state malicious-ip-detected; classtype:trojan-activity; sid:1000050; rev:1;)
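Review bot: `string.match(headers, "curl")` inside match() will raise a Lua error instead of scoring, because the Suricata Lua API documents HttpGetRequestHeaders() as returning a table keyed by header name rather than a string, and the `not string.match(headers, "Accept:")` test likewise can never see a literal `Accept:` token. The practical effect is that the rule silently never fires, which is a detection gap rather than a noisy one. Iterate the returned table instead, comparing header names case-insensitively and looking for the literal "curl" in values with a plain find; the rewritten match() is below, and the "curl" indicator itself is a weak, easily spoofed signal, so the header comments should say this rule is a low-confidence anomaly hint. Separately, the dataset example in the trailing comments appears to describe an IP list with `type: sha256` and a `dataset:sha256-src, ...` form that does not look like the documented `dataset:isset,<name>,type <type>,load <path>` syntax — worth re-checking against the target Suricata version before copying it into a ruleset.
```lua
function match(args)
    local headers = HttpGetRequestHeaders()
    if headers == nil then
        return 0
    end
    -- headers is a name -> value table; count each indicator at most once
    local saw_curl = false
    local saw_accept = false
    for name, value in pairs(headers) do
        -- plain (non-pattern) find so the literal string is matched as-is
        if string.find(tostring(value), "curl", 1, true) then
            saw_curl = true
        end
        if string.lower(tostring(name)) == "accept" then
            saw_accept = true
        end
    end
    local score = 0
    if saw_curl then
        score = score + 1
    end
    if not saw_accept then
        score = score + 1
    end
    if score >= 2 then
        return 1
    end
    return 0
end
```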