QRDI supports the concept of a Lua function library shared by all QRDI detections. This allows customers to write Lua functions which can be referenced by JSON documents to implement certain parts of a detection, e.g. to calculate buffer content to be sent, or to implement custom parsing rules.
You’ll upload a Lua library file to the subscription which contains Lua function definitions. Then you can refer to the Lua functions in the JSON detection logic for any QRDI check. When you scan a QRDI check that uses Lua functions, and assuming the library is in Published state, we’ll send the library file to the scanner to execute the Lua code on the target host.
Qualys Cloud Platform account with Qualys Custom QRDI Checks enabled. Manager role is required to create and edit custom QRDI checks, and to upload the Lua library file and change the library status.
This user guide provides details on Custom QRDI Checks and Lua scripting: Custom Vulnerability Checks with QRDI
1) Go to VM/VMDR > KnowledgeBase > New > QRDI > QRDI LUA Library.
2) Click Choose File to browse and select the Lua library file (.lua or .txt) from your system.
3) Set the Library Status to Published to start using it. If you don’t want to use the library (perhaps you’re still working on it) set the status to Draft or Inactive.
4) Click Save.
Upon saving the file, the LUA Library Information screen appears where you can view details.
Feel free to close this window. You can return to it at any time by going to KnowledgeBase > New > QRDI > QRDI LUA Library. From here, you can take these actions:
Edit - Click Edit to upload a new/revised library file (remember, there can only be one Lua library file in the subscription at a time) or change the library status.
Download - Click Download to download the last saved library file, perhaps to make changes.
Delete - Click Delete to remove the Lua library file from the subscription.
The shared Lua library consists of a series of Lua function definitions, with each definition having the following format:
function qrdiuser_my_function_1 (ctx, additional_args)
    lua_function_body
end
Functions defined in the library must start with the prefix "qrdiuser_".
Each function that should be callable directly from a detection must have at least one argument to accept the current context.
Learn more in the Custom Vulnerability Checks with QRDI User Guide.
This is a sample of Lua functions that you'd include in the Lua library file.
function qrdiuser_post(ctx)
    -- returns a fixed request body; callable from a detection because it takes ctx
    return "s=sample_user"
end

function qrdiuser_dump()
    -- string.dump serializes a Lua function to bytecode (the result is unused here)
    local ss = string.dump(qrdiuser_select)
end

function qrdiuser_select (...)
    -- vararg handling: the number of arguments, and the arguments from the 2nd onward
    select ("#", ...)
    select (2, ...)
end

function qrdiuser_smb_create_v1_packet(ctx, hdr, words, bytes)
    -- SMB1 body layout: header .. WordCount (1 byte) .. each word as a
    -- little-endian uint16 .. ByteCount (little-endian uint16) .. bytes
    local numb, numw, str, _, v
    numb = #bytes
    numw = #words
    str = hdr .. string.char(numw)
    for _, v in ipairs(words) do
        str = str .. string.char(v % 256, v >> 8)   -- the >> operator needs Lua 5.3 or later
    end
    str = str .. string.char(numb % 256, numb >> 8) .. bytes
    return qrdiuser_smb_create_packet(ctx, str)    -- defined elsewhere in the library (not shown)
end

function qrdiuser_smb_create_v1_negotiate(ctx)
    --qrdisystem_is_tcp_port_open(ctx, 445)
    -- 32-byte SMB1 header with command 0x72 (SMB_COM_NEGOTIATE), no words,
    -- and the dialect list as the byte block
    return qrdiuser_smb_create_v1_packet(ctx,
        "\xffSMB\x72\x00\x00\x00\x00\x00\x03\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", {}, "\x02SMB 2.???\x00\x02SMB 2.002\x00\x02NT LM 0.12\x00")
end
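An added offline harness (not Qualys code, and not part of the page's sample library) that re-implements the encoding of qrdiuser_smb_create_v1_packet in Python and parses the result back, so the WordCount, ByteCount and dialect list of a packet can be checked before a library is published. It leaves out whatever framing the page's unshown qrdiuser_smb_create_packet adds, and the header bytes are constructed here to match the page's negotiate sample.

```python
import struct

# Constructed sample: the same 32-byte SMB1 NEGOTIATE header and dialect list the
# page's qrdiuser_smb_create_v1_negotiate hands to qrdiuser_smb_create_v1_packet.
SMB1_NEGOTIATE_HDR = b"\xffSMB\x72" + b"\x00" * 5 + b"\x03\x40" + b"\x00" * 20
SMB1_DIALECTS = b"\x02SMB 2.???\x00\x02SMB 2.002\x00\x02NT LM 0.12\x00"


def smb_create_v1_packet(hdr: bytes, words: list, data: bytes) -> bytes:
    """Python mirror of the page's Lua qrdiuser_smb_create_v1_packet:
    header .. WordCount (1 byte) .. WordCount x uint16 LE .. ByteCount (uint16 LE) .. data.
    Values that do not fit are rejected instead of failing inside string.char."""
    if len(hdr) != 32:
        raise ValueError("SMB1 header must be exactly 32 bytes")
    if len(words) > 0xFF or len(data) > 0xFFFF:
        raise ValueError("WordCount must fit in 1 byte and ByteCount in 2 bytes")
    if any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("every word must fit in a uint16")
    out = hdr + bytes([len(words)]) + b"".join(struct.pack("<H", w) for w in words)
    return out + struct.pack("<H", len(data)) + data


def smb_parse_v1_packet(pkt: bytes) -> dict:
    """Split an SMB1 packet into command, words and data, and verify that
    WordCount/ByteCount agree with the bytes actually present, so a truncated
    or malformed reply is an error rather than a partial match."""
    if len(pkt) < 35 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    wc = pkt[32]
    pos = 33 + 2 * wc
    if len(pkt) < pos + 2:
        raise ValueError("truncated parameter block")
    words = list(struct.unpack("<%dH" % wc, pkt[33:pos]))
    (bc,) = struct.unpack("<H", pkt[pos:pos + 2])
    data = pkt[pos + 2:]
    if len(data) != bc:
        raise ValueError("ByteCount %d but %d data bytes present" % (bc, len(data)))
    return {"command": pkt[4], "words": words, "data": data}


def negotiate_dialects(pkt: bytes) -> list:
    """Dialect names in an SMB1 NEGOTIATE (command 0x72) request: each entry is
    0x02 followed by a NUL-terminated ASCII string."""
    parsed = smb_parse_v1_packet(pkt)
    if parsed["command"] != 0x72:
        raise ValueError("not a NEGOTIATE request")
    entries = parsed["data"].split(b"\x00")
    return [e[1:].decode("ascii") for e in entries if e.startswith(b"\x02")]
```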
This is what you'd enter in the QRDI vulnerability check. Note that the Lua functions start with "qrdiuser_"; the function definitions live in the Lua library file, so every function named here (including qrdiuser_smb_check and qrdiuser_smb_process_packet, which the sample library above does not define) must be present in the uploaded library.
{
    "detection_type": "tcp dialog",
    "api_version": 1,
    "trigger_type": "service",
    "services": ["microsoft-ds"],
    "title": "test check 2",
    "dialog": [
        {
            "transaction": "send",
            "data": {"call": {"name": "qrdiuser_smb_create_v1_negotiate"}}
        },
        {
            "transaction": "receive",
            "mode": "call",
            "name": "qrdiuser_smb_check"
        },
        {
            "transaction": "process",
            "mode": "call",
            "name": "qrdiuser_smb_process_packet"
        },
        {
            "transaction": "report",
            "mode": "luapattern",
            "result": {"user": "result"}
        }
    ]
}