lua: fix fast.lua example

This one is a little different as it logs to a file, and is the same
fast.lua used in the new Suricata-Verify test.

Ticket: #7656
pull/13079/head
Jason Ish 7 months ago committed by Victor Julien
parent b99f254105
commit 13de319b01

@ -1,17 +1,24 @@
-- This is a simple example script to show what you can do with lua output scripts. -- This is a simple example script to show what you can do with lua
-- It prints logs similar to the ones produced by the builtin fast.log output -- output scripts.
-- facility to stdout, hence its name. --
-- It prints logs similar to the ones produced by the builtin fast.log
-- In the init() function we tell suricata, that we want the log function to be -- output facility to stdout, hence its name.
-- called for every packet that produces an alert (see needs variable) --
-- In the init() function we tell suricata, that we want the log
-- Then in the log() function we get various informations about this packet via -- function to be called for every packet that produces an alert (see
-- SCRuleMsg() and all the other API functions and print them to stdout with print() -- needs variable)
--
-- To learn more about all the API functions suricata provides for your lua scripts -- Then in the log() function we get various informations about this
-- and the lua output extension in general see: -- packet via the "suricata.packet" and "suricata.rule" library and
-- print them to a file.
--
-- To learn more about all the API functions suricata provides for
-- your lua scripts and the lua output extension in general see:
-- http://docs.suricata.io/en/latest/output/lua-output.html -- http://docs.suricata.io/en/latest/output/lua-output.html
local packet = require("suricata.packet")
local rule = require("suricata.rule")
function init() function init()
local needs = {} local needs = {}
needs["type"] = "packet" needs["type"] = "packet"
@ -20,29 +27,40 @@ function init()
end end
function setup() function setup()
filename = SCLogPath() .. "/fast.log"
file = assert(io.open(filename, "a"))
alert_count = 0 alert_count = 0
end end
function log() function log()
timestring = SCPacketTimeString() local p = packet.get()
sid, rev, gid = SCRuleIds() local s = rule.get_rule()
msg = SCRuleMsg()
class, priority = SCRuleClass() local timestring = p:timestring_legacy()
local sid = s:sid()
local rev = s:rev()
local gid = s:gid()
local msg = s:msg()
local class = s:class_description()
local priority = s:priority()
ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCPacketTuple() local ip_version, src_ip, dst_ip, protocol, src_port, dst_port = p:tuple()
if class == nil then if class == nil then
class = "unknown" class = "unknown"
end end
print (timestring .. " [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " .. local alert = (timestring .. " [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
msg .. " [**] [Classification: " .. class .. "] [Priority: " .. msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
priority .. "] {" .. protocol .. "} " .. priority .. "] {" .. protocol .. "} " ..
src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port) src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)
file:write(alert)
alert_count = alert_count + 1; alert_count = alert_count + 1;
end end
function deinit() function deinit()
file:close(file)
print ("Alerted " .. alert_count .. " times"); print ("Alerted " .. alert_count .. " times");
end end
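Review bot: `file:write(alert)` in log() drops the line terminator that the old `print(...)` call supplied, so every alert written to fast.log runs onto the same line; write `file:write(alert, "\n")` (or append `"\n"` to the concatenation), and consider a `file:flush()` after it so buffered alerts are not lost if the engine stops without reaching deinit(). In deinit(), `file:close(file)` passes the handle twice through the method-call sugar; `file:close()` is the intended call. `file` and `filename` in setup() are also assigned without `local` and so become globals of the script state, as `alert_count` already was; declaring `local file` at file scope next to the `require` lines keeps the handle script-private while still visible to log() and deinit().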
