mirror of https://github.com/OISF/suricata
Juliana Fajardini
7 months ago
committed by
Victor Julien
parent
9480272509
commit
cd69955d7f
@ -0,0 +1,148 @@
|
||||
Flow
|
||||
----
|
||||
|
||||
Flows are exposed to Lua scripts with the ``suricata.flow``
|
||||
library. To use it, the script must require it. For example::
|
||||
|
||||
local flow = require("suricata.flow")
|
||||
|
||||
Following are the functions currently available for acessing Flow details.
|
||||
|
||||
Initialization
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
``get``
|
||||
^^^^^^^
|
||||
|
||||
Init the flow for use in the script. The flow is the current one the engine is
|
||||
processing. ::
|
||||
|
||||
f = flow.get()
|
||||
|
||||
Time
|
||||
~~~~
|
||||
|
||||
``timestamps``
|
||||
^^^^^^^^^^^^^^
|
||||
|
||||
Get timestamps of the first and the last packets from the flow, as seconds and
|
||||
microseconds since `1970-01-01 00:00:00` UTC, returning 4 numbers::
|
||||
|
||||
f = flow.get()
|
||||
local start_sec, start_usec, last_sec, last_usec = f:timestamps()
|
||||
|
||||
``timestring_legacy``
|
||||
^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Get the timestamp of the first packet from the flow, as a string in the format:
|
||||
`11/24/2009-18:57:25.179869`. This is the format used by `fast.log`, `http.log`
|
||||
and other legacy outputs.
|
||||
|
||||
::
|
||||
|
||||
f = flow.get()
|
||||
print f:timestring_legacy()
|
||||
|
||||
``timestring_iso8601``
|
||||
^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Get the timestamp of the first packet from the flow, as a string in the format:
|
||||
`2015-10-06T15:16:43.136733+0000`. This is the format used by EVE outputs.
|
||||
|
||||
::
|
||||
|
||||
f = flow.get()
|
||||
print f:timestring_iso8601()
|
||||
|
||||
Ports and Addresses
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
``tuple``
|
||||
~~~~~~~~~
|
||||
|
||||
Using the `tuple` method, the IP version (4 or 6), src IP and dest IP (as
|
||||
string), IP protocol (int), and ports (ints) are retrieved.
|
||||
|
||||
The protocol value comes from the IP header. See further
|
||||
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml .
|
||||
|
||||
::
|
||||
|
||||
f = flow.get()
|
||||
ipver, srcip, dstip, proto, sp, dp = f:tuple()
|
||||
|
||||
App Layer Protocols
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
``app_layer_proto``
|
||||
^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Get `alproto` from the flow as a string. If an `alproto` is not (yet) known, it
|
||||
returns "unknown".
|
||||
|
||||
Returns 5 values: <alproto>, <alproto_ts>, <alproto_tc>, <alproto_orig>,
|
||||
<alproto_expect>.
|
||||
|
||||
Example::
|
||||
|
||||
f = flow.get()
|
||||
alproto, alproto_ts, alproto_tc, alproto_orig, alproto_expect = f:app_layer_proto()
|
||||
|
||||
`orig` and `expect` are used when changing and upgrading protocols. In an SMTP
|
||||
STARTTLS case, `orig` would normally be set to "smtp" and `expect` to "tls".
|
||||
|
||||
Misc
|
||||
~~~~
|
||||
|
||||
``has_alerts``
|
||||
^^^^^^^^^^^^^^
|
||||
|
||||
Returns `true` if the flow has alerts. ::
|
||||
|
||||
f = flow.get()
|
||||
alerted = f:has_alerts()
|
||||
|
||||
``id``
|
||||
^^^^^^
|
||||
|
||||
Get the flow id. Note that simply printing the ``id`` will likely result in
|
||||
printing a scientific notation. To avoid that, simply do::
|
||||
|
||||
f = flow.get()
|
||||
id = f:id()
|
||||
id_str = string.format("%.0f", id)
|
||||
print ("Flow ID: " .. id_str .."\n")
|
||||
|
||||
``stats``
|
||||
^^^^^^^^^
|
||||
|
||||
Get the packet and byte counts (for both directions), as 4 numbers, per flow.
|
||||
|
||||
::
|
||||
|
||||
f = flow.get()
|
||||
tscnt, tsbytes, tccnt, tcbytes = f:stats()
|
||||
|
||||
Example
|
||||
~~~~~~~
|
||||
|
||||
A simple ``log`` function for a script to output Flow details if the flow
|
||||
triggered an alert::
|
||||
|
||||
function log(args)
|
||||
local f = flow.get()
|
||||
ts = f:timestring_iso8601()
|
||||
has_alerts = f:has_alerts()
|
||||
ipver, srcip, dstip, proto, sp, dp = f:tuple()
|
||||
alproto, alproto_ts, alproto_tc, alproto_orig, alproto_expect = f:app_layer_proto()
|
||||
start_sec, start_usec, last_sec, last_usec = f:timestamps()
|
||||
id = f:id()
|
||||
|
||||
if has_alerts then
|
||||
file:write ("[**] Start time " .. ts .. " [**] -> alproto " .. alproto .. " [**] " .. proto .. " [**] alerted: true\n[**] First packet: " .. start_sec .." [**] Last packet: " .. last_sec .. " [**] Flow id: " .. id .. "\n")
|
||||
file:flush()
|
||||
end
|
||||
end
|
||||
|
||||
For complete scripts using these and other lua functions, the Suricata-verify
|
||||
can be a good resource: https://github.com/OISF/suricata-verify/tree/master/tests .
|
||||
Loading…
Reference in New Issue