aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/github_actions/github/codeql-action-3.26.13
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '08b875c03b'
${ noResults }
suricata/doc/userguide/output/lua-output.rst

657 lines
11 KiB
ReStructuredText
Raw Blame History

Lua Output
==========
Note: this page new Lua scripting available for outputs. It will be
available in 2.1.
Script structure
----------------
A script defines 4 functions: init, setup, log, deinit
* init -- registers where the script hooks into the output engine
* setup -- does per output thread setup
* log -- logging function
* deinit -- clean up function
Example:
::
function init (args)
local needs = {}
needs["protocol"] = "http"
return needs
end
function setup (args)
filename = SCLogPath() .. "/" .. name
file = assert(io.open(filename, "a"))
SCLogInfo("HTTP Log Filename " .. filename)
http = 0
end
function log(args)
http_uri = HttpGetRequestUriRaw()
if http_uri == nil then
http_uri = "<unknown>"
end
http_uri = string.gsub(http_uri, "%c", ".")
http_host = HttpGetRequestHost()
if http_host == nil then
http_host = "<hostname unknown>"
end
http_host = string.gsub(http_host, "%c", ".")
http_ua = HttpGetRequestHeader("User-Agent")
if http_ua == nil then
http_ua = "<useragent unknown>"
end
http_ua = string.gsub(http_ua, "%g", ".")
ts = SCPacketTimeString()
ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
file:write (ts .. " " .. http_host .. " [**] " .. http_uri .. " [**] " ..
http_ua .. " [**] " .. srcip .. ":" .. sp .. " -> " ..
dstip .. ":" .. dp .. "\n")
file:flush()
http = http + 1
end
function deinit (args)
SCLogInfo ("HTTP transactions logged: " .. http);
file:close(file)
end
YAML
----
To enable the lua output, add the 'lua' output and add one or more
scripts like so:
::
outputs:
- lua:
enabled: yes
scripts-dir: /etc/suricata/lua-output/
scripts:
- tcp-data.lua
- flow.lua
The scripts-dir option is optional. It makes Suricata load the scripts
from this directory. Otherwise scripts will be loaded from the current
workdir.
packet
------
Initialize with:
::
function init (args)
local needs = {}
needs["type"] = "packet"
return needs
end
SCPacketTimeString
~~~~~~~~~~~~~~~~~~
Add SCPacketTimeString to get the packets time string in the format:
11/24/2009-18:57:25.179869
::
function log(args)
ts = SCPacketTimeString()
SCPacketTuple
~~~~~~~~~~~~~
::
ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
SCPacketPayload
~~~~~~~~~~~~~~~
::
p = SCPacketPayload()
flow
----
::
function init (args)
local needs = {}
needs["type"] = "flow"
return needs
end
SCFlowTimeString
~~~~~~~~~~~~~~~~
::
startts = SCFlowTimeString()
SCFlowTuple
~~~~~~~~~~~
::
ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
SCFlowAppLayerProto
~~~~~~~~~~~~~~~~~~~
Get alproto as string from the flow. If alproto is not (yet) known, it
returns "unknown".
Example:
::
function log(args)
alproto = SCFlowAppLayerProto()
if alproto ~= nil then
print (alproto)
end
end
SCFlowStats
~~~~~~~~~~~
Gets the packet and byte counts per flow.
::
tscnt, tsbytes, tccnt, tcbytes = SCFlowStats()
http
----
Init with:
::
function init (args)
local needs = {}
needs["protocol"] = "http"
return needs
end
HttpGetRequestBody and HttpGetResponseBody.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make normalized body data available to the script through
HttpGetRequestBody and HttpGetResponseBody.
There no guarantees that all of the body will be availble.
Example:
::
function log(args)
a, o, e = HttpGetResponseBody();
--print("offset " .. o .. " end " .. e)
for n, v in ipairs(a) do
print(v)
end
end
HttpGetRequestHost
~~~~~~~~~~~~~~~~~~
Get the host from libhtp's tx->request_hostname, which can either be
the host portion of the url or the host portion of the Host header.
Example:
::
http_host = HttpGetRequestHost()
if http_host == nil then
http_host = "<hostname unknown>"
end
HttpGetRequestHeader
~~~~~~~~~~~~~~~~~~~~
::
http_ua = HttpGetRequestHeader("User-Agent")
if http_ua == nil then
http_ua = "<useragent unknown>"
end
HttpGetResponseHeader
~~~~~~~~~~~~~~~~~~~~~
::
server = HttpGetResponseHeader("Server");
print ("Server: " .. server);
HttpGetRequestLine
~~~~~~~~~~~~~~~~~~
::
rl = HttpGetRequestLine();
print ("Request Line: " .. rl);
HttpGetResponseLine
~~~~~~~~~~~~~~~~~~~
::
rsl = HttpGetResponseLine();
print ("Response Line: " .. rsl);
HttpGetRawRequestHeaders
~~~~~~~~~~~~~~~~~~~~~~~~
::
rh = HttpGetRawRequestHeaders();
print ("Raw Request Headers: " .. rh);
HttpGetRawResponseHeaders
~~~~~~~~~~~~~~~~~~~~~~~~~
::
rh = HttpGetRawResponseHeaders();
print ("Raw Response Headers: " .. rh);
HttpGetRequestUriRaw
~~~~~~~~~~~~~~~~~~~~
::
http_uri = HttpGetRequestUriRaw()
if http_uri == nil then
http_uri = "<unknown>"
end
HttpGetRequestUriNormalized
~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
http_uri = HttpGetRequestUriNormalized()
if http_uri == nil then
http_uri = "<unknown>"
end
HttpGetRequestHeaders
~~~~~~~~~~~~~~~~~~~~~
::
a = HttpGetRequestHeaders();
for n, v in pairs(a) do
print(n,v)
end
HttpGetResponseHeaders
~~~~~~~~~~~~~~~~~~~~~~
::
a = HttpGetResponseHeaders();
for n, v in pairs(a) do
print(n,v)
end
DNS
---
DnsGetQueries
~~~~~~~~~~~~~
::
dns_query = DnsGetQueries();
if dns_query ~= nil then
for n, t in pairs(dns_query) do
rrname = t["rrname"]
rrtype = t["type"]
print ("QUERY: " .. ts .. " " .. rrname .. " [**] " .. rrtype .. " [**] " ..
"TODO" .. " [**] " .. srcip .. ":" .. sp .. " -> " ..
dstip .. ":" .. dp)
end
end
returns a table of tables
DnsGetAnswers
~~~~~~~~~~~~~
::
dns_answers = DnsGetAnswers();
if dns_answers ~= nil then
for n, t in pairs(dns_answers) do
rrname = t["rrname"]
rrtype = t["type"]
ttl = t["ttl"]
print ("ANSWER: " .. ts .. " " .. rrname .. " [**] " .. rrtype .. " [**] " ..
ttl .. " [**] " .. srcip .. ":" .. sp .. " -> " ..
dstip .. ":" .. dp)
end
end
returns a table of tables
DnsGetAuthorities
~~~~~~~~~~~~~~~~~
::
dns_auth = DnsGetAuthorities();
if dns_auth ~= nil then
for n, t in pairs(dns_auth) do
rrname = t["rrname"]
rrtype = t["type"]
ttl = t["ttl"]
print ("AUTHORITY: " .. ts .. " " .. rrname .. " [**] " .. rrtype .. " [**] " ..
ttl .. " [**] " .. srcip .. ":" .. sp .. " -> " ..
dstip .. ":" .. dp)
end
end
returns a table of tables
DnsGetRcode
~~~~~~~~~~~
::
rcode = DnsGetRcode();
if rcode == nil then
return 0
end
print (rcode)
returns a lua string with the error message, or nil
DnsGetRecursionDesired
~~~~~~~~~~~~~~~~~~~~~~
::
if DnsGetRecursionDesired() == true then
print ("RECURSION DESIRED")
end
returns a bool
TLS
---
Initialize with:
::
function init (args)
local needs = {}
needs["protocol"] = "tls"
return needs
end
TlsGetCertInfo
~~~~~~~~~~~~~~
Make certificate information available to the script through TlsGetCertInfo.
Example:
::
function log (args)
version, subject, issuer, fingerprint = TlsGetCertInfo()
if version == nil then
return 0
end
end
SSH
---
Initialize with:
::
function init (args)
local needs = {}
needs["protocol"] = "ssh"
return needs
end
SshGetServerProtoVersion
~~~~~~~~~~~~~~~~~~~~~~~~
Get SSH protocol version used by the server through SshGetServerProtoVersion.
Example:
::
function log (args)
version = SshGetServerProtoVersion()
if version == nil then
return 0
end
end
SshGetServerSoftwareVersion
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get SSH software used by the server through SshGetServerSoftwareVersion.
Example:
::
function log (args)
software = SshGetServerSoftwareVersion()
if software == nil then
return 0
end
end
SshGetClientProtoVersion
~~~~~~~~~~~~~~~~~~~~~~~~
Get SSH protocol version used by the client through SshGetClientProtoVersion.
Example:
::
function log (args)
version = SshGetClientProtoVersion()
if version == nil then
return 0
end
end
SshGetClientSoftwareVersion
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get SSH software used by the client through SshGetClientSoftwareVersion.
Example:
::
function log (args)
software = SshGetClientSoftwareVersion()
if software == nil then
return 0
end
end
Files
-----
To use the file logging API, the script's init() function needs to look like:
::
function init (args)
local needs = {}
needs['type'] = 'file'
return needs
end
SCFileInfo
~~~~~~~~~~
::
fileid, txid, name, size, magic, md5 = SCFileInfo()
returns fileid (number), txid (number), name (string), size (number),
magic (string), md5 in hex (string)
SCFileState
~~~~~~~~~~~
::
state, stored = SCFileState()
returns state (string), stored (bool)
Alerts
------
Alerts are a subset of the 'packet' logger:
::
function init (args)
local needs = {}
needs["type"] = "packet"
needs["filter"] = "alerts"
return needs
end
SCRuleIds
~~~~~~~~~
::
sid, rev, gid = SCRuleIds()
SCRuleMsg
~~~~~~~~~
::
msg = SCRuleMsg()
SCRuleClass
~~~~~~~~~~~
::
class, prio = SCRuleClass()
Streaming Data
--------------
Streaming data can currently log out reassembled TCP data and
normalized HTTP data. The script will be invoked for each consecutive
data chunk.
In case of TCP reassembled data, all possible overlaps are removed
according to the host OS settings.
::
function init (args)
local needs = {}
needs["type"] = "streaming"
needs["filter"] = "tcp"
return needs
end
In case of HTTP body data, the bodies are unzipped and dechunked if applicable.
::
function init (args)
local needs = {}
needs["type"] = "streaming"
needs["protocol"] = "http"
return needs
end
SCStreamingBuffer
~~~~~~~~~~~~~~~~~
::
function log(args)
data = SCStreamingBuffer()
hex_dump(data)
end
Misc
----
SCThreadInfo
~~~~~~~~~~~~
::
tid, tname, tgroup = SCThreadInfo()
It gives: tid (integer), tname (string), tgroup (string)
SCLogError, SCLogWarning, SCLogNotice, SCLogInfo, SCLogDebug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Print a message. It will go into the outputs defined in the
yaml. Whether it will be printed depends on the log level.
Example:
::
SCLogError("some error message")
SCLogPath
~~~~~~~~~
Expose the log path.
::
name = "fast_lua.log"
function setup (args)
filename = SCLogPath() .. "/" .. name
file = assert(io.open(filename, "a"))
end
Reference in New Issue View Git Blame Copy Permalink