Suricata Lua: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 3: | Zeile 3: | ||
* '''vim /etc/suricata/lua-output/http.lua''' | * '''vim /etc/suricata/lua-output/http.lua''' | ||
| − | + | <syntaxhighlight lang="yaml"> | |
| − | + | local name = "http.log" | |
| − | + | ||
| − | + | function init (args) | |
| − | + | local needs = {} | |
| − | + | needs["protocol"] = "http" | |
| − | + | return needs | |
| − | + | end | |
| − | + | ||
| − | + | function setup (args) | |
| − | + | filename = SCLogPath() .. "/" .. name | |
| − | + | file = assert(io.open(filename, "a")) | |
| − | + | SCLogInfo("HTTP Log Filename " .. filename) | |
| − | + | http = 0 | |
| − | + | end | |
| − | + | ||
| − | + | function log(args) | |
| − | + | http_uri = HttpGetRequestUriRaw() | |
| − | + | if http_uri == nil then | |
| − | + | http_uri = "<unknown>" | |
| − | + | end | |
| − | + | ||
| − | + | http_uri = string.gsub(http_uri, "%c", ".") | |
| − | + | http_host = HttpGetRequestHost() | |
| − | + | if http_host == nil then | |
| − | + | http_host = "<hostname unknown>" | |
| − | + | end | |
| − | + | ||
| − | + | http_host = string.gsub(http_host, "%c", ".") | |
| − | + | http_ua = HttpGetRequestHeader("User-Agent") | |
| − | + | if http_ua == nil then | |
| − | + | http_ua = "<useragent unknown>" | |
| − | + | end | |
| − | + | ||
| − | + | http_ua = string.gsub(http_ua, "%g", ".") | |
| − | + | timestring = SCPacketTimeString() | |
| − | + | ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple() | |
| − | + | file:write (timestring .. " " .. http_host .. " [**] " .. http_uri .. " [**] " .. | |
| − | + | http_ua .. " [**] " .. src_ip .. ":" .. src_port .. " -> " .. | |
| − | + | dst_ip .. ":" .. dst_port .. "\n") | |
| − | + | file:flush() | |
| − | + | http = http + 1 | |
| − | + | end | |
| − | + | ||
| − | + | function deinit (args) | |
| − | + | SCLogInfo ("HTTP transactions logged: " .. http); | |
| − | + | file:close(file) | |
| + | end | ||
| + | </syntaxhighlight> | ||
* '''vim /etc/suricata/suricata.yaml''' | * '''vim /etc/suricata/suricata.yaml''' | ||
Version vom 19. September 2023, 19:51 Uhr
Beispiel
- vim /etc/suricata/lua-output/http.lua
local name = "http.log"
function init (args)
local needs = {}
needs["protocol"] = "http"
return needs
end
function setup (args)
filename = SCLogPath() .. "/" .. name
file = assert(io.open(filename, "a"))
SCLogInfo("HTTP Log Filename " .. filename)
http = 0
end
function log(args)
http_uri = HttpGetRequestUriRaw()
if http_uri == nil then
http_uri = "<unknown>"
end
http_uri = string.gsub(http_uri, "%c", ".")
http_host = HttpGetRequestHost()
if http_host == nil then
http_host = "<hostname unknown>"
end
http_host = string.gsub(http_host, "%c", ".")
http_ua = HttpGetRequestHeader("User-Agent")
if http_ua == nil then
http_ua = "<useragent unknown>"
end
http_ua = string.gsub(http_ua, "%g", ".")
timestring = SCPacketTimeString()
ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple()
file:write (timestring .. " " .. http_host .. " [**] " .. http_uri .. " [**] " ..
http_ua .. " [**] " .. src_ip .. ":" .. src_port .. " -> " ..
dst_ip .. ":" .. dst_port .. "\n")
file:flush()
http = http + 1
end
function deinit (args)
SCLogInfo ("HTTP transactions logged: " .. http);
file:close(file)
end
- vim /etc/suricata/suricata.yaml
outputs:
- lua:
enabled: yes
scripts-dir: /etc/suricata/lua-output/
scripts:
- tcp-data.lua
- flow.lua