Suricata Lua: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(4 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
 
= Beispiel =
 
= Beispiel =
  
 +
* Das folgende Skript loggt HTTP-Anfragen und schreibt sie in ''http.log''
 
* '''vim /etc/suricata/lua-output/http.lua'''
 
* '''vim /etc/suricata/lua-output/http.lua'''
  
local name = "http.log"
+
<syntaxhighlight lang="lua">
+
local name = "http.log"
function init (args)
 
    local needs = {}
 
    needs["protocol"] = "http"
 
    return needs
 
end
 
 
function setup (args)
 
    filename = SCLogPath() .. "/" .. name
 
    file = assert(io.open(filename, "a"))
 
    SCLogInfo("HTTP Log Filename " .. filename)
 
    http = 0
 
end
 
 
function log(args)
 
    http_uri = HttpGetRequestUriRaw()
 
    if http_uri == nil then
 
        http_uri = "<unknown>"
 
    end
 
 
    http_uri = string.gsub(http_uri, "%c", ".")
 
    http_host = HttpGetRequestHost()
 
    if http_host == nil then
 
        http_host = "<hostname unknown>"
 
    end
 
 
    http_host = string.gsub(http_host, "%c", ".")
 
    http_ua = HttpGetRequestHeader("User-Agent")
 
    if http_ua == nil then
 
        http_ua = "<useragent unknown>"
 
    end
 
 
    http_ua = string.gsub(http_ua, "%g", ".")
 
    timestring = SCPacketTimeString()
 
    ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple()
 
    file:write (timestring .. " " .. http_host .. " [**] " .. http_uri .. " [**] " ..
 
            http_ua .. " [**] " .. src_ip .. ":" .. src_port .. " -> " ..
 
            dst_ip .. ":" .. dst_port .. "\n")
 
    file:flush()
 
    http = http + 1
 
end
 
 
function deinit (args)
 
    SCLogInfo ("HTTP transactions logged: " .. http);
 
    file:close(file)
 
end
 
  
 +
function init (args)
 +
    local needs = {}
 +
    needs["protocol"] = "http"
 +
    return needs
 +
end
 +
 +
function setup (args)
 +
    filename = SCLogPath() .. "/" .. name
 +
    file = assert(io.open(filename, "a"))
 +
    SCLogInfo("HTTP Log Filename " .. filename)
 +
    http = 0
 +
end
 +
 +
function log(args)
 +
    http_uri = HttpGetRequestUriRaw()
 +
    if http_uri == nil then
 +
        http_uri = "<unknown>"
 +
    end
 +
 +
    http_uri = string.gsub(http_uri, "%c", ".")
 +
    http_host = HttpGetRequestHost()
 +
    if http_host == nil then
 +
        http_host = "<hostname unknown>"
 +
    end
 +
 +
    http_host = string.gsub(http_host, "%c", ".")
 +
    http_ua = HttpGetRequestHeader("User-Agent")
 +
    if http_ua == nil then
 +
        http_ua = "<useragent unknown>"
 +
    end
 +
 +
    http_ua = string.gsub(http_ua, "%g", ".")
 +
    timestring = SCPacketTimeString()
 +
    ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple()
 +
    file:write (timestring .. " " .. http_host .. " [**] " .. http_uri .. " [**] " ..
 +
          http_ua .. " [**] " .. src_ip .. ":" .. src_port .. " -> " ..
 +
          dst_ip .. ":" .. dst_port .. "\n")
 +
    file:flush()
 +
    http = http + 1
 +
end
 +
 +
function deinit (args)
 +
    SCLogInfo ("HTTP transactions logged: " .. http);
 +
    file:close(file)
 +
end
 +
</syntaxhighlight>
 +
 +
* Lua-Scripting in der Konfiguration aktivieren
 
* '''vim /etc/suricata/suricata.yaml'''
 
* '''vim /etc/suricata/suricata.yaml'''
  
 
<syntaxhighlight lang="yaml">
 
<syntaxhighlight lang="yaml">
 
outputs:
 
outputs:
 +
  ...
 
   - lua:
 
   - lua:
 
       enabled: yes
 
       enabled: yes
 
       scripts-dir: /etc/suricata/lua-output/
 
       scripts-dir: /etc/suricata/lua-output/
 
       scripts:
 
       scripts:
         - tcp-data.lua
+
         - http.lua
        - flow.lua
+
  ...
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
 +
* Suricata neustarten
 +
* '''systemctl restart suricata'''
 +
* bzw.
 +
* '''suricatasc -c shutdown'''
 +
* '''suricata -D --af-packet'''
 +
* '''tail -fn0 /var/log/suricata/http.log'''
 +
 +
= Links =
 +
 +
* https://docs.suricata.io/en/suricata-6.0.1/output/lua-output.html#lua-output

Aktuelle Version vom 19. September 2023, 19:57 Uhr

Beispiel

  • Das folgende Skript loggt HTTP-Anfragen und schreibt sie in http.log
  • vim /etc/suricata/lua-output/http.lua
local name = "http.log"

function init (args)
    local needs = {}
    needs["protocol"] = "http"
    return needs
end

function setup (args)
    filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
    SCLogInfo("HTTP Log Filename " .. filename)
    http = 0
end

function log(args)
    http_uri = HttpGetRequestUriRaw()
    if http_uri == nil then
        http_uri = "<unknown>"
    end

    http_uri = string.gsub(http_uri, "%c", ".")
    http_host = HttpGetRequestHost()
    if http_host == nil then
        http_host = "<hostname unknown>"
    end

    http_host = string.gsub(http_host, "%c", ".")
    http_ua = HttpGetRequestHeader("User-Agent")
    if http_ua == nil then
        http_ua = "<useragent unknown>"
    end

    http_ua = string.gsub(http_ua, "%g", ".")
    timestring = SCPacketTimeString()
    ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple()
    file:write (timestring .. " " .. http_host .. " [**] " .. http_uri .. " [**] " ..
           http_ua .. " [**] " .. src_ip .. ":" .. src_port .. " -> " ..
           dst_ip .. ":" .. dst_port .. "\n")
    file:flush()
    http = http + 1
end

function deinit (args)
    SCLogInfo ("HTTP transactions logged: " .. http);
    file:close(file)
end
  • Lua-Scripting in der Konfiguration aktivieren
  • vim /etc/suricata/suricata.yaml
outputs:
  ...
  - lua:
      enabled: yes
      scripts-dir: /etc/suricata/lua-output/
      scripts:
        - http.lua
  ...
  • Suricata neustarten
  • systemctl restart suricata
  • bzw.
  • suricatasc -c shutdown
  • suricata -D --af-packet
  • tail -fn0 /var/log/suricata/http.log

Links

Abgerufen von „http://wiki.ixheim.de/index.php?title=Suricata_Lua&oldid=49562