upstream/suricata
1
0
Fork 0
mirror of https://github.com/OISF/suricata.git synced 2026-05-28 04:32:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

output-lua: rule info callback

Browse source 
SCRuleIds(): returns sid, rev, gid:

    function log(args)
        sid, rev, gid = SCRuleIds()

SCRuleMsg(): returns msg

    function log(args)
        msg = SCRuleMsg()

SCRuleClass(): returns class msg and prio:

    function log(args)
        class, prio = SCRuleClass()
        if class == nil then
            class = "unknown"
        end
This commit is contained in:
Victor Julien 2014-03-17 18:44:09 +01:00
parent d9efa7048a
commit b3dfd3cd8e
5 changed files with 124 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
lua/fast.lua
View file

@ -12,18 +12,14 @@ function setup (args)
end
function log(args)
sid = args['sid'];
rev = args['rev'];
gid = args['gid'];
msg = args['msg'];
srcip = args['srcip'];
dstip = args['dstip'];
sid, rev, gid = SCRuleIds()
ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
msg = SCRuleMsg()
class, prio = SCRuleClass()
if class == nil then
class = "unknown"
end
ts = args['ts'];
class = args['class'];
prio = args['priority'];
proto = args['ipproto'];
sp = args['sp'];
dp = args['dp'];
print (ts .. " [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
msg .. " [**] [Classification: " .. class .. "] [Priority: " ..

92
src/output-lua-common.c
View file

@ -253,6 +253,90 @@ static int LuaCallbackTupleFlow(lua_State *luastate)
return r;
}
/** \internal
* \brief fill lua stack with alert info
* \param luastate the lua state
* \param pa pointer to packet alert struct
* \retval cnt number of data items placed on the stack
*
* Places: sid (number), rev (number), gid (number)
*/
static int LuaCallbackRuleIdsPushToStackFromPacketAlert(lua_State *luastate, const PacketAlert *pa)
{
lua_pushnumber (luastate, pa->s->id);
lua_pushnumber (luastate, pa->s->rev);
lua_pushnumber (luastate, pa->s->gid);
return 3;
}
/** \internal
* \brief Wrapper for getting tuple info into a lua script
* \retval cnt number of items placed on the stack
*/
static int LuaCallbackRuleIds(lua_State *luastate)
{
const PacketAlert *pa = LuaStateGetPacketAlert(luastate);
if (pa == NULL)
return LuaCallbackError(luastate, "internal error: no packet");
return LuaCallbackRuleIdsPushToStackFromPacketAlert(luastate, pa);
}
/** \internal
* \brief fill lua stack with alert info
* \param luastate the lua state
* \param pa pointer to packet alert struct
* \retval cnt number of data items placed on the stack
*
* Places: msg (string)
*/
static int LuaCallbackRuleMsgPushToStackFromPacketAlert(lua_State *luastate, const PacketAlert *pa)
{
lua_pushstring (luastate, pa->s->msg);
return 1;
}
/** \internal
* \brief Wrapper for getting tuple info into a lua script
* \retval cnt number of items placed on the stack
*/
static int LuaCallbackRuleMsg(lua_State *luastate)
{
const PacketAlert *pa = LuaStateGetPacketAlert(luastate);
if (pa == NULL)
return LuaCallbackError(luastate, "internal error: no packet");
return LuaCallbackRuleMsgPushToStackFromPacketAlert(luastate, pa);
}
/** \internal
* \brief fill lua stack with alert info
* \param luastate the lua state
* \param pa pointer to packet alert struct
* \retval cnt number of data items placed on the stack
*
* Places: class (string), prio (number)
*/
static int LuaCallbackRuleClassPushToStackFromPacketAlert(lua_State *luastate, const PacketAlert *pa)
{
lua_pushstring (luastate, pa->s->class_msg);
lua_pushnumber (luastate, pa->s->prio);
return 2;
}
/** \internal
* \brief Wrapper for getting tuple info into a lua script
* \retval cnt number of items placed on the stack
*/
static int LuaCallbackRuleClass(lua_State *luastate)
{
const PacketAlert *pa = LuaStateGetPacketAlert(luastate);
if (pa == NULL)
return LuaCallbackError(luastate, "internal error: no packet");
return LuaCallbackRuleClassPushToStackFromPacketAlert(luastate, pa);
}
static int LuaCallbackLogPath(lua_State *luastate)
{
const char *ld = ConfigGetLogDirectory();
@ -327,6 +411,14 @@ int LogLuaRegisterFunctions(lua_State *luastate)
lua_setglobal(luastate, "SCLogWarning");
lua_pushcfunction(luastate, LuaCallbackLogError);
lua_setglobal(luastate, "SCLogError");
lua_pushcfunction(luastate, LuaCallbackRuleIds);
lua_setglobal(luastate, "SCRuleIds");
lua_pushcfunction(luastate, LuaCallbackRuleMsg);
lua_setglobal(luastate, "SCRuleMsg");
lua_pushcfunction(luastate, LuaCallbackRuleClass);
lua_setglobal(luastate, "SCRuleClass");
return 0;
}

25
src/output-lua.c
View file

@ -121,14 +121,7 @@ static int LuaPacketLoggerAlerts(ThreadVars *tv, void *thread_data, const Packet
char timebuf[64];
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
} else {
if (!(PKT_IS_IPV4(p)) && !(PKT_IS_IPV6(p))) {
/* decoder event */
goto not_supported;
}
@ -153,26 +146,12 @@ static int LuaPacketLoggerAlerts(ThreadVars *tv, void *thread_data, const Packet
LuaStateSetPacket(td->lua_ctx->luastate, (Packet *)p);
LuaStateSetFlow(td->lua_ctx->luastate, p->flow, /* unlocked */TRUE);
LuaStateSetPacketAlert(td->lua_ctx->luastate, (PacketAlert *)pa);
/* prepare data to pass to script */
lua_newtable(td->lua_ctx->luastate);
LogLuaPushTableKeyValueInt(td->lua_ctx->luastate, "sid", pa->s->id);
LogLuaPushTableKeyValueInt(td->lua_ctx->luastate, "gid", pa->s->gid);
LogLuaPushTableKeyValueInt(td->lua_ctx->luastate, "rev", pa->s->rev);
LogLuaPushTableKeyValueInt(td->lua_ctx->luastate, "priority", pa->s->prio);
if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) {
LogLuaPushTableKeyValueInt(td->lua_ctx->luastate, "sp", p->sp);
LogLuaPushTableKeyValueInt(td->lua_ctx->luastate, "dp", p->dp);
}
LogLuaPushTableKeyValueString(td->lua_ctx->luastate, "msg", pa->s->msg);
LogLuaPushTableKeyValueString(td->lua_ctx->luastate, "srcip", srcip);
LogLuaPushTableKeyValueString(td->lua_ctx->luastate, "dstip", dstip);
LogLuaPushTableKeyValueString(td->lua_ctx->luastate, "ts", timebuf);
LogLuaPushTableKeyValueString(td->lua_ctx->luastate, "ipproto", proto);
LogLuaPushTableKeyValueString(td->lua_ctx->luastate, "class", pa->s->class_msg);
int retval = lua_pcall(td->lua_ctx->luastate, 1, 0, 0);
if (retval != 0) {

19
src/util-lua.c
View file

@ -63,6 +63,9 @@ const char lua_ext_key_flow[] = "suricata:lua:flow:ptr";
/* key for flow lock hint bool */
const char lua_ext_key_flow_lock_hint[] = "suricata:lua:flow:lock_hint";
/* key for pa (packet alert) pointer */
const char lua_ext_key_pa[] = "suricata:lua:pkt:alert:ptr";
/** \brief get packet pointer from the lua state */
Packet *LuaStateGetPacket(lua_State *luastate)
{
@ -126,6 +129,22 @@ void LuaStateSetFlow(lua_State *luastate, Flow *f, int need_flow_lock)
lua_settable(luastate, LUA_REGISTRYINDEX);
}
/** \brief get packet alert pointer from the lua state */
PacketAlert *LuaStateGetPacketAlert(lua_State *luastate)
{
lua_pushlightuserdata(luastate, (void *)&lua_ext_key_pa);
lua_gettable(luastate, LUA_REGISTRYINDEX);
void *pa = lua_touserdata(luastate, -1);
return (PacketAlert *)pa;
}
void LuaStateSetPacketAlert(lua_State *luastate, PacketAlert *pa)
{
lua_pushlightuserdata(luastate, (void *)&lua_ext_key_pa);
lua_pushlightuserdata(luastate, (void *)pa);
lua_settable(luastate, LUA_REGISTRYINDEX);
}
/** \brief dump stack from lua state to screen */
void LuaPrintStack(lua_State *state) {
int size = lua_gettop(state);

4
src/util-lua.h
View file

@ -40,6 +40,8 @@ void *LuaStateGetTX(lua_State *luastate);
*/
Flow *LuaStateGetFlow(lua_State *luastate, int *lock_hint);
PacketAlert *LuaStateGetPacketAlert(lua_State *luastate);
/* sets */
void LuaStateSetPacket(lua_State *luastate, Packet *p);
@ -53,6 +55,8 @@ void LuaStateSetTX(lua_State *luastate, void *tx);
*/
void LuaStateSetFlow(lua_State *luastate, Flow *f, int need_flow_lock);
void LuaStateSetPacketAlert(lua_State *luastate, PacketAlert *pa);
void LuaPrintStack(lua_State *state);
#endif /* HAVE_LUA */