Project

General

Profile

Download (1.88 KB)

Bug #3257 ยป http_audit_demo.lua

lua script demo - xu hui, 10/17/2019 02:11 PM

 
-- event_name
event_name = "http_audit"

-- event_type
event_type = "lua"

-- logs
name = "http_audit.txt"


-- defind function
function urlDecode(args)
s = string.gsub(args, "%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end)
return s
end

function string.split(s, p)
rt = {}
string.gsub(s, '[^'..p..']+', function(w) table.insert(rt, w) end )
return rt
end


-- default funtion
function init(args)
local needs = {}
needs["protocol"] = "http"
return needs
end

function setup(args)
filename = SCLogPath() .. "/" .. name
file = assert(io.open(filename, "a"))
SCLogInfo("HTTP Audit Log Filename " .. filename)
http = 0
end

function log(args)

-- http_hostname
http_host = HttpGetRequestHost()

if http_host == nil then
return
end

-- http_url
http_url = HttpGetRequestUriNormalized()

-- http_url_path
http_url_path = string.split(http_url, "?")[1]

-- http_method
rl = HttpGetRequestLine()
http_method = string.match(rl, "%w+")

-- http_status
rsl = HttpGetResponseLine()
status_code = string.match(rsl, "%s(%d+)%s")
http_status = tonumber(status_code)

-- http_protocol
http_protocol = string.match(rsl, "(.-)%s")

-- timestring = SCPacketTimeString() 2019-09-10T06:08:35.582449+0000
sec, usec = SCPacketTimestamp()
timestring = os.date("!%Y-%m-%dT%T", sec) .. "." .. usec .. "+0000"
-- flow_info
ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple()

-- flow_id
id = SCFlowId()
flow_id = string.format("%.0f", id)

file:write (timestring .. " " .. http_host .. " [**] " .. http_url .. " [**] " .. " [**] " .. src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port .. "\n")
file:flush()
http = http + 1
end

function deinit (args)
SCLogInfo ("HTTP transactions logged: " .. http);
file:close(file)
end
    (1-1/1)