Task #7656 (closed)
fast.lua: update script to reflect library use
Description
fast.lua
    -- This is a simple example script to show what you can do with lua output scripts.
    -- It prints logs similar to the ones produced by the builtin fast.log output
    -- facility to stdout, hence its name.
    -- In the init() function we tell suricata that we want the log function to be
    -- called for every packet that produces an alert (see needs variable).
    -- Then in the log() function we get various information about this packet via
    -- SCRuleMsg() and all the other API functions and print them to stdout with print().
    -- To learn more about all the API functions suricata provides for your lua scripts
    -- and the lua output extension in general see:
    -- http://docs.suricata.io/en/latest/output/lua-output.html

    function init()
        local needs = {}
        needs["type"] = "packet"
        needs["filter"] = "alerts"
        return needs
    end

    function setup()
        alert_count = 0
    end

    function log()
        sid, rev, gid = SCRuleIds()
        msg = SCRuleMsg()
        class, priority = SCRuleClass()
        timestring = SCPacketTimeString()
        ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple()
        if class == nil then
            class = "unknown"
        end
        print(timestring .. " [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
              msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
              priority .. "] {" .. protocol .. "} " ..
              src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)
        alert_count = alert_count + 1
    end

    function deinit()
        -- msg is the global set by the last log() call
        print(msg)
        print("Alerted " .. alert_count .. " times")
    end
    suricata -c /etc/suricata/suricata.yaml -k none -r ~/pcap/testxxx.pcap -v

    Notice: suricata: This is Suricata version 8.0.0-beta1 RELEASE running in USER mode
    Info: cpu: CPUs/cores online: 4
    Info: suricata: Setting engine mode to IDS mode by default
    Info: exception-policy: master exception-policy set to: auto
    Info: logopenfile: fast output device (regular) initialized: fast.log
    Info: logopenfile: eve-log output device (regular) initialized: eve.json
    Info: logopenfile: stats output device (regular) initialized: stats.log
    Info: output-lua: enabling script fast.lua
    Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed, 0 rules skipped
    Info: threshold-config: Threshold config parsed: 0 rule(s) found
    Info: detect: 424 signatures processed. 0 are IP-only rules, 55 are inspecting packet payload, 369 inspect application layer, 0 are decoder event only
    Info: pcap: Starting file run for ~/pcap/testxxx.pcap
    Info: pcap: pcap file ~/pcap/testxxx.pcap end of file reached (pcap err code 0)
    Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1 Engine started.
    Notice: suricata: Signal Received. Stopping engine.
    Info: output-lua: failed to run script: /etc/suricata/rules/fast.lua:31: attempt to call a nil value (global 'SCPacketTimeString')
    Info: suricata: time elapsed 0.029s
    Notice: pcap: read 1 file, 9 packets, 1390 bytes
    testxxx
    Alerted 0 times
    Info: counters: Alerts: 1
If I comment out the code related to SCPacketTimeString, it will trigger an alarm: attempt to call a nil value (global 'SCFlowTuple')
Updated by Victor Julien 8 months ago
This is expected. These calls have been removed and replaced by the lua packet and flow libs. See #7488 and #7489.
See for example https://github.com/OISF/suricata-verify/blob/master/tests/lua/lua-packetlib-01/packet.lua
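For readers hitting the same error, here is the reporter's script rewritten against the Suricata 8 lua libraries. This is an added example, not the script from the issue or from the Suricata repository; the module names and methods (suricata.packet, suricata.rule, packet.get(), p:timestring_legacy(), p:tuple(), rule.get_rule(), r:sid(), r:gid(), r:rev(), r:msg(), r:class_description(), r:priority()) are assumed from the Suricata 8 lua library documentation and should be checked against it.

```lua
-- Assumed migration of the old SC*() helpers to the Suricata 8 lua libs.
-- Module and method names below are assumptions taken from the lua library
-- docs (docs.suricata.io), not from this issue; verify before deploying.
local packet = require("suricata.packet")
local rule = require("suricata.rule")

function init()
    local needs = {}
    needs["type"] = "packet"
    needs["filter"] = "alerts"
    return needs
end

function setup()
    alert_count = 0
end

function log()
    -- Replaces SCPacketTimeString() and SCFlowTuple(): both values now come
    -- from the packet object of the alerting packet.
    local p = packet.get()
    local timestring = p:timestring_legacy()
    local ip_version, src_ip, dst_ip, protocol, src_port, dst_port = p:tuple()

    -- Replaces SCRuleIds(), SCRuleMsg() and SCRuleClass(): read the rule that
    -- matched instead of calling the removed global helpers.
    local r = rule.get_rule()
    local class = r:class_description()
    if class == nil then
        class = "unknown"
    end

    print(timestring .. " [**] [" .. r:gid() .. ":" .. r:sid() .. ":" .. r:rev() .. "] " ..
          r:msg() .. " [**] [Classification: " .. class .. "] [Priority: " ..
          r:priority() .. "] {" .. protocol .. "} " ..
          src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)
    alert_count = alert_count + 1
end

function deinit()
    print("Alerted " .. alert_count .. " times")
end
```

The script is loaded the same way as before (an output-lua entry in suricata.yaml); the only change is where the packet, flow tuple and rule data are read from.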
Updated by jghs chha 8 months ago
Victor Julien wrote in #note-1:
This is expected. These calls have been removed and replaced by the lua packet and flow libs. See #7488 and #7489.
See for example https://github.com/OISF/suricata-verify/blob/master/tests/lua/lua-packetlib-01/packet.lua
OK, thanks for your reply. Maybe the docs and the fast.lua in the GitHub repo should also be updated!
Updated by Shivani Bhardwaj 8 months ago
- Tracker changed from Bug to Task
- Subject changed from suricata 8.0.0-beta1 SCPacketTimeString and SCFlowTuple attempt to call a nil value to fast.lua: update script to reflect library use
- Target version changed from TBD to 8.0.0-rc1
- Affected Versions deleted (8.0.0-beta1)
Updated by Jason Ish 7 months ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Jason Ish
Fixed, with merged PR: https://github.com/OISF/suricata/pull/13075