Task #7656

open

fast.lua: update script to reflect library use

Added by jghs chha 9 days ago. Updated 9 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

fast.lua

-- This is a simple example script to show what you can do with lua output scripts.
-- It prints logs similar to the ones produced by the builtin fast.log output
-- facility to stdout, hence its name.

-- In the init() function we tell suricata, that we want the log function to be
-- called for every packet that produces an alert (see needs variable)

-- Then in the log() function we get various informations about this packet via
-- SCRuleMsg() and all the other API functions and print them to stdout with print()

-- To learn more about all the API functions suricata provides for your lua scripts
-- and the lua output extension in general see:
-- http://docs.suricata.io/en/latest/output/lua-output.html

function init()
    local needs     = {}
    needs["type"]   = "packet"
    needs["filter"] = "alerts"
    return needs
end

function setup()
    alert_count = 0
end

function log()

    sid, rev, gid   = SCRuleIds()
    msg             = SCRuleMsg()
    class, priority = SCRuleClass()
    timestring = SCPacketTimeString()
    ip_version, src_ip, dst_ip, protocol, src_port, dst_port = SCFlowTuple()

    if class == nil then
        class = "unknown"
    end

    print(timestring .. "  [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
          msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
          priority .. "] {" .. protocol .. "} " ..
          src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)

    alert_count = alert_count + 1
end

function deinit()
    print(msg)
    print("Alerted " .. alert_count .. " times")
end

suricata -c /etc/suricata/suricata.yaml -k none -r ~/pcap/testxxx.pcap -v

Notice: suricata: This is Suricata version 8.0.0-beta1 RELEASE running in USER mode
Info: cpu: CPUs/cores online: 4
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: output-lua: enabling script fast.lua
Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed, 0 rules skipped
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 424 signatures processed. 0 are IP-only rules, 55 are inspecting packet payload, 369 inspect application layer, 0 are decoder event only
Info: pcap: Starting file run for ~/pcap/testxxx.pcap
Info: pcap: pcap file ~/pcap/testxxx.pcap end of file reached (pcap err code 0)
Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1   Engine started.
Notice: suricata: Signal Received.  Stopping engine.
Info: output-lua: failed to run script: /etc/suricata/rules/fast.lua:31: attempt to call a nil value (global 'SCPacketTimeString')
Info: suricata: time elapsed 0.029s
Notice: pcap: read 1 file, 9 packets, 1390 bytes
testxxx
Alerted 0 times
Info: counters: Alerts: 1

If I comment out the code related to SCPacketTimeString, it will trigger an alarm: attempt to call a nil value (global 'SCFlowTuple')

#1

Updated by Victor Julien 9 days ago

This is expected. These calls have been removed and replaced by the lua packet and flow libs. See #7488 and #7489.

See for example https://github.com/OISF/suricata-verify/blob/master/tests/lua/lua-packetlib-01/packet.lua
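Added example, not the reporter's script and not Suricata's own fast.lua: the same fast.log-style line rewritten against the 8.0 lua packet library that the reply above refers to. The SCRuleIds/SCRuleMsg/SCRuleClass calls are kept, because the log in the description shows the script getting past them before failing on SCPacketTimeString. The names packet.get(), p:timestring_legacy() and p:tuple() are assumed from the 8.0 lua-functions documentation and the linked packet.lua test and should be checked against the docs for the release in use; for flow-type scripts the flow library (flow.get(), f:tuple()) is the equivalent.

```lua
-- Added example: fast.log-style output for Suricata 8.0 using the lua
-- packet library instead of the removed SCPacketTimeString()/SCFlowTuple().
-- Assumed API (verify against the 8.0 lua-functions docs):
--   packet.get()           -> packet object for the current packet
--   p:timestring_legacy()  -> timestamp in the classic fast.log format
--   p:tuple()              -> ipver, srcip, dstip, proto, sp, dp

function init(args)
    local needs = {}
    needs["type"]   = "packet"
    needs["filter"] = "alerts"
    return needs
end

function setup(args)
    alert_count = 0
end

function log(args)
    -- the rule accessors still work in 8.0.0-beta1 (see the log in the
    -- description: the script only fails at the SCPacketTimeString line)
    local sid, rev, gid   = SCRuleIds()
    local msg             = SCRuleMsg()
    local class, priority = SCRuleClass()
    if class == nil then
        class = "unknown"
    end

    -- replacement for SCPacketTimeString() and SCFlowTuple():
    -- fetch the packet object and ask it for the time string and 5-tuple
    local packet = require("suricata.packet")
    local p = packet.get()
    local timestring = p:timestring_legacy()
    local ip_version, src_ip, dst_ip, protocol, src_port, dst_port = p:tuple()

    print(timestring .. "  [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
          msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
          priority .. "] {" .. protocol .. "} " ..
          src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)

    alert_count = alert_count + 1
end

function deinit(args)
    print("Alerted " .. alert_count .. " times")
end
```

The require() call sits inside log(), matching the linked packet.lua test, so the script loads even if the library is not available at file scope; the lines it prints have the same layout as the builtin fast.log output, which makes it easy to diff the two when checking the port.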

#2

Updated by jghs chha 9 days ago

Victor Julien wrote in #note-1:

This is expected. These calls have been removed and replaced by the lua packet and flow libs. See #7488 and #7489.

See for example https://github.com/OISF/suricata-verify/blob/master/tests/lua/lua-packetlib-01/packet.lua

OK, thanks for your reply. Maybe the docs and the fast.lua in the GitHub repo should also be updated!

#3

Updated by Shivani Bhardwaj 9 days ago

  • Tracker changed from Bug to Task
  • Subject changed from suricata 8.0.0-beta1 SCPacketTimeString and SCFlowTuple attempt to call a nil value to fast.lua: update script to reflect library use
  • Target version changed from TBD to 8.0.0-rc1
  • Affected Versions deleted (8.0.0-beta1)