Lua functions
=============
+Differences between `output` and `detect`:
+------------------------------------------
+
+Currently, the ``needs`` key initialization varies, depending on what is the goal of the script: output or detection.
+
+If the script is for detection, the ``needs`` initialization should be as seen in the example below (see :ref:`lua-scripting` for a complete example for a detect script):
+
+::
+
+ function init (args)
+ local needs = {}
+ needs["packet"] = tostring(true)
+ return needs
+ end
+
+For output logs, follow the pattern below. (The complete script structure can be seen at :ref:`lua-output`:)
+
+::
+
+ function init (args)
+ local needs = {}
+ needs["protocol"] = "http"
+ return needs
+ end
+
+
+Do notice that the functions and protocols available for ``log`` and ``match`` may also vary. DNP3, for instance, is not
+available for logging.
+
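Review bot: the new heading "Differences between `output` and `detect`:" should drop the trailing colon and use double backticks (``output``, ``detect``) to match ``needs``, ``log`` and ``match`` in the same hunk; single backticks are reST's default interpreted-text role, not a literal. In the closing paragraph "Do notice that" reads awkwardly, "Note that" is the usual phrasing, and "depending on what is the goal of the script" would read better as "depending on the script's goal". It would also help to state the difference the heading promises in one sentence, since the two snippets only show it: a detect script asks for a buffer (``needs["packet"] = tostring(true)``), an output script names a protocol (``needs["protocol"] = "http"``).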
packet
------
http
----
-Init with:
+For output, init with:
::
return needs
end
+For detection, use the specific buffer (cf :ref:`lua-detection` for a complete list), as with:
+
+::
+
+ function init (args)
+ local needs = {}
+ needs["http.uri"] = tostring(true)
+ return needs
+ end
+
HttpGetRequestBody and HttpGetResponseBody.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
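Review bot: in the http detection paragraph, "cf :ref:`lua-detection`" should be "cf. :ref:`lua-detection`" (or simply "see :ref:`lua-detection`"). The wording "For output, init with:" is also inconsistent with the TLS and JA3 hunks in this same patch, which say "For log output, initialize with:"; pick one form for all protocol sections.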
DNS
---
+If your purpose is to create a logging script, initialize the buffer as:
+
+::
+
+ function init (args)
+ local needs = {}
+ needs["protocol"] = "dns"
+ return needs
+ end
+
+If you are going to use the script for rule matching, choose one of the available DNS buffers listed in
+:ref:`lua-detection` and follow the pattern:
+
+::
+
+ function init (args)
+ local needs = {}
+ needs["dns.rrname"] = tostring(true)
+ return needs
+ end
+
DnsGetQueries
~~~~~~~~~~~~~
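Review bot: in the DNS section, "initialize the buffer as:" is imprecise, since the snippet initializes the ``needs`` table rather than a buffer; "initialize ``needs`` as:" matches the terminology used in the new ``output``/``detect`` section at the top of the file. The phrasing "If your purpose is to create a logging script" / "If you are going to use the script for rule matching" also differs from the "For output" / "For detection" pair used everywhere else in the patch; aligning it makes the sections easier to scan.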
TLS
---
-Initialize with:
+For log output, initialize with:
::
return needs
end
+For detection, initialization is as follows:
+
+::
+
+ function init (args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+ end
+
TlsGetVersion
~~~~~~~~~~~~~
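Review bot: the TLS detection snippet sets ``needs["tls"] = tostring(true)`` without saying why, whereas the http and DNS sections explain that a protocol buffer is picked from :ref:`lua-detection`; one sentence noting that ``tls`` is the key used for TLS-based rules (rather than a buffer such as ``http.uri``) would keep the three sections parallel. The identical init snippet is repeated verbatim in the JA3 hunk that follows; a short cross-reference ("initialize as for TLS above") would avoid carrying two copies of the same block.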
JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
-Initialize with:
+For log output, initialize with:
::
return needs
end
+For detection, initialization is as follows:
+
+::
+
+ function init (args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+ end
+
Ja3GetHash
~~~~~~~~~~
Get the JA3S hash (md5sum of JA3S string) through JA3SGetHash.
-Example:
+Examples:
::
end
end
+Or, for detection:
+
+::
+
+ function match (args)
+ hash = Ja3SGetHash()
+ if hash == nil then
+ return 0
+ end
+
+ // matching code
+
+ return 0
+ end
+
JA3SGetString
~~~~~~~~~~~~~
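Review bot: the placeholder comment in the Ja3SGetHash ``match`` example uses ``//``, which is not a Lua comment (in Lua 5.3 ``//`` is the floor-division operator, so the line is a syntax error if copied); it should be ``-- matching code``. Two smaller points in the same snippet: ``hash = Ja3SGetHash()`` assigns a global, so ``local hash = Ja3SGetHash()`` is the better example, and since every path currently returns 0 the placeholder should show the match convention, e.g. ``-- return 1 when the hash matches``. The context sentence above reads "JA3SGetHash" while the code calls ``Ja3SGetHash()``; worth aligning the casing while this section is being edited.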
Get the JA3S string through Ja3SGetString.
-Example:
+Examples:
::
end
end
+Or, for detection:
+
+::
+
+ function match (args)
+ str = Ja3SGetString()
+ if str == nil then
+ return 0
+ end
+
+ // matching code
+
+ return 0
+ end
+
SSH
---
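Review bot: the Ja3SGetString ``match`` example has the same ``//`` problem as the Ja3SGetHash hunk: ``// matching code`` is not valid Lua and should be ``-- matching code``; ``str`` should likewise be declared ``local``, and the placeholder should indicate that a match returns 1. The heading reads "JA3SGetString" while the prose and the code use ``Ja3SGetString``; pick one spelling.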
::
-
function init (args)
local needs = {}
needs["protocol"] = "ssh"
::
-
function log (args)
software = SshGetServerSoftwareVersion()
if software == nil then
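Review bot: the two ``-`` lines in the SSH section remove the blank line directly after ``::`` in the ``init`` and ``log`` examples. Every other literal block in this patch keeps a blank line there, and docutils needs the indented literal block separated from the ``::`` paragraph by a blank line for it to render as a literal block at all; unless another blank line survives that this view does not show, these two deletions should be reverted.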