From: Jason Ish Date: Thu, 10 Apr 2025 22:49:37 +0000 (-0600) Subject: test: test a lua based fast.log X-Git-Tag: suricata-7.0.11~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2463%2Fhead;p=thirdparty%2Fsuricata-verify.git test: test a lua based fast.log
---
diff --git a/tests/lua/lua-fastlog/README.md b/tests/lua/lua-fastlog/README.md
new file mode 100644
index 000000000..df079ca7d
--- /dev/null
+++ b/tests/lua/lua-fastlog/README.md
@@ -0,0 +1 @@
+Test using Lua to replicate fast.log.
diff --git a/tests/lua/lua-fastlog/expected/fast.log b/tests/lua/lua-fastlog/expected/fast.log
new file mode 100644
index 000000000..8409dda1b
--- /dev/null
+++ b/tests/lua/lua-fastlog/expected/fast.log
@@ -0,0 +1 @@
+07/13/2016-22:42:07.573103 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {6} 82.165.177.154:80 -> 10.16.1.11:54186
\ No newline at end of file
diff --git a/tests/lua/lua-fastlog/fast.lua b/tests/lua/lua-fastlog/fast.lua
new file mode 100644
index 000000000..f72283ef0
--- /dev/null
+++ b/tests/lua/lua-fastlog/fast.lua
@@ -0,0 +1,66 @@
+-- This is a simple example script to show what you can do with lua
+-- output scripts.
+--
+-- It prints logs similar to the ones produced by the builtin fast.log
+-- output facility to stdout, hence its name.
+--
+-- In the init() function we tell suricata, that we want the log
+-- function to be called for every packet that produces an alert (see
+-- needs variable)
+--
+-- Then in the log() function we get various informations about this
+-- packet via the "suricata.packet" and "suricata.rule" library and
+-- print them to a file.
+--
+-- To learn more about all the API functions suricata provides for
+-- your lua scripts and the lua output extension in general see:
+-- http://docs.suricata.io/en/latest/output/lua-output.html
+
+local packet = require("suricata.packet")
+local rule = require("suricata.rule")
+
+function init()
+    local needs = {}
+    needs["type"] = "packet"
+    needs["filter"] = "alerts"
+    return needs
+end
+
+function setup()
+    filename = SCLogPath() .. "/fast.log"
+    file = assert(io.open(filename, "a"))
+    alert_count = 0
+end
+
+function log()
+    local p = packet.get()
+    local s = rule.get_rule()
+
+    local timestring = p:timestring_legacy()
+    local sid = s:sid()
+    local rev = s:rev()
+    local gid = s:gid()
+    local msg = s:msg()
+    local class = s:class_description()
+    local priority = s:priority()
+
+    local ip_version, src_ip, dst_ip, protocol, src_port, dst_port = p:tuple()
+
+    if class == nil then
+        class = "unknown"
+    end
+
+    local alert = (timestring .. " [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
+        msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
+        priority .. "] {" .. protocol .. "} " ..
+        src_ip .. ":" .. src_port .. " -> " .. dst_ip .. ":" .. dst_port)
+
+    file:write(alert)
+
+    alert_count = alert_count + 1;
+end
+
+function deinit()
+    file:close(file)
+    print ("Alerted " .. alert_count .. " times");
+end
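Review bot: `setup()` assigns `filename`, `file` and `alert_count` without `local`, so all three become globals in the script environment; the state that must survive between `setup()`, `log()` and `deinit()` should be module-level locals, e.g. `local file, alert_count` declared after the two `require` lines, with `local filename = SCLogPath() .. "/fast.log"` inside `setup()`, and `deinit()` should call `file:close()` rather than `file:close(file)`. `file:write(alert)` emits no trailing `"\n"`, so a pcap producing more than one alert would write a single run-on line instead of one record per line like the builtin fast.log; the expected/fast.log fixture was recorded without a newline and would need regenerating if that is changed. The header comment is also stale: it says the script prints to stdout "hence its name", while the code writes to `SCLogPath() .. "/fast.log"`, so `-- output facility to stdout, hence its name.` should say it writes a fast.log into the configured log directory. `ip_version` from `p:tuple()` is unused and could be `_`.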
diff --git a/tests/lua/lua-fastlog/suricata.yaml b/tests/lua/lua-fastlog/suricata.yaml
new file mode 100644
index 000000000..e7187615e
--- /dev/null
+++ b/tests/lua/lua-fastlog/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+    enabled: yes
+
+outputs:
+  - lua:
+    enabled: yes
+    scripts-dir: .
+    scripts:
+    - fast.lua
+  - eve-log:
+    enabled: yes
+    filetype: regular
+    filename: eve.json
+    types:
+    - alert:
diff --git a/tests/lua/lua-fastlog/test.rules b/tests/lua/lua-fastlog/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/lua/lua-fastlog/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/lua/lua-fastlog/test.yaml b/tests/lua/lua-fastlog/test.yaml
new file mode 100644
index 000000000..c5afcfa55
--- /dev/null
+++ b/tests/lua/lua-fastlog/test.yaml
@@ -0,0 +1,16 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+  features:
+  - HAVE_LUA
+  min-version: 8
+
+checks:
+  - filter:
+    count: 1
+    match:
+      event_type: alert
+  - file-compare:
+    # A check that compares two files
+    filename: fast.log
+    expected: expected/fast.log