For tests that used SCFlow functions but are min-version: 8.
Add a few more tests to cover other functions.
Task #7489
local dataset = require "suricata.dataset"
+local flow = require("suricata.flow")
function init (args)
local needs = {}
end
function match (args)
- ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+ local f = flow.get()
+ ipver, srcip, dstip, proto, sp, dp = f:tuple()
str = ipver .. ":<" .. srcip .. ">:<" .. dstip .. ">:" .. dp
ret, err = conn_new:add(str, #str);
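Review bot: The six values assigned from `f:tuple()` at L12 are globals, while `f` on the line above was made `local`; the same mix appears at L22, L57, L141, L204, L251, L262, L273, L293 and L329, and at L202, L250, L261, L272, L291 and L327 `f` itself is left global as well. Since the migration already rewrites each of these lines, declaring them `local f = flow.get()` and `local ipver, srcip, dstip, proto, sp, dp = f:tuple()` would make the new code consistent across the commit and keep luacheck quiet. The enclosing `match` function ends outside this hunk.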
+local flow = require("suricata.flow")
local dataset = require("suricata.dataset")
local dns = require("suricata.dns")
end
function match (args)
- ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+ local f = flow.get()
+ ipver, srcip, dstip, proto, sp, dp = f:tuple()
local tx = dns.get_tx()
query = tx:rrname()
if query == nil then
--- /dev/null
+Test Lua flow lib functions
--- /dev/null
+alert http any any -> any any (msg:"HTTP GET"; http.method; content:"GET"; sid:1;)
--- /dev/null
+[**] Start time 2015-10-06T15:16:43.136335+0000 [**] -> alproto http [**] 6 [**] alerted: true
+[**] First packet: 1444144603.0 [**] Last packet: 136335.0
--- /dev/null
+-- simple output test for some lua flow lib functions
+name = "flow_http_lua.log"
+
+local flow = require("suricata.flow")
+
+function init (args)
+ local needs = {}
+ needs["type"] = "flow"
+ needs["protocol"] = "http"
+ return needs
+end
+
+function setup (args)
+ filename = SCLogPath() .. "/" .. name
+ file = assert(io.open(filename, "a"))
+ SCLogInfo("Log Filename " .. filename)
+ http = 0
+end
+
+function log(args)
+ local f = flow.get()
+ ts = f:timestring_iso8601()
+ has_alerts = f:has_alerts()
+ ipver, srcip, dstip, proto, sp, dp = f:tuple()
+ alproto, alproto_ts, alproto_tc, alproto_orig, alproto_expect = f:app_layer_proto()
+ start_sec, start_usec, last_sec, last_usec = f:timestamps()
+ id = f:id()
+ id_str = string.format("%.0f", id)
+
+ if has_alerts then
+ file:write ("[**] Start time " .. ts .. " [**] -> alproto " .. alproto .. " [**] " .. proto .. " [**] alerted: true\n[**] First packet: " .. start_sec .." [**] Last packet: " .. last_sec .. "\n")
+ file:flush()
+ end
+end
+
+function deinit (args)
+ SCLogInfo ("HTTP logged: " .. http);
+ file:close(file)
+end
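Review bot: The expected output this script is compared against (L32) records `Last packet: 136335.0`, which equals the microsecond field of the start time on the same line rather than an epoch-seconds value, so the variable order in `start_sec, start_usec, last_sec, last_usec = f:timestamps()` at L59 appears not to match what `timestamps()` actually returns; confirm the lib's return order before freezing this expected file, otherwise the test pins a misnamed value. `http` is set to 0 in `setup` and never incremented, so `deinit` always logs `HTTP logged: 0`; either add `http = http + 1` inside the `if has_alerts` branch or drop the counter. `id_str` at L61 is computed but never written, so `f:id()` is exercised but its value is not checked by the expected file. `file:close(file)` at L71 (also L148 and L212) passes the handle twice; the method form is `file:close()`.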
--- /dev/null
+%YAML 1.1
+---
+
+include: ../lua-output-http/default.yaml
+
+outputs:
+ - lua:
+ enabled: yes
+ scripts-dir: .
+ scripts:
+ - lua-flowfunctions.lua
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - http
+ - flow
--- /dev/null
+pcap: ../lua-output-http/input.pcap
+
+requires:
+ features:
+ - HAVE_LUA
+ min-version: 8
+
+checks:
+ - file-compare:
+ filename: flow_http_lua.log
+ expected: expected/flow_http_lua.log
+ - filter:
+ count: 1
+ match:
+ event_type: alert
--- /dev/null
+Tests lua flow suricata lib flow stats output.
--- /dev/null
+[**] 10/06/2015-15:16:43.136335
+SCFlowStats is
+Packet count to server: 6
+Byte count to server: 504
+Packet count to client: 4
+Byte count to client: 635
+[**]
\ No newline at end of file
--- /dev/null
+-- fast.log style output test for suricata.flow lua lib
+name = "lua-scflowstats.log"
+
+local flow = require("suricata.flow")
+
+function init(args)
+ local needs = {}
+ needs["type"] = "flow"
+ return needs
+end
+
+function setup(args)
+ filename = SCLogPath() .. "/" .. name
+ file = assert(io.open(filename, "a"))
+ SCLogInfo("lua SCFlowStats Log Filename " .. filename)
+end
+
+function log(args)
+ local f = flow.get()
+ timestring = f:timestring_legacy()
+ tscnt, tsbytes, tccnt, tcbytes = f:stats()
+
+ file:write ("[**] " .. timestring .. "\nSCFlowStats is\nPacket count to server: " .. tscnt .. "\nByte count to server: " .. tsbytes .. "\nPacket count to client: " .. tccnt .. "\nByte count to client: " .. tcbytes .. "\n[**]")
+ file:flush()
+end
+
+function deinit(args)
+ file:close(file)
+end
--- /dev/null
+%YAML 1.1
+---
+
+include: ../lua-output-http/default.yaml
+
+outputs:
+ - lua:
+ enabled: yes
+ scripts-dir: .
+ scripts:
+ - lua-scflowstats.lua
--- /dev/null
+pcap: ../lua-output-http/input.pcap
+
+requires:
+ features:
+ - HAVE_LUA
+ min-version: 8
+
+checks:
+ - file-compare:
+ # A check that compares two files
+ filename: lua-scflowstats.log
+ expected: expected/lua-scflowstats.log
--- /dev/null
+Tests Lua's SCFlowTuple output.
--- /dev/null
+{2018-08-12T17:30:41.693796+0000 [**]
+SCFlowTuple is
+IP Version: 4
+Src: 10.9.0.2:58038 -> Dst: 139.162.123.134:80 [**] Protocol: http2(6) alproto_orig: http alproto_expect: http2}
--- /dev/null
+-- simple SCFlowTuple log test
+local flow = require("suricata.flow")
+
+name = "scflow-tuple.log"
+
+function init(args)
+ local needs = {}
+ needs["type"] = "flow"
+ return needs
+end
+
+
+function setup(args)
+ filename = SCLogPath() .. "/" .. name
+ file = assert(io.open(filename, "a"))
+ SCLogNotice("lua SCFlowTuple Log Filename " .. filename)
+end
+
+function log(args)
+ f = flow.get()
+ startts = f:timestring_iso8601()
+ ipver, srcip, dstip, proto, sp, dp = f:tuple()
+ alproto, alproto_ts, alproto_tc, alproto_orig, alproto_expect = f:app_layer_proto()
+
+ file:write ("{" .. startts .. " [**]\nSCFlowTuple is\nIP Version: " .. ipver .. "\nSrc: " .. srcip .. ":" .. sp .. " -> Dst: " .. dstip .. ":" .. dp .. " [**] Protocol: " .. alproto .. "(" .. proto .. ")" .. " alproto_orig: " .. alproto_orig .. " alproto_expect: " .. alproto_expect .. "}\n")
+ file:flush()
+end
+
+function deinit(args)
+ file:close(file)
+end
--- /dev/null
+%YAML 1.1
+---
+
+include: ../lua-output-http/default.yaml
+
+outputs:
+ - lua:
+ enabled: yes
+ scripts-dir: .
+ scripts:
+ - scflowtuple.lua
+
--- /dev/null
+pcap: ../http2-keywords2/input.pcap
+
+args:
+- -k none --set stream.midstream=true
+
+requires:
+ features:
+ - HAVE_LUA
+ min-version: 8
+
+checks:
+ - file-compare:
+ # A check that compares two files
+ filename: scflow-tuple.log
+ expected: expected/scflow-tuple.log
+local flow = require("suricata.flow")
local packet = require "suricata.packet"
local dns = require "suricata.dns"
function log(args)
p = packet.get()
ts = p:timestring_legacy()
- ip_ver, src_ip, dst_ip, proto, sp, dp = SCFlowTuple()
+ f = flow.get()
+ ip_ver, src_ip, dst_ip, proto, sp, dp = f:tuple()
local tx = dns.get_tx()
tx_id = tx:txid()
-- simple fast-log to file lua module
+local flow = require("suricata.flow")
local packet = require "suricata.packet"
name = "http_lua.log"
p = packet.get()
ts = p:timestring_iso8601()
- ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+ f = flow.get()
+ ipver, srcip, dstip, proto, sp, dp = f:tuple()
file:write (ts .. " " .. http_host .. " [**] " .. http_uri .. " [**] " ..
http_ua .. " [**] " .. srcip .. ":" .. math.floor(sp) .. " -> " ..
-- simple fast-log to file lua module
local packet = require "suricata.packet"
+local flow = require("suricata.flow")
name = "http_lua.log"
p = packet.get()
ts = p:timestring_legacy()
- ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+ f = flow.get()
+ ipver, srcip, dstip, proto, sp, dp = f:tuple()
file:write (ts .. " " .. http_host .. " [**] " .. http_uri .. " [**] " ..
http_ua .. " [**] " .. srcip .. ":" .. math.floor(sp) .. " -> " ..
--- /dev/null
+local flow = require "suricata.flow"
+
+function init (args)
+ local needs = {}
+ needs["type"] = "streaming"
+ needs["protocol"] = "http"
+ return needs
+end
+
+function setup (args)
+ filepath = SCLogPath()
+end
+
+function log(args)
+ f = flow.get()
+ ts = f:timestring_legacy()
+ ipver, srcip, dstip, proto, sp, dp = f:tuple()
+ data, data_open, data_close = SCStreamingBuffer()
+ SCLogNotice("called with data_open " .. tostring(data_open) .. " data_close " .. tostring(data_close));
+ filename = filepath .. "/http-" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp
+
+ file_mode = "a"
+ if (data_open == true) then
+ file_mode = "w"
+ end
+
+ file = assert(io.open(filename, file_mode))
+ file:write (data)
+ file:flush()
+ file.close(file)
+end
+
+function deinit (args)
+end
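Review bot: `if (data_open == true) then` at L299 (and L334 in streaming-tcp.lua) compares a boolean to `true` inside parentheses; the Lua idiom is `if data_open then`, which reads the same and drops the redundant comparison. Whether `data_open` can be anything other than a boolean is not visible here, so if a non-boolean truthy value is possible the explicit comparison should stay.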
--- /dev/null
+local flow = require("suricata.flow")
+
+function init (args)
+ local needs = {}
+ needs["type"] = "streaming"
+ needs["filter"] = "tcp"
+ return needs
+end
+
+function setup (args)
+ filepath = SCLogPath()
+ alerts = 0
+end
+
+function log(args)
+ f = flow.get()
+ ts = f:timestring_legacy()
+ ipver, srcip, dstip, proto, sp, dp = f:tuple()
+ data, data_open, data_close = SCStreamingBuffer()
+ filename = filepath .. "/" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp
+
+ file_mode = "a"
+ if (data_open == true) then
+ file_mode = "w"
+ end
+
+ file = assert(io.open(filename, file_mode))
+ file:write (data)
+ file:flush()
+ file.close(file)
+end
+
+function deinit (args)
+end
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - lua:
+ enabled: yes
+ scripts-dir: .
+ scripts:
+ - streaming-tcp.lua
+ - streaming-http.lua
+
+app-layer:
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 200kb
+ response-body-limit: 200kb
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 40kb
+ response-body-inspect-window: 16kb
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
--- /dev/null
+requires:
+ features:
+ - HAVE_LUA
+ min-version: 8
+
+pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap
+
+checks:
+ - file-compare:
+ filename: 6-172.16.1.68-162.209.114.75-58384-80
+ expected: expected/6-172.16.1.68-162.209.114.75-58384-80
+ - file-compare:
+ filename: http-6-172.16.1.68-162.209.114.75-58384-80
+ expected: expected/http-6-172.16.1.68-162.209.114.75-58384-80