--- /dev/null
+function init (args)
+ local needs = {}
+ needs["type"] = "streaming"
+ needs["protocol"] = "http"
+ return needs
+end
+
+function setup (args)
+ filepath = SCLogPath()
+end
+
+function log(args)
+ ts = SCFlowTimeString()
+ ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+ data, data_open, data_close = SCStreamingBuffer()
+ SCLogNotice("called with data_open " .. tostring(data_open) .. " data_close " .. tostring(data_close));
+ filename = filepath .. "/http-" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp
+
+ file_mode = "a"
+ if (data_open == true) then
+ file_mode = "w"
+ end
+
+ file = assert(io.open(filename, file_mode))
+ file:write (data)
+ file:flush()
+ file.close(file)
+end
+
+function deinit (args)
+end
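Review bot: Every variable assigned in setup and log — `filepath`, `ts`, `ipver`, `srcip`, `dstip`, `proto`, `sp`, `dp`, `data`, `data_open`, `data_close`, `filename`, `file_mode`, `file` — is written without `local`, so each becomes a global in the script environment and survives between calls; only `filepath` needs to outlive setup, and `ts` is never read at all. The same pattern appears in streaming-tcp.lua in the next hunk. `file.close(file)` on the last line of log is also inconsistent with the `file:write`/`file:flush` method calls just above it; `file:close()` reads the same way. Rewritten log body with the locals added and the unused `ts` dropped:
```lua
function log(args)
 local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
 local data, data_open, data_close = SCStreamingBuffer()
 -- … unchanged: SCLogNotice call …
 local filename = filepath .. "/http-" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp

 local file_mode = "a"
 -- … unchanged: data_open check …

 local file = assert(io.open(filename, file_mode))
 file:write (data)
 file:flush()
 file:close()
end
```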
--- /dev/null
+function init (args)
+ local needs = {}
+ needs["type"] = "streaming"
+ needs["filter"] = "tcp"
+ return needs
+end
+
+function setup (args)
+ filepath = SCLogPath()
+ alerts = 0
+end
+
+function log(args)
+ ts = SCFlowTimeString()
+ ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+ data, data_open, data_close = SCStreamingBuffer()
+ filename = filepath .. "/" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp
+
+ file_mode = "a"
+ if (data_open == true) then
+ file_mode = "w"
+ end
+
+ file = assert(io.open(filename, file_mode))
+ file:write (data)
+ file:flush()
+ file.close(file)
+end
+
+function deinit (args)
+end
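Review bot: `alerts = 0` in setup creates a global that nothing in this script reads, so either drop it or use the counter. Separately, with `needs["filter"] = "tcp"` the log callback runs for every TCP flow and opens one file per flow tuple with no cap on count or size, so a capture with many flows fills the log directory quickly; that is acceptable for the test pcap, but a short comment in setup would make the intent clear, e.g. `-- test fixture: writes one file per TCP flow with no limit; not meant for live traffic`. The unused `ts` and the missing `local` declarations noted on the streaming-http.lua hunk apply here as well.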
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - lua:
+ enabled: yes
+ scripts-dir: .
+ scripts:
+ - streaming-tcp.lua
+ - streaming-http.lua
+
+app-layer:
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 200kb
+ response-body-limit: 200kb
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 40kb
+ response-body-inspect-window: 16kb
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
--- /dev/null
+requires:
+ features:
+ - HAVE_LUA
+
+pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap
+
+checks:
+ - file-compare:
+ filename: 6-172.16.1.68-162.209.114.75-58384-80
+ expected: expected/6-172.16.1.68-162.209.114.75-58384-80
+ - file-compare:
+ filename: http-6-172.16.1.68-162.209.114.75-58384-80
+ expected: expected/http-6-172.16.1.68-162.209.114.75-58384-80