Lua output scripts for Suricata. Four independent scripts follow, each defining its own init/setup/log/deinit: a file-event logger, a per-flow logger, a fast.log-style alert writer, and an HTTP request-header counter backed by lsqlite3. Each one redefines the same four functions, so they have to be loaded as separate script files rather than as one.
-- Registration hook: declares this script as a 'file' type output, so that
-- log() below can read file details via SCFileInfo()/SCFileState().
function init (args)
  local requirements = { type = "file" }
  print("init() done")
  return requirements
end
-- Nothing needs preparing for this script; just announce that setup ran.
function setup (args)
  print("setup() done")
end
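-- Replace ASCII control characters (CR, LF, ESC, ...) in a wire-supplied
-- value so it cannot forge an extra log line or smuggle terminal escape
-- sequences to whoever views the log.  nil becomes `fallback`.
local function scrub(value, fallback)
  if value == nil then
    return fallback
  end
  return (tostring(value):gsub("%c", "?"))
end

-- Called once per file event.  Prints one line with the packet timestamp,
-- Host header, file name, User-Agent, libmagic description, MD5 and the
-- src:port -> dst:port pair.
-- The HTTP headers and the file name are attacker-controlled, so they are
-- scrubbed before being concatenated.  Any field Suricata did not provide
-- (no Host header, no magic, no MD5, ...) is printed as "<unknown>"; the
-- original only guarded User-Agent and MD5 and raised a nil-concatenation
-- error for the others, aborting the script on such events.
function log(args)
  local ts = SCPacketTimeString()
  local _ipv, srcip, dstip, _proto, sp, dp = SCFlowTuple()
  local http_host = scrub(HttpGetRequestHeader('Host'), "<unknown>")
  local ua = scrub(HttpGetRequestHeader('User-Agent'), "<unknown>")
  local _fileid, _txid, name, _size, magic, md5 = SCFileInfo()
  name = scrub(name, "<unknown>")
  magic = scrub(magic, "<unknown>")
  md5 = scrub(md5, "<unknown>")
  -- The normalized URI and file state were fetched by the original but never
  -- logged; they are no longer requested.
  print(ts .. " " .. http_host .. " [**] " .. name .. " [**] " .. ua ..
    " [**] " .. magic .. " [**] " .. md5 .. " [**] " .. srcip ..
    ":" .. sp .. " -> " .. dstip .. ":" .. dp)
end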
-- setup() acquired no resources, so there is nothing to release here.
function deinit (args)
  -- intentionally empty
end
-- Registration hook: ask for a log() call per packet.  log() below uses the
-- flow/packet timestamps to print each flow only once.
function init (args)
  local requirements = {}
  requirements.type = "packet"
  return requirements
end
-- No per-run state to prepare for the flow printer.
function setup (args)
  -- intentionally empty
end
-- Print the 5-tuple of a flow the first time it is seen.  "First time" is
-- approximated by comparing the flow start timestamp string with the
-- current packet's timestamp string: the first packet always matches, and
-- any later packet that happens to carry the identical timestamp string is
-- printed again.
function log(args)
  local flow_start = SCFlowTimeString()
  if SCPacketTimeString() ~= flow_start then
    return
  end
  local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
  local line = "Flow IPv" .. ipver .. " src " .. srcip .. " dst " .. dstip ..
    " proto " .. proto .. " sp " .. sp .. " dp " .. dp
  print(line)
end
-- Nothing was opened or allocated; no cleanup required.
function deinit (args)
  -- intentionally empty
end
-- simple fast-log to file lua module
-- Base name of the output file; setup() places it under SCLogPath().
-- Kept global because setup() reads it.
name = "fast_lua.log"
-- Registration hook: per-packet script, restricted to packets that raised
-- an alert (filter = "alerts"), so log() runs once per alert.
function init (args)
  local requirements = { type = "packet", filter = "alerts" }
  return requirements
end
-- Open the log file in append mode inside Suricata's log directory and reset
-- the alert counter.  `filename`, `file` and `alerts` are intentionally
-- global: log() and deinit() share them.  If the file cannot be opened,
-- assert() raises with the io.open error message.
function setup (args)
  filename = SCLogPath() .. "/" .. name
  local handle, err = io.open(filename, "a")
  file = assert(handle, err)
  print("Filename " .. filename)
  alerts = 0
end
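-- Called for every alert (needs.filter = "alerts").  Appends one
-- fast.log-style line to `file` and flushes it so the file is readable
-- while Suricata runs.  Decoder events carry no IP layer (ipver == 0); they
-- are skipped with a warning but still counted in `alerts`, as before.
function log(args)
  local ts = SCPacketTimeString()
  local sid, rev, gid = SCRuleIds()
  local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
  local msg = SCRuleMsg()
  local class, prio = SCRuleClass()
  -- class is nil for rules without a classtype; prio is guarded the same way
  -- so an absent priority cannot raise a nil-concatenation error and abort
  -- the script on that alert.
  if class == nil then
    class = "unknown"
  end
  if prio == nil then
    prio = "unknown"
  end
  if ipver > 0 then
    file:write(ts .. " [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
      msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
      prio .. "] {" .. proto .. "} " ..
      srcip .. ":" .. sp .. " -> " .. dstip .. ":" .. dp .. "\n")
    file:flush()
  else
    SCLogWarning("decoder events not yet supported")
  end
  alerts = alerts + 1
end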
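-- Report the alert count and close the log file.  The close is guarded so a
-- deinit() that runs after a failed setup() (file never opened) does not
-- raise; the handle is cleared afterwards to prevent a double close.
function deinit (args)
  SCLogInfo("Alerted " .. (alerts or 0) .. " times")
  if file ~= nil then
    file:close()
    file = nil
  end
end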
-- Registration hook: hook into the HTTP protocol parser so log() runs per
-- HTTP request.
function init (args)
  local requirements = { protocol = "http" }
  return requirements
end
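-- Load lsqlite3 and create an in-memory table that log() fills with one row
-- per request header name.  `sqlite3` and `db` are global on purpose: log()
-- and deinit() use them.  require() raises if the module is missing, so
-- there is no error string to capture on failure (the original's second
-- return value was never an error message).
function setup (args)
  sqlite3 = require("lsqlite3")
  db = sqlite3.open_memory()
  local rc = db:exec[[CREATE TABLE headers (id INTEGER PRIMARY KEY, header);]]
  -- exec() signals failure only through its return code; without this check
  -- a failed CREATE TABLE would go unnoticed here.
  if rc ~= sqlite3.OK then
    error("creating headers table failed: " .. db:errmsg())
  end
end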
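-- Called for every HTTP request.  Inserts each request header *name* into
-- the in-memory table; deinit() prints the per-name counts at shutdown.
-- Header names come straight from the client, so they are handed to SQLite
-- as a bound parameter and never concatenated into the SQL text.
function log(args)
  local headers = HttpGetRequestHeaders()
  -- Guard in case no header table is available for this request; the
  -- original would have raised inside pairs().
  if headers == nil then
    return
  end
  -- Prepare once per request and reuse the statement (the original prepared
  -- a fresh one for every header).  id is INTEGER PRIMARY KEY, so omitting
  -- it from the INSERT lets SQLite assign the rowid instead of relying on
  -- an undefined `NULL` global that happened to evaluate to nil.
  local stmt = db:prepare[[ INSERT INTO headers (header) VALUES (:header) ]]
  if stmt == nil then
    SCLogWarning("prepare failed: " .. db:errmsg())
    return
  end
  for header_name, _ in pairs(headers) do
    stmt:bind_names{ header = header_name }
    if stmt:step() ~= sqlite3.DONE then
      SCLogWarning("inserting header failed: " .. db:errmsg())
    end
    stmt:reset()
  end
  stmt:finalize()
end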
-- At shutdown, print how many requests carried each header name, one
-- "count<TAB>header" line per distinct name.
function deinit (args)
  local query = "SELECT header, COUNT(*) as count FROM headers GROUP BY header"
  print("Request Headers:")
  for row in db:nrows(query) do
    print(row.count, row.header)
  end
end