Created
December 12, 2014 09:25
-
-
Save mpurzynski/d11dae47ac15f88fca76 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local cjson = require "cjson" | |
| -- local dt = require "date_time" | |
| -- { | |
| -- "timestamp": "2009-11-24T21:27:09.534255", | |
| -- "event_type": "alert", | |
| -- "src_ip": "192.168.2.7", | |
| -- "src_port": 1041, | |
| -- "dest_ip": "x.x.250.50", | |
| -- "dest_port": 80, | |
| -- "proto": "TCP", | |
| -- "alert": { | |
| -- "action": "allowed", | |
| -- "gid": 1, | |
| -- "signature_id" :2001999, | |
| -- "rev": 9, | |
| -- "signature": "ET MALWARE BTGrab.com Spyware Downloading Ads", | |
| -- "category": "A Network Trojan was detected", | |
| -- "severity": 1 | |
| -- } | |
| -- } | |
| local msg = { | |
| Type = "suricata_event_log", | |
| Logger = "nsm", | |
| Payload = nil, | |
| Fields = { | |
| -- Initializing our fields | |
| ['ts'] = nil, | |
| ['event_type'] = 'surialert', | |
| ['flow_id'] = nil, | |
| ['in_iface'] = nil, | |
| ['vlan'] = nil, | |
| ['sourceipaddress'] = nil, | |
| ['sourceport'] = nil, | |
| ['destinationipaddress'] = nil, | |
| ['destinationport'] = nil, | |
| ['proto'] = nil, | |
| ['gid'] = nil, | |
| ['signature_id'] = nil, | |
| ['rev'] = nil, | |
| ['signature'] = nil, | |
| ['category'] = nil, | |
| ['severity'] = nil, | |
| ['tx_id'] = nil, | |
| severity = "INFO", | |
| category = "suricata_event", | |
| tags = "nsm,suricata,event" | |
| } | |
| } | |
| function toString(value) | |
| if value == "-" then | |
| return nil | |
| end | |
| return value | |
| end | |
| function nilToString(value) | |
| if value == nil then | |
| return "" | |
| end | |
| return value | |
| end | |
| function toNumber(value) | |
| if value == "-" then | |
| return nil | |
| end | |
| return tonumber(value) | |
| end | |
| function lastField(value) | |
| -- remove last "\n" if there's one | |
| if value ~= nil and string.len(value) > 1 and string.sub(value, -2) == "\n" then | |
| return string.sub(value, 1, -2) | |
| end | |
| return value | |
| end | |
| function process_message() | |
| local log = read_message("Payload") | |
| local ok, json = pcall(cjson.decode, log) | |
| if not ok then | |
| return 0 -- when plain text is found, ship it in it's raw form | |
| end | |
| -- allows timestamp (optional) to be set within the json "@timestamp" field | |
| -- useful for output to elasticsearch | |
| -- if json["@timestamp"] ~= nil then | |
| -- local ts = lpeg.match(dt.rfc3339, json["@timestamp"]) | |
| -- if not ts then return -1 end | |
| -- message.Timestamp = dt.time_to_ns(ts) | |
| -- json["@timestamp"] = nil -- remove the original so it isn't duplicated in Fields | |
| -- end | |
| msg.Fields['Type'] = 'suricata_event_log' | |
| msg.Fields['flow_id'] = toNumber(json['flow_id']) | |
| msg.Fields['in_iface'] = json['in_iface'] | |
| msg.Fields['vlan'] = toNumber(json['vlan']) | |
| msg.Fields['sourceipaddress'] = json['src_ip'] | |
| msg.Fields['sourceport'] = toNumber(json['src_port']) | |
| msg.Fields['destinationipaddress'] = json['dst_ip'] | |
| msg.Fields['destinationport'] = toNumber(json['dst_port']) | |
| msg.Fields['proto'] = json['proto'] | |
| msg.Fields['gid'] = toNumber(json.alert['gid']) | |
| msg.Fields['signature_id'] = toNumber(json.alert['signature_id']) | |
| msg.Fields['rev'] = toNumber(json.alert['rev']) | |
| msg.Fields['signature'] = json.alert['signature'] | |
| msg.Fields['category'] = json.alert['category'] | |
| msg.Fields['severity'] = json.alert['severity'] | |
| msg.Fields['tx_id'] = toNumber(json.alert['tx_id']) | |
| inject_message(msg) | |
| return 0 | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment