inliniac · March 19, 2014 17:53
diff --git a/file log b/file log
 function init (args)
    local needs = {}
    needs['type'] = 'file'
    print ("init() done")
    return needs
 end

 function setup (args)
    print ("setup() done")
 end

 function log(args)
    ts = SCPacketTimeString()
    ipv, srcip, dstip, proto, sp, dp = SCFlowTuple()

    http_host = HttpGetRequestHeader('Host')
    nuri = HttpGetRequestUriNormalized()
    ua = HttpGetRequestHeader('User-Agent')
    if ua == nil then
        ua = "<unknown>"
    end
    fileid, txid, name, size, magic, md5 = SCFileInfo()
    if md5 == nil then
        md5 = "<unknown>"
    end
    state, stored = SCFileState()

    print (ts .. " " .. http_host .. " [**] " .. name .. " [**] " .. ua ..
           " [**] " .. magic .. " [**] " .. md5 .. " [**] " .. srcip ..
           ":" .. sp .. " -> " .. dstip .. ":" .. dp)

 --    print ("log() done")
 end

 function deinit (args)
 end
diff --git a/flow b/flow
 function init (args)
    local needs = {}
    needs["type"] = "packet"
    return needs
 end

 function setup (args)
 end

 function log(args)
    startts = SCFlowTimeString()
    ts = SCPacketTimeString()
    if ts == startts then
        ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
        print ("Flow IPv" .. ipver .. " src " .. srcip .. " dst " .. dstip ..
               " proto " .. proto .. " sp " .. sp .. " dp " .. dp)
    end
 end

 function deinit (args)
 end
diff --git a/full fast log b/full fast log
 -- simple fast-log to file lua module
 name = "fast_lua.log"

 function init (args)
    local needs = {}
    needs["type"] = "packet"
    needs["filter"] = "alerts"
    return needs
 end

 function setup (args)
    filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
    print("Filename " .. filename)
    alerts = 0
 end

 function log(args)
    ts = SCPacketTimeString()
    sid, rev, gid = SCRuleIds()
    ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
    msg = SCRuleMsg()
    class, prio = SCRuleClass()
    if class == nil then
        class = "unknown"
    end

    if (ipver > 0) then
        file:write (ts .. "  [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
                    msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
                    prio .. "] {" .. proto .. "} " ..
                    srcip .. ":" .. sp .. " -> " .. dstip .. ":" .. dp .. "\n")
        file:flush()
    else
        SCLogWarning("decoder events not yet supported")
    end
    alerts = alerts + 1;
 end

 function deinit (args)
    SCLogInfo ("Alerted " .. alerts .. " times");
    file.close(file)
 end
diff --git a/Print unique request header names b/Print unique request header names
 function init (args)
    local needs = {}
    needs["protocol"] = "http"
    return needs
 end

 function setup (args)
    sqlite3, errmsg = require("lsqlite3")
    db = sqlite3.open_memory()
    db:exec[[CREATE TABLE headers (id INTEGER PRIMARY KEY, header);]]
 end

 function log(args)
    a = HttpGetRequestHeaders();
    for n, v in pairs(a) do
        local stmt = db:prepare[[ INSERT INTO headers VALUES (:key, :header) ]]
        stmt:bind_names{ key = NULL, header = n}
        stmt:step()
        stmt:finalize()
    end

 end

 function deinit (args)
    print ("Request Headers:")
    for row in db:nrows("SELECT header, COUNT(*) as count FROM headers GROUP BY header") do
        print(row.count, row.header)
    end
 end
	function init (args)
	local needs = {}
	needs['type'] = 'file'
	print ("init() done")
	return needs
	end

	function setup (args)
	print ("setup() done")
	end

	function log(args)
	ts = SCPacketTimeString()
	ipv, srcip, dstip, proto, sp, dp = SCFlowTuple()

	http_host = HttpGetRequestHeader('Host')
	nuri = HttpGetRequestUriNormalized()
	ua = HttpGetRequestHeader('User-Agent')
	if ua == nil then
	ua = "<unknown>"
	end
	fileid, txid, name, size, magic, md5 = SCFileInfo()
	if md5 == nil then
	md5 = "<unknown>"
	end
	state, stored = SCFileState()

	print (ts .. " " .. http_host .. " [] " .. name .. " [] " .. ua ..
	" [] " .. magic .. " [] " .. md5 .. " [**] " .. srcip ..
	":" .. sp .. " -> " .. dstip .. ":" .. dp)

	-- print ("log() done")
	end

	function deinit (args)
	end
	function init (args)
	local needs = {}
	needs["type"] = "packet"
	return needs
	end

	function setup (args)
	end

	function log(args)
	startts = SCFlowTimeString()
	ts = SCPacketTimeString()
	if ts == startts then
	ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
	print ("Flow IPv" .. ipver .. " src " .. srcip .. " dst " .. dstip ..
	" proto " .. proto .. " sp " .. sp .. " dp " .. dp)
	end
	end

	function deinit (args)
	end
	-- simple fast-log to file lua module
	name = "fast_lua.log"

	function init (args)
	local needs = {}
	needs["type"] = "packet"
	needs["filter"] = "alerts"
	return needs
	end

	function setup (args)
	filename = SCLogPath() .. "/" .. name
	file = assert(io.open(filename, "a"))
	print("Filename " .. filename)
	alerts = 0
	end

	function log(args)
	ts = SCPacketTimeString()
	sid, rev, gid = SCRuleIds()
	ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
	msg = SCRuleMsg()
	class, prio = SCRuleClass()
	if class == nil then
	class = "unknown"
	end

	if (ipver > 0) then
	file:write (ts .. " [**] [" .. gid .. ":" .. sid .. ":" .. rev .. "] " ..
	msg .. " [**] [Classification: " .. class .. "] [Priority: " ..
	prio .. "] {" .. proto .. "} " ..
	srcip .. ":" .. sp .. " -> " .. dstip .. ":" .. dp .. "\n")
	file:flush()
	else
	SCLogWarning("decoder events not yet supported")
	end
	alerts = alerts + 1;
	end

	function deinit (args)
	SCLogInfo ("Alerted " .. alerts .. " times");
	file.close(file)
	end