markuskont · February 9, 2018 13:54
diff --git a/count-packets.lua b/count-packets.lua
 function init (args)
    local needs = {}
    needs["type"] = "packet"
    return needs
 end
    
 function setup (args)
    name = "hello.log"
    filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
    start_time = os.time()
    SCLogInfo("Hello Log Filename " .. filename)
    count = 0
    data = {}
    data["v4"] = 0
    data["v6"] = 0
 end 

 function log(args)
    local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
    if sp == nil then
        sp = "<nil>"
    end
    if dp == nil then
        dp = "<nil>"
    end
    local sec, usec = SCPacketTimestamp()
    
    if ipver == 4 then
       data["v4"] = data["v4"] + 1
    else
       data["v6"] = data["v4"] + 1
    end
    t = os.time();
 --    if (math.mod(t,5) == 0) then
 --        SCLogInfo(t);
 --    end
    --file:write (sec .. "|" .. ipver .. "|" .. srcip .. "|" .. dstip .. "|" .. proto .. "|" .. sp .. "|" .. dp .. "\n")
    --file:flush()
    count = count + 1 
 end
    
 function deinit (args)
    SCLogInfo ("Events logged: " .. count);
    SCLogInfo ("IPv4 packets: " .. data["v4"]);
    SCLogInfo ("IPv6 packets: " .. data["v6"]);
    file:close(file)
 end
diff --git a/log-dns.lua b/log-dns.lua
 function init (args)
    local needs = {}
    needs["protocol"] = "dns"
    return needs
 end

 function setup (args)
    name = "dns.log"
    filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
 end

 function log(args)
    dns_answers = DnsGetAnswers();
    if dns_answers ~= nil then
        for n, t in pairs(dns_answers) do
            rrname = t["rrname"]
            rrtype = t["type"]
            ttl = t["ttl"]

            print("ANSWER: " .. rrname .. " [**] " .. rrtype .. " [**] ")
        end
    end
 end

 function deinit (args)
    file:close(file)
 end
diff --git a/log-new-tls.lua b/log-new-tls.lua
 function init (args)
    local needs = {}
    needs["protocol"] = "tls"
    return needs
 end

 function setup (args)
    name = "tls.log"
    filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
    seen = {}
 end

 function log(args)
    version, subject, issuer, fingerprint = TlsGetCertInfo()
    serial = TlsGetCertSerial()
    if version == nil then
        version = "<nil>"
    end
    if subject == nil then
        subject = "<nil>"
    end
    if issuer == nil then
        issuer = "<nil>"
    end
    if fingerprint == nil then
        fingerprint = "<nil>"
    end
    if fingerprint ~= nil then
        if seen[fingerprint] == nil then
            file:write(version .. "|" .. subject .. "|" .. issuer .. "|" .. fingerprint .. "|" .. serial .. "\n");
            file:flush();
            seen[fingerprint] = true
        end
    end
 end

 function deinit (args)
    file:close(file)
 end
diff --git a/rule-tls-useless.lua b/rule-tls-useless.lua
 function init (args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
 end

 function match(args)
    version, subject, issuer, fingerprint = TlsGetCertInfo();
    SCLogInfo(fingerprint);
 end
	function init (args)
	local needs = {}
	needs["type"] = "packet"
	return needs
	end

	function setup (args)
	name = "hello.log"
	filename = SCLogPath() .. "/" .. name
	file = assert(io.open(filename, "a"))
	start_time = os.time()
	SCLogInfo("Hello Log Filename " .. filename)
	count = 0
	data = {}
	data["v4"] = 0
	data["v6"] = 0
	end

	function log(args)
	local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
	if sp == nil then
	sp = "<nil>"
	end
	if dp == nil then
	dp = "<nil>"
	end
	local sec, usec = SCPacketTimestamp()

	if ipver == 4 then
	data["v4"] = data["v4"] + 1
	else
	data["v6"] = data["v4"] + 1
	end
	t = os.time();
	-- if (math.mod(t,5) == 0) then
	-- SCLogInfo(t);
	-- end
	--file:write (sec .. "\|" .. ipver .. "\|" .. srcip .. "\|" .. dstip .. "\|" .. proto .. "\|" .. sp .. "\|" .. dp .. "\n")
	--file:flush()
	count = count + 1
	end

	function deinit (args)
	SCLogInfo ("Events logged: " .. count);
	SCLogInfo ("IPv4 packets: " .. data["v4"]);
	SCLogInfo ("IPv6 packets: " .. data["v6"]);
	file:close(file)
	end
	function init (args)
	local needs = {}
	needs["protocol"] = "dns"
	return needs
	end

	function setup (args)
	name = "dns.log"
	filename = SCLogPath() .. "/" .. name
	file = assert(io.open(filename, "a"))
	end

	function log(args)
	dns_answers = DnsGetAnswers();
	if dns_answers ~= nil then
	for n, t in pairs(dns_answers) do
	rrname = t["rrname"]
	rrtype = t["type"]
	ttl = t["ttl"]

	print("ANSWER: " .. rrname .. " [] " .. rrtype .. " [] ")
	end
	end
	end

	function deinit (args)
	file:close(file)
	end
	function init (args)
	local needs = {}
	needs["protocol"] = "tls"
	return needs
	end

	function setup (args)
	name = "tls.log"
	filename = SCLogPath() .. "/" .. name
	file = assert(io.open(filename, "a"))
	seen = {}
	end

	function log(args)
	version, subject, issuer, fingerprint = TlsGetCertInfo()
	serial = TlsGetCertSerial()
	if version == nil then
	version = "<nil>"
	end
	if subject == nil then
	subject = "<nil>"
	end
	if issuer == nil then
	issuer = "<nil>"
	end
	if fingerprint == nil then
	fingerprint = "<nil>"
	end
	if fingerprint ~= nil then
	if seen[fingerprint] == nil then
	file:write(version .. "\|" .. subject .. "\|" .. issuer .. "\|" .. fingerprint .. "\|" .. serial .. "\n");
	file:flush();
	seen[fingerprint] = true
	end
	end
	end

	function deinit (args)
	file:close(file)
	end
	function init (args)
	local needs = {}
	needs["tls"] = tostring(true)
	return needs
	end

	function match(args)
	version, subject, issuer, fingerprint = TlsGetCertInfo();
	SCLogInfo(fingerprint);
	end