I’m writing a Lua script for a rule (not output). Is there a way to get the full packet from Lua? If I try something, for example, like this:
function init (args)
    local needs = {}
    -- ask for the entire packet, headers included
    needs["packet"] = tostring(true)
    return needs
end
function match(args)
    -- raw packet bytes, logged as-is (binary, not hex)
    local p = args["packet"]
    SCLogNotice(p)
    return 1
end
Nothing is output to suricata.log. Is there a way to just get the whole packet in hexadecimal characters? What am I missing?
From the documentation, I’m not sure there’s something just like that.
You could use SCPacketPayload to get access to the packet contents, and SCPacketTuple to access IP version, and source and destination IP and ports.
Another thing that may be causing issues is the way you’re retrieving the packet in your init function. According to the documentation, and from my own experience, it should be: needs["type"] = "packet".
Not sure if that’s another possible way, but maybe that could also help in moving forward with your intent!
Well, as far as I know you can’t retrieve that data at the same time because they’re in different buffers. Maybe that’s a better question: can you get the source IP and HTTP URI at the same time?
Hm, I think there may be some more freedom as to how you write things within the match function in the lua script.
Check this other Suricata-verify test:
As for a buffer, if you want that, I could be wrong, but I think you could build your own using string.format(). Then you format it the way it would show up in the packet. The S-V test for DNS output in Lua has an example of formatting a string:
I’m not really sure what you’re getting at. The problem isn’t string formatting, it’s that you simply can’t get the source IP (from the packet buffer) and the HTTP URI (from the http uri buffer) in the same Lua script.
I’m sorry, I’m just trying to help. I thought I saw that done in that http output suricata-verify test by means of the SCFlowTuple(), so I assumed it is possible. But I don’t have more knowledge to help you further, right now.
Edit: It actually does work, I had something wrong in the previous version of my script.
Sorry if I came off as rude, that is not my intention.
Your code does have the right information; unfortunately I’m working with Suricata Lua detection and not logging. I want to use the Lua script I’m writing to trigger a rule, and you can’t use needs["protocol"] = "http", you have to use their buffers.
Turns out, in my case SCFlowTuple should be used instead of SCPacketTuple.
In case anyone ends up at this post, this is how I managed to get the source IP:
function init (args)
    local needs = {}
    -- register against the tls buffer
    needs["tls"] = tostring(true)
    return needs
end
function match(args)
    -- SCFlowTuple returns the IP version and the flow's 5-tuple
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    SCLogWarning(srcip)
    return 0
end
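To tie the two halves of the thread together, here is an added example (my own, not code from any post above or from the Suricata project) of a detection script that does what the original question asked for: it takes the whole packet and writes it to suricata.log as hex, and logs the flow tuple next to it. It assumes the documented detection API, i.e. that needs["packet"] = tostring(true) makes the raw packet available as args["packet"] in match(), and that SCFlowTuple() and SCLogNotice() are the documented callbacks. The hexdump helper, the defensive handling of a packet with no flow (SCFlowTuple is assumed to either return nil or raise, so both are caught), and the rule line in the comment with its placeholder sid are mine.

```lua
-- Added example: Suricata Lua detection script that hex-dumps the whole
-- packet and logs the flow tuple. Assumed rule (sid is a placeholder):
--   alert ip any any -> any any (msg:"lua hexdump"; lua:hexdump.lua; sid:1000001; rev:1;)

-- Format a binary string as a classic hex dump: 16 bytes per line with an
-- offset column. Pure Lua, so it also works outside Suricata.
local function hexdump(buf)
    local lines = {}
    for off = 1, #buf, 16 do
        local chunk = buf:sub(off, off + 15)
        -- gsub returns (string, count); only the string is kept here
        local hex = chunk:gsub(".", function(c)
            return string.format("%02x ", c:byte())
        end)
        lines[#lines + 1] = string.format("%08x  %s", off - 1, hex)
    end
    return table.concat(lines, "\n")
end

-- Register what the script needs: "packet" asks for the entire packet,
-- headers included (the form given in the Suricata documentation).
function init(args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end

function match(args)
    local pkt = args["packet"]
    if pkt == nil or #pkt == 0 then
        return 0
    end

    -- Assumption: on a packet with no flow SCFlowTuple either returns nil
    -- (plus an error string) or raises; pcall plus the nil check covers both
    -- so the match does not abort.
    local ok, ipver, srcip, dstip, proto, sp, dp = pcall(SCFlowTuple)
    if ok and ipver ~= nil then
        SCLogNotice(string.format("ipv%s %s:%s -> %s:%s proto %s, %d bytes",
            ipver, srcip, sp, dstip, dp, proto, #pkt))
    else
        SCLogNotice(string.format("no flow for packet, %d bytes", #pkt))
    end

    SCLogNotice("\n" .. hexdump(pkt))
    return 1 -- alert on every packet the rule header matched
end
```

Keep this to debugging: it writes a notice per packet for every packet the rule header selects, and suricata.log has no rate limit, so on a busy sensor it will flood the log and cost real CPU. Narrow the rule header (host, port, protocol) before loading it, and remove it once the buffer contents have been checked.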