@ -133,270 +133,6 @@ static int LuaCallbackStreamingBuffer(lua_State *luastate)
|
|
|
|
|
return LuaCallbackStreamingBufferPushToStack(luastate, b);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief fill lua stack with flow timestamps
|
|
|
|
|
* \param luastate the lua state
|
|
|
|
|
* \param startts timestamp of first packet in the flow
|
|
|
|
|
* \param lastts timestamp of last packet in the flow
|
|
|
|
|
* \retval cnt number of data items placed on the stack
|
|
|
|
|
*
|
|
|
|
|
* Places: seconds (number), seconds (number), microseconds (number),
|
|
|
|
|
* microseconds (number)
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackFlowTimestampsPushToStack(
|
|
|
|
|
lua_State *luastate, const SCTime_t startts, const SCTime_t lastts)
|
|
|
|
|
{
|
|
|
|
|
lua_pushnumber(luastate, (double)SCTIME_SECS(startts));
|
|
|
|
|
lua_pushnumber(luastate, (double)SCTIME_SECS(lastts));
|
|
|
|
|
lua_pushnumber(luastate, (double)SCTIME_USECS(startts));
|
|
|
|
|
lua_pushnumber(luastate, (double)SCTIME_USECS(lastts));
|
|
|
|
|
return 4;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief Wrapper for getting flow timestamp (as numbers) into a lua script
|
|
|
|
|
* \retval cnt number of items placed on the stack
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackFlowTimestamps(lua_State *luastate)
|
|
|
|
|
{
|
|
|
|
|
Flow *flow = LuaStateGetFlow(luastate);
|
|
|
|
|
if (flow == NULL) {
|
|
|
|
|
return LuaCallbackError(luastate, "internal error: no flow");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return LuaCallbackFlowTimestampsPushToStack(luastate, flow->startts, flow->lastts);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief fill lua stack with time string
|
|
|
|
|
* \param luastate the lua state
|
|
|
|
|
* \param flow flow
|
|
|
|
|
* \retval cnt number of data items placed on the stack
|
|
|
|
|
*
|
|
|
|
|
* Places: ts (string)
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackTimeStringPushToStackFromFlow(lua_State *luastate, const Flow *flow)
|
|
|
|
|
{
|
|
|
|
|
char timebuf[64];
|
|
|
|
|
CreateTimeString(flow->startts, timebuf, sizeof(timebuf));
|
|
|
|
|
lua_pushstring (luastate, timebuf);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief Wrapper for getting ts info into a lua script
|
|
|
|
|
* \retval cnt number of items placed on the stack
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackFlowTimeString(lua_State *luastate)
|
|
|
|
|
{
|
|
|
|
|
int r = 0;
|
|
|
|
|
Flow *flow = LuaStateGetFlow(luastate);
|
|
|
|
|
if (flow == NULL)
|
|
|
|
|
return LuaCallbackError(luastate, "internal error: no flow");
|
|
|
|
|
|
|
|
|
|
r = LuaCallbackTimeStringPushToStackFromFlow(luastate, flow);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief fill lua stack with flow has alerts
|
|
|
|
|
* \param luastate the lua state
|
|
|
|
|
* \param flow flow
|
|
|
|
|
* \retval cnt number of data items placed on the stack
|
|
|
|
|
*
|
|
|
|
|
* Places alerts (bool)
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackHasAlertsPushToStackFromFlow(lua_State *luastate, const Flow *flow)
|
|
|
|
|
{
|
|
|
|
|
lua_pushboolean(luastate, FlowHasAlerts(flow));
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief Wrapper for getting flow has alerts info into a lua script
|
|
|
|
|
* \retval cnt number of items placed on the stack
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackFlowHasAlerts(lua_State *luastate)
|
|
|
|
|
{
|
|
|
|
|
int r = 0;
|
|
|
|
|
Flow *flow = LuaStateGetFlow(luastate);
|
|
|
|
|
if (flow == NULL)
|
|
|
|
|
return LuaCallbackError(luastate, "internal error: no flow");
|
|
|
|
|
|
|
|
|
|
r = LuaCallbackHasAlertsPushToStackFromFlow(luastate, flow);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief fill lua stack with header info
|
|
|
|
|
* \param luastate the lua state
|
|
|
|
|
* \param f flow, locked
|
|
|
|
|
* \retval cnt number of data items placed on the stack
|
|
|
|
|
*
|
|
|
|
|
* Places: ipver (number), src ip (string), dst ip (string), protocol (number),
|
|
|
|
|
* sp or icmp type (number), dp or icmp code (number).
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackTuplePushToStackFromFlow(lua_State *luastate, const Flow *f)
|
|
|
|
|
{
|
|
|
|
|
int ipver = 0;
|
|
|
|
|
if (FLOW_IS_IPV4(f)) {
|
|
|
|
|
ipver = 4;
|
|
|
|
|
} else if (FLOW_IS_IPV6(f)) {
|
|
|
|
|
ipver = 6;
|
|
|
|
|
}
|
|
|
|
|
lua_pushinteger(luastate, ipver);
|
|
|
|
|
if (ipver == 0)
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
char srcip[46] = "", dstip[46] = "";
|
|
|
|
|
if (FLOW_IS_IPV4(f)) {
|
|
|
|
|
PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
|
|
|
|
|
PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
|
|
|
|
|
} else if (FLOW_IS_IPV6(f)) {
|
|
|
|
|
PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
|
|
|
|
|
PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
lua_pushstring (luastate, srcip);
|
|
|
|
|
lua_pushstring (luastate, dstip);
|
|
|
|
|
|
|
|
|
|
/* proto and ports (or type/code) */
|
|
|
|
|
lua_pushinteger(luastate, f->proto);
|
|
|
|
|
if (f->proto == IPPROTO_TCP || f->proto == IPPROTO_UDP) {
|
|
|
|
|
lua_pushinteger(luastate, f->sp);
|
|
|
|
|
lua_pushinteger(luastate, f->dp);
|
|
|
|
|
|
|
|
|
|
} else if (f->proto == IPPROTO_ICMP || f->proto == IPPROTO_ICMPV6) {
|
|
|
|
|
lua_pushinteger(luastate, f->icmp_s.type);
|
|
|
|
|
lua_pushinteger(luastate, f->icmp_s.code);
|
|
|
|
|
} else {
|
|
|
|
|
lua_pushinteger(luastate, 0);
|
|
|
|
|
lua_pushinteger(luastate, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 6;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief Wrapper for getting tuple info into a lua script
|
|
|
|
|
* \retval cnt number of items placed on the stack
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackTupleFlow(lua_State *luastate)
|
|
|
|
|
{
|
|
|
|
|
int r = 0;
|
|
|
|
|
Flow *f = LuaStateGetFlow(luastate);
|
|
|
|
|
if (f == NULL)
|
|
|
|
|
return LuaCallbackError(luastate, "internal error: no flow");
|
|
|
|
|
|
|
|
|
|
r = LuaCallbackTuplePushToStackFromFlow(luastate, f);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief fill lua stack with AppLayerProto
|
|
|
|
|
* \param luastate the lua state
|
|
|
|
|
* \param alproto AppProto to push to stack as string
|
|
|
|
|
* \retval cnt number of data items placed on the stack
|
|
|
|
|
*
|
|
|
|
|
* Places: alproto as string (string)
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackAppLayerProtoPushToStackFromFlow(lua_State *luastate, const AppProto alproto)
|
|
|
|
|
{
|
|
|
|
|
const char *string = AppProtoToString(alproto);
|
|
|
|
|
if (string == NULL)
|
|
|
|
|
string = "unknown";
|
|
|
|
|
lua_pushstring(luastate, string);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief Wrapper for getting AppLayerProto info into a lua script
|
|
|
|
|
* \retval cnt number of items placed on the stack
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackAppLayerProtoFlow(lua_State *luastate)
|
|
|
|
|
{
|
|
|
|
|
int r = 0;
|
|
|
|
|
Flow *f = LuaStateGetFlow(luastate);
|
|
|
|
|
if (f == NULL)
|
|
|
|
|
return LuaCallbackError(luastate, "internal error: no flow");
|
|
|
|
|
|
|
|
|
|
r = LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto);
|
|
|
|
|
r += LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto_ts);
|
|
|
|
|
r += LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto_tc);
|
|
|
|
|
r += LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto_orig);
|
|
|
|
|
r += LuaCallbackAppLayerProtoPushToStackFromFlow(luastate, f->alproto_expect);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief fill lua stack with flow stats
|
|
|
|
|
* \param luastate the lua state
|
|
|
|
|
* \param f flow, locked
|
|
|
|
|
* \retval cnt number of data items placed on the stack
|
|
|
|
|
*
|
|
|
|
|
* Places: ts pkts (number), ts bytes (number), tc pkts (number), tc bytes (number)
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackStatsPushToStackFromFlow(lua_State *luastate, const Flow *f)
|
|
|
|
|
{
|
|
|
|
|
lua_pushinteger(luastate, f->todstpktcnt);
|
|
|
|
|
lua_pushinteger(luastate, f->todstbytecnt);
|
|
|
|
|
lua_pushinteger(luastate, f->tosrcpktcnt);
|
|
|
|
|
lua_pushinteger(luastate, f->tosrcbytecnt);
|
|
|
|
|
return 4;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief Wrapper for getting AppLayerProto info into a lua script
|
|
|
|
|
* \retval cnt number of items placed on the stack
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackStatsFlow(lua_State *luastate)
|
|
|
|
|
{
|
|
|
|
|
int r = 0;
|
|
|
|
|
Flow *f = LuaStateGetFlow(luastate);
|
|
|
|
|
if (f == NULL)
|
|
|
|
|
return LuaCallbackError(luastate, "internal error: no flow");
|
|
|
|
|
|
|
|
|
|
r = LuaCallbackStatsPushToStackFromFlow(luastate, f);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief fill lua stack with flow id
|
|
|
|
|
* \param luastate the lua state
|
|
|
|
|
* \param f flow, locked
|
|
|
|
|
* \retval cnt number of data items placed on the stack
|
|
|
|
|
*
|
|
|
|
|
* Places: flow id (number)
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackPushFlowIdToStackFromFlow(lua_State *luastate, const Flow *f)
|
|
|
|
|
{
|
|
|
|
|
int64_t id = FlowGetId(f);
|
|
|
|
|
lua_pushinteger(luastate, id);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief Wrapper for getting FlowId into lua script
|
|
|
|
|
* \retval cnt number of items placed on the stack
|
|
|
|
|
*/
|
|
|
|
|
static int LuaCallbackFlowId(lua_State *luastate)
|
|
|
|
|
{
|
|
|
|
|
int r = 0;
|
|
|
|
|
Flow *f = LuaStateGetFlow(luastate);
|
|
|
|
|
if (f == NULL)
|
|
|
|
|
return LuaCallbackError(luastate, "internal error: no flow");
|
|
|
|
|
|
|
|
|
|
r = LuaCallbackPushFlowIdToStackFromFlow(luastate, f);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \internal
|
|
|
|
|
* \brief fill lua stack with signature info
|
|
|
|
|
* \param luastate the lua state
|
|
|
|
@ -784,21 +520,6 @@ static int LuaCallbackThreadInfo(lua_State *luastate)
|
|
|
|
|
int LuaRegisterFunctions(lua_State *luastate)
|
|
|
|
|
{
|
|
|
|
|
/* registration of the callbacks */
|
|
|
|
|
lua_pushcfunction(luastate, LuaCallbackFlowTimestamps);
|
|
|
|
|
lua_setglobal(luastate, "SCFlowTimestamps");
|
|
|
|
|
lua_pushcfunction(luastate, LuaCallbackFlowTimeString);
|
|
|
|
|
lua_setglobal(luastate, "SCFlowTimeString");
|
|
|
|
|
lua_pushcfunction(luastate, LuaCallbackTupleFlow);
|
|
|
|
|
lua_setglobal(luastate, "SCFlowTuple");
|
|
|
|
|
lua_pushcfunction(luastate, LuaCallbackAppLayerProtoFlow);
|
|
|
|
|
lua_setglobal(luastate, "SCFlowAppLayerProto");
|
|
|
|
|
lua_pushcfunction(luastate, LuaCallbackStatsFlow);
|
|
|
|
|
lua_setglobal(luastate, "SCFlowStats");
|
|
|
|
|
lua_pushcfunction(luastate, LuaCallbackFlowHasAlerts);
|
|
|
|
|
lua_setglobal(luastate, "SCFlowHasAlerts");
|
|
|
|
|
lua_pushcfunction(luastate, LuaCallbackFlowId);
|
|
|
|
|
lua_setglobal(luastate, "SCFlowId");
|
|
|
|
|
|
|
|
|
|
lua_pushcfunction(luastate, LuaCallbackStreamingBuffer);
|
|
|
|
|
lua_setglobal(luastate, "SCStreamingBuffer");
|
|
|
|
|
|
|
|
|
|