mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
172 lines
2.8 KiB
ReStructuredText
172 lines
2.8 KiB
ReStructuredText
File
|
|
####
|
|
|
|
File information is exposed to Lua scripts with the ``suricata.file``
|
|
library, for example::
|
|
|
|
local filelib = require("suricata.file")
|
|
|
|
Setup
|
|
*****
|
|
|
|
If your purpose is to create a logging script, initialize the script
|
|
as:
|
|
|
|
::
|
|
|
|
function init (args)
|
|
local needs = {}
|
|
needs["type"] = "file"
|
|
return needs
|
|
end
|
|
|
|
Currently the Lua file library is not implemented for rules.
|
|
|
|
API
|
|
***
|
|
|
|
File Object
|
|
===========
|
|
|
|
File data is accessed through the file object, which must be
|
|
obtained before use::
|
|
|
|
local file, err = filelib.get_file()
|
|
if file == nil then
|
|
print(err)
|
|
end
|
|
|
|
File Methods
|
|
============
|
|
|
|
``file_id()``
|
|
-------------
|
|
|
|
Returns the ID number of the file.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local id = file:file_id()
|
|
print("File ID: " .. id)
|
|
|
|
``tx_id()``
|
|
-----------
|
|
|
|
Returns the transaction ID associated with the file.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local tx_id = file:tx_id()
|
|
print("Transaction ID: " .. tx_id)
|
|
|
|
``name()``
|
|
----------
|
|
|
|
Returns the file name.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local name = file:name()
|
|
if name ~= nil then
|
|
print("Filename: " .. name)
|
|
end
|
|
|
|
``size()``
|
|
----------
|
|
|
|
Returns the file size.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local size = file:size()
|
|
print("File size: " .. size .. " bytes")
|
|
|
|
``magic()``
|
|
-----------
|
|
|
|
Returns the file type based on libmagic (if available). Will return
|
|
nil if magic is not available.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local magic = file:magic()
|
|
if magic ~= nil then
|
|
print("File type: " .. magic)
|
|
end
|
|
|
|
``md5()``
|
|
---------
|
|
|
|
Returns the MD5 hash of the file (if calculated). Will return nil if
|
|
the MD5 hash was not calculated.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local md5 = file:md5()
|
|
if md5 ~= nil then
|
|
print("MD5: " .. md5)
|
|
end
|
|
|
|
``sha1()``
|
|
----------
|
|
|
|
Returns the SHA1 hash of the file (if calculated). Will return nil if
|
|
the SHA1 hash was not calculated.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local sha1 = file:sha1()
|
|
if sha1 ~= nil then
|
|
print("SHA1: " .. sha1)
|
|
end
|
|
|
|
``sha256()``
|
|
------------
|
|
|
|
Returns the SHA256 hash of the file (if calculated). Will return nil
|
|
if the SHA256 hash was not calculated.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local sha256 = file:sha256()
|
|
if sha256 ~= nil then
|
|
print("SHA256: " .. sha256)
|
|
end
|
|
|
|
``get_state()``
|
|
---------------
|
|
|
|
Returns the current state of the file.
|
|
|
|
Returns:
|
|
|
|
- State: "CLOSED", "TRUNCATED", "ERROR", "OPENED", "NONE", or
|
|
"UNKNOWN"
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local state = file:get_state()
|
|
if state ~= nil then
|
|
print("File state: " .. state)
|
|
end
|
|
|
|
``is_stored()``
|
|
---------------
|
|
|
|
Returns true if the file has been stored to disk, false otherwise.
|
|
|
|
Example::
|
|
|
|
local file = filelib.get_file()
|
|
local stored = file:is_stored()
|
|
print("File stored: " .. tostring(stored))
|