[Oisf-users] Lua output - flow

Victor Julien lists at inliniac.net
Thu Jul 6 08:20:35 UTC 2017


On 04-07-17 17:32, Martin Petracek wrote:
> I have a question about Suricata Lua scripts.
> 
> I have a simple Lua script to get info about flows:
> 
> function init (args)
>     local needs = {}
>     needs["type"] = "flow"
>     return needs
> end
> 
> function log(args)
>     local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
>     print("src " .. srcip .. " dst " .. dstip)
> end
> 
> The thing that bothers me is that this script (its log function) gets
> called only when the flow ended (if I got right what's happening).
> 
> Am I right? Or when exactly is this Lua script called?

Yep, this is how it is supposed to work.

> I would like to get this function called when the flow starts (and
> ideally in some intervals then, when the flow is active), not only when
> it already ended.

There is no hook to do this currently.

> Is there a way to accomplish this?
> 
> I know it's possible to set needs["type"] to "packet" and then this
> function is called for every packet, but I don't want to do this for
> performance reasons. For me it's enough to have some information about
> the flow, not about every single packet. But I need this information
> when the flow is still active, not when it ended already...

Yeah, I think the only way is to use the packet type and then get the
flow counters to determine if it's the first time you're called for this
flow. But the performance impact is likely going to be noticeable. Might
be worth a try though. Also luajit might help perf.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
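One way to try the approach suggested in the reply, as an added example that is not code from the thread or from the Suricata project: a packet-type output script that uses the per-flow packet counters to log once when a flow starts and again at a fixed packet interval while it is active. It assumes Suricata's SCFlowStats() returns packets/bytes to server and packets/bytes to client, that the current packet is already counted when log() runs, and that it returns nil for packets with no flow; LOG_EVERY and should_log are names chosen for this example.

```lua
-- Added example (not from the original thread): a packet-type Lua output
-- script that uses the per-flow packet counters, as suggested in the reply,
-- to log a flow once when it starts and again every LOG_EVERY packets.
-- Assumption: SCFlowStats() returns (pkts_to_server, bytes_to_server,
-- pkts_to_client, bytes_to_client), the packet being processed has already
-- been added to those counters, and it yields nil when there is no flow.
LOG_EVERY = 100   -- interval for "still active" updates, tune as needed

function init(args)
    local needs = {}
    needs["type"] = "packet"   -- called per packet; counters thin this out below
    return needs
end

function setup(args)
    SCLogInfo("flow-progress.lua: logging flow start and every " .. LOG_EVERY .. " packets")
end

-- Decide whether this packet deserves a log line: the first packet of the
-- flow, or every LOG_EVERY-th packet after that. Kept separate so the policy
-- is easy to change without touching the logging code.
function should_log(total_pkts)
    if total_pkts == 1 then
        return "start"
    elseif total_pkts % LOG_EVERY == 0 then
        return "update"
    end
    return nil
end

function log(args)
    local tscnt, tsbytes, tccnt, tcbytes = SCFlowStats()
    if tscnt == nil then
        return   -- packet without a flow context (assumed nil return), nothing to report
    end
    local reason = should_log(tscnt + tccnt)
    if reason == nil then
        return   -- most packets leave here, keeping the per-packet cost small
    end
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    SCLogInfo(string.format("%s flow %s:%d -> %s:%d proto %d pkts %d/%d bytes %d/%d",
        reason, srcip, sp, dstip, dp, proto, tscnt, tccnt, tsbytes, tcbytes))
end

function deinit(args)
end
```

The early returns are what keep the cost down: every packet still enters log(), but only the first and every LOG_EVERY-th packet of a flow does the tuple lookup and string formatting.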

