ossec-lua lua interpreter #120
Conversation
I would like to get this into 2.8 as I think it is the framework for doing a lot more with ossec in the future, and is low impact as it does not change anything outside of the install scripts at this time.
Seems like a good idea to me. A lot of code to sift through to see if it actually works though. Hard to say if it works without throwing it into an install and testing it. Would it be possible for you to put in a few test scripts for Windows/NIX that would help in determining that Lua is actually working? They don't have to be crazy. Just some example code that maybe does a few simple things with Lua. Maybe a "Hello world" for example. I'm not that familiar with Lua personally, but having something to look at and expand on would be helpful and would help in testing to make sure it is working properly.
Will do. I was going to start building on this base for adding more troubleshooting tools into ossec. Will add some examples into contrib for now.
As for the code. It's all 100% Lua 5.2. I have done nothing other than add it into the build system. I would like to do more with it but need to get the basic code imported and then I will build on this. :) I have lots of good stuff planned. See https://github.com/jrossi/ossec-hids/tree/ossec-lua/src/os_execd for the idea of a lua script that can keep state as it's built into the agent. Here is an example of the active response script:

```lua
function tick(time)
  -- I get run every 60 seconds
  if changes then
    local f = assert(io.open("/etc/hosts.deny", "w"))
    for ip_addr, v in pairs(table_of_entries) do
      f:write(string.format("%s:DENY\n", ip_addr))
    end
    f:close()
    changes = false
  end
end

function event_delete(ip, ...)
  for ip_addr, v in pairs(table_of_entries) do
    if ip_addr == ip then
      table_of_entries[ip_addr] = nil
      changes = true
    end
  end
end

function event_add(ip, ...)
  local found = false
  for ip_addr, v in pairs(table_of_entries) do
    if ip_addr == ip then
      found = true
    end
  end
  if not found then
    table_of_entries[ip] = true
    changes = true
  end
end

-- Run on script load
function init(script_name)
  table_of_entries = {}
  changes = false
  -- register a timer function call
  ar:register_timer(60, tick)
  ar:register_add(event_add)
  ar:register_delete(event_delete)
end
```
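A hardened variant of the stateful script above, added here as an example and not part of the pull request or the ossec-lua tree: it validates the address before it reaches /etc/hosts.deny, replaces the file atomically, and writes the daemon:client line form that hosts.deny actually parses. The `ar` registration calls are the ones named in the thread; the stub that stands in for them when no `ar` object exists, the local test file, and the sample addresses are constructed for standalone runs under a plain `lua` interpreter.

```lua
-- Added example, not from the pull request. When run outside the agent
-- (no `ar` object), a stub stands in for the registration calls above.
local stub = (ar == nil)
if stub then
  ar = {
    register_timer  = function(self, _, fn) self.tick = fn end,
    register_add    = function(self, fn) self.add = fn end,
    register_delete = function(self, fn) self.del = fn end,
  }
end
local DENY_FILE = stub and "./hosts.deny.test" or "/etc/hosts.deny"
local entries, changes = {}, false
-- Accept only a dotted-quad IPv4 address, so a crafted alert field
-- (hostname, "ALL", wildcard, embedded newline) cannot inject extra rules.
local function valid_ipv4(s)
  if type(s) ~= "string" then return false end
  local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return false end
  for _, n in ipairs({a, b, c, d}) do
    if tonumber(n) > 255 then return false end
  end
  return true
end
-- Write to a temp file and rename into place: a crash mid-write never
-- leaves a truncated hosts.deny that would drop every existing rule.
local function flush()
  local tmp = DENY_FILE .. ".tmp"
  local f = assert(io.open(tmp, "w"))
  for ip in pairs(entries) do
    f:write(string.format("ALL: %s\n", ip))  -- daemon_list : client_list
  end
  f:close()
  assert(os.rename(tmp, DENY_FILE))
  changes = false
end
local function tick(_) if changes then flush() end end
local function event_add(ip)
  if valid_ipv4(ip) and not entries[ip] then entries[ip] = true; changes = true end
end
local function event_delete(ip)
  if entries[ip] then entries[ip] = nil; changes = true end
end
ar:register_timer(60, tick)
ar:register_add(event_add)
ar:register_delete(event_delete)

if stub then  -- constructed sample: one valid address, one injection attempt
  ar.add("203.0.113.7"); ar.add("203.0.113.8\nALL: ALL"); ar.tick(0)
end
```

Run standalone, only `ALL: 203.0.113.7` ends up in ./hosts.deny.test; the second call is dropped by the validator rather than adding an `ALL: ALL` line.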
Lua is a great tool to have, especially on agents. I vote for including Lua in 2.8.
This adds a lua interpreter to ossec agent and master install. This is the smallest change allowing Lua to become the de facto script language for ossec.
There are many reasons for lua support to be added to ossec:
Once having ossec-lua we can start adding utils to the standard install without having to perform C everyplace. Here are some areas that I see:
I have gotten ossec-lua to compile on windows using mingw and will create a second pull request to make that complete.
This will also need documentation updates.