7 new skeletons for FRONTEND added
trisulnsm committed Jan 5, 2017
1 parent c858028 commit e2c3b33
Showing 6 changed files with 396 additions and 0 deletions.
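--- /dev/null
+++ b/lua/skeletons/input_filter.lua
@@ -0,0 +1,74 @@
+--
+-- input_filter.lua skeleton
+--
+-- TYPE: FRONTEND SCRIPT
+-- PURPOSE: Input filter to drive the Trisul pipeline
+-- DESCRIPTION: Custom input for packets, flows, or alerts
+--
+--
+--
+--
+TrisulPlugin = {
+
+
+-- the ID block, you can skip the fields marked 'optional '
+--
+id = {
+name = "CSV netflow input",
+description = "read flow records from CSV", -- optional
+author = "Unleash", -- optional
+version_major = 1, -- optional
+version_minor = 0, -- optional
+},
+
+-- COMMON FUNCTIONS: onload, onunload, onmessage
+--
+-- WHEN CALLED : your LUA script is loaded into Trisul
+onload = function()
+-- your code
+end,
+
+-- WHEN CALLED : your LUA script is unloaded / detached from Trisul
+onunload = function()
+-- your code
+end,
+
+-- any messages you want to handle for state management
+message_subscriptions = {},
+
+-- WHEN CALLED: when another plugin sends you a message
+onmessage = function(msgid, msg)
+
+end,
+
+
+
+
+-- input_filter block
+--
+inputfilter = {
+
+
+
+-- WHEN CALLED: when Trisul platform wants a new packet or flow
+-- step block : to handle packets and flows
+-- read the next line from the file and do engine:updateXXX(..) to add metrics
+step = function(packet, engine)
+-- your lua code here
+end,
+
+
+
+-- WHEN CALLED: when Trisul platform wants a new packet or flows
+-- step_alert block : to feed alerts into the pipeline
+-- need to return a table { } with alert information; see the docs
+step_alert = function()
+-- your lua code here
+-- return a table { }
+
+end,
+
+
+
+},
+}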
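Review bot: The header comment above `step_alert` is a copy of the one above `step` ("when Trisul platform wants a new packet or flows") and does not say when an alert is requested, while the body returns nothing even though the comment on it says a table must be returned. I would change the header to `-- WHEN CALLED: when Trisul platform wants the next alert to inject` and end the skeleton body with an explicit `return { }` so a copied template at least returns the documented shape; whether an empty table is a valid "no alert" value is not visible here and should be confirmed against the docs first. Because `step` is where records read from an external file enter the pipeline, the template would also benefit from a reminder such as `-- the file is untrusted input: validate/clamp every parsed field before engine:updateXXX(..)`.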
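--- /dev/null
+++ b/lua/skeletons/new_alert_group.lua
@@ -0,0 +1,59 @@
+--
+-- new_alert_group.lua skeleton
+--
+-- TYPE: FRONTEND SCRIPT
+-- PURPOSE: Create a new alert group
+-- DESCRIPTION: You can create your own alert groups for your specific case
+--
+--
+--
+--
+TrisulPlugin = {
+
+
+-- the ID block, you can skip the fields marked 'optional '
+--
+id = {
+name = "My IOC hits",
+description = "Alerts when my private IOCs match ", -- optional
+author = "Unleash", -- optional
+version_major = 1, -- optional
+version_minor = 0, -- optional
+},
+
+-- COMMON FUNCTIONS: onload, onunload, onmessage
+--
+-- WHEN CALLED : your LUA script is loaded into Trisul
+onload = function()
+-- your code
+end,
+
+-- WHEN CALLED : your LUA script is unloaded / detached from Trisul
+onunload = function()
+-- your code
+end,
+
+-- any messages you want to handle for state management
+message_subscriptions = {},
+
+-- WHEN CALLED: when another plugin sends you a message
+onmessage = function(msgid, msg)
+
+end,
+
+
+-- alertgroup block
+--
+alertgroup = {
+
+-- table control
+-- WHEN CALLED: specify details of your new alert group
+-- you can use 'trisulctl_probe testbench guid' to get a new GUID
+control = {
+guid = "{a973e25d-4434-4f0a-9656-9d2c0247eaf8}",
+name = "My IOC Hit",
+description = "When my IOC hits ",
+},
+
+},
+}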
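Review bot: The placeholder `guid = "{a973e25d-4434-4f0a-9656-9d2c0247eaf8}"` in `control` looks like a generated value, and the same string is used verbatim by the counter-group and resource-group skeletons in this commit, so a user who copies the template and skips the `trisulctl_probe testbench guid` step ends up registering under an identifier shared with other plugins instead of getting an obvious failure. I would use a placeholder that cannot pass for a real GUID, e.g. `guid = "{00000000-0000-0000-0000-000000000000}", -- REPLACE: run 'trisulctl_probe testbench guid'`, so the omission is caught at load time or at least on review. How Trisul behaves when two plugins declare the same GUID is not visible here; if it is not rejected, the collision is silent.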
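--- /dev/null
+++ b/lua/skeletons/new_counter_group.lua
@@ -0,0 +1,78 @@
+--
+-- new_counter_group.lua skeleton
+--
+-- TYPE: FRONTEND SCRIPT
+-- PURPOSE: Create a new counter group
+-- DESCRIPTION: Use this to create your own Metrics counter group with associated
+-- meters and key mappings
+--
+--
+--
+TrisulPlugin = {
+
+
+-- the ID block, you can skip the fields marked 'optional '
+--
+id = {
+name = "Packet Length",
+description = "Meter packet lengths ", -- optional
+author = "Unleash", -- optional
+version_major = 1, -- optional
+version_minor = 0, -- optional
+},
+
+-- COMMON FUNCTIONS: onload, onunload, onmessage
+--
+-- WHEN CALLED : your LUA script is loaded into Trisul
+onload = function()
+-- your code
+end,
+
+-- WHEN CALLED : your LUA script is unloaded / detached from Trisul
+onunload = function()
+-- your code
+end,
+
+-- any messages you want to handle for state management
+message_subscriptions = {},
+
+-- WHEN CALLED: when another plugin sends you a message
+onmessage = function(msgid, msg)
+
+end,
+
+
+-- countergroup block
+--
+countergroup = {
+
+-- WHEN CALLED: specify details of your new counter group
+-- you can use 'trisulctl_probe testbench guid' to get a new GUID
+control = {
+guid = "{a973e25d-4434-4f0a-9656-9d2c0247eaf8}",
+name = "Host TCP",
+description = "Count volume and TCP flags in all packets",
+bucketsize = 30,
+},
+
+-- meters table
+-- id, type of meter, toppers to track, Name, units, units-short
+--
+meters = {
+{ 0, T.K.vartype.RATE_COUNTER, 10, "Packets", "bytes", "Bps" },
+{ 1, T.K.vartype.COUNTER, 10, "Resets", "packets", "Pkts" },
+},
+
+
+-- key mapping
+-- maps keys used by you into user friendly names for Trisul display
+keyinfo = {
+{"0-100","small pkt"},
+{"101-500","medium pkt"},
+{"501-1500","large pkt"},
+{"1501+","jumbo frame"},
+}
+
+
+},
+}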
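Review bot: The example values in this section contradict each other: `id.name` is "Packet Length" and `keyinfo` maps packet-size buckets, but `control.name` is "Host TCP" with the description "Count volume and TCP flags in all packets", and meter 0 is named "Packets" while its units are "bytes"/"Bps". Skeletons get copied verbatim, so the mismatch will propagate into real plugins. I would align everything on the packet-length example: `name = "Packet Length",`, `description = "Volume by packet length bucket",` and `{ 0, T.K.vartype.RATE_COUNTER, 10, "Bytes", "bytes", "Bps" },`. A short comment stating what the first column of `keyinfo` must match (presumably the key strings the script passes to engine:updateXXX, which is not visible here) would also save the next reader a trip to the docs.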
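--- /dev/null
+++ b/lua/skeletons/new_resource_group.lua
@@ -0,0 +1,59 @@
+--
+-- new_resource_group.lua skeleton
+--
+-- TYPE: FRONTEND SCRIPT
+-- PURPOSE: Create a new resource group
+-- DESCRIPTION: You can create your own resource groups for your specific case
+--
+--
+--
+--
+TrisulPlugin = {
+
+
+-- the ID block, you can skip the fields marked 'optional '
+--
+id = {
+name = "SHA256 Hashes",
+description = "logs SHA hash Resources ", -- optional
+author = "Unleash", -- optional
+version_major = 1, -- optional
+version_minor = 0, -- optional
+},
+
+-- COMMON FUNCTIONS: onload, onunload, onmessage
+--
+-- WHEN CALLED : your LUA script is loaded into Trisul
+onload = function()
+-- your code
+end,
+
+-- WHEN CALLED : your LUA script is unloaded / detached from Trisul
+onunload = function()
+-- your code
+end,
+
+-- any messages you want to handle for state management
+message_subscriptions = {},
+
+-- WHEN CALLED: when another plugin sends you a message
+onmessage = function(msgid, msg)
+
+end,
+
+
+-- resourcegroup block
+--
+resourcegroup = {
+
+-- table control
+-- WHEN CALLED: specify details of your new resource group
+-- you can use 'trisulctl_probe testbench guid' to get a new GUID
+control = {
+guid = "{a973e25d-4434-4f0a-9656-9d2c0247eaf8}",
+name = "SHA256 file hashes",
+description = "File hash resources ",
+},
+
+},
+}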
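Review bot: `control.guid` in this section is byte-identical to the GUID shipped in new_alert_group.lua and new_counter_group.lua in the same commit, so the three skeletons cannot be loaded side by side unmodified, and a resource group that keeps this value shares its identity with any other unedited template. The comment on the preceding line does say to generate one with `trisulctl_probe testbench guid`, but a value that looks generated is easy to leave in place; an all-zero placeholder with a `-- REPLACE` marker makes the omission visible. Whether the platform rejects duplicate GUIDs or silently merges them is not visible in this hunk.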
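--- /dev/null
+++ b/lua/skeletons/packet_storage.lua
@@ -0,0 +1,60 @@
+--
+-- packet_storage.lua skeleton
+--
+-- TYPE: FRONTEND SCRIPT
+-- PURPOSE: Fine grained control of PCAP storage
+-- DESCRIPTION: For each flow determine how you want to store packets
+--
+--
+--
+--
+TrisulPlugin = {
+
+
+-- the ID block, you can skip the fields marked 'optional '
+--
+id = {
+name = "Dont store backsup",
+description = "Ignore flows to subnet 10.200 between 10PM and 1AM", -- optional
+author = "Unleash", -- optional
+version_major = 1, -- optional
+version_minor = 0, -- optional
+},
+
+-- COMMON FUNCTIONS: onload, onunload, onmessage
+--
+-- WHEN CALLED : your LUA script is loaded into Trisul
+onload = function()
+-- your code
+end,
+
+-- WHEN CALLED : your LUA script is unloaded / detached from Trisul
+onunload = function()
+-- your code
+end,
+
+-- any messages you want to handle for state management
+message_subscriptions = {},
+
+-- WHEN CALLED: when another plugin sends you a message
+onmessage = function(msgid, msg)
+
+end,
+
+
+-- packet_storage block;
+--
+packet_storage = {
+
+-- WHEN CALLED: a new flow is first seen
+-- specify packet (pcap) storage policy for this flow
+--
+filter = function( engine, timestamp, flow )
+-- your lua code
+-- return a number from -1..6 representing how to handle
+-- packet storage for this flow. See docs
+return -1
+end,
+
+},
+}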
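Review bot: `filter` returns the bare magic number `-1` with only "a number from -1..6 ... See docs" as explanation, yet this return value decides whether a flow's packets are retained or dropped, so the meaning of the default should be stated where it is returned, e.g. `return -1 -- platform default per docs; confirm before relying on it`, or better, the codes given names in a local table at the top of the block. The `id` block also advertises a policy ("Ignore flows to subnet 10.200 between 10PM and 1AM") that the body does not implement, which invites copying a description that lies about what the plugin does; and `name` has a typo, `name = "Dont store backups",`. `timestamp` and `flow` are accepted but unused, and a comment on which fields of `flow` are available for the decision would help, if that is known.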
