DNS
---

.. role:: example-rule-emphasis

DNS transaction details are exposed to Lua scripts through the ``suricata.dns`` library, for example::

  local dns = require("suricata.dns")

Setup
^^^^^

If your purpose is to create a logging script, initialize the buffer as follows::

  function init (args)
      local needs = {}
      needs["protocol"] = "dns"
      return needs
  end

If the script is used for rule matching, choose one of the available DNS buffers listed in :ref:`lua-detection` and follow this pattern:

For use in rule matching, the rule must **hook** into a DNS transaction state. The available states are ``request_complete`` and ``response_complete``. For example:

.. container:: example-rule

    alert dns::example-rule-emphasis:`request_complete` any any -> any any (...

The script is then initialized as follows::

  function init (args)
      return {}
  end

Transaction
~~~~~~~~~~~

DNS is transaction based, so the current transaction must be obtained before use::

  local tx, err = dns.get_tx()
  -- get_tx() returns nil plus an error message when no transaction is available
  if tx == nil then
      print(err)
  end

All other functions are methods on the transaction table.

Transaction Methods
~~~~~~~~~~~~~~~~~~~

``answers()``
^^^^^^^^^^^^^

Returns the ``answers`` response section as a table.

Example::

  local tx = dns.get_tx()
  local answers = tx:answers()
  if answers ~= nil then
      -- each entry is a resource record with at least rrname, type and ttl
      for n, t in pairs(answers) do
          local rrname = t["rrname"]
          local rrtype = t["type"]
          local ttl = t["ttl"]
          print("ANSWER: " .. rrname .. " [**] " .. rrtype .. " [**] " .. ttl)
      end
  end

``authorities()``
^^^^^^^^^^^^^^^^^

Returns the ``authorities`` response section as a table.

Example::

  local tx = dns.get_tx()
  local authorities = tx:authorities()
  if authorities ~= nil then
      for n, t in pairs(authorities) do
          local rrname = t["rrname"]
          local rrtype = t["type"]
          local ttl = t["ttl"]
          print("AUTHORITY: " .. rrname .. " [**] " .. rrtype .. " [**] " .. ttl)
      end
  end

``queries()``
^^^^^^^^^^^^^

Returns the ``queries`` section of the request or response as a table.

Example::

  local tx = dns.get_tx()
  local queries = tx:queries()
  if queries ~= nil then
      -- query entries carry the queried name and record type, but no ttl
      for n, t in pairs(queries) do
          local rrname = t["rrname"]
          local rrtype = t["type"]
          print("QUERY: " .. rrname .. " [**] " .. rrtype)
      end
  end

``rcode()``
^^^^^^^^^^^

Returns the ``rcode`` value as an integer.

Example::

  local tx = dns.get_tx()
  local rcode = tx:rcode()
  print(rcode)

``rcode_string()``
^^^^^^^^^^^^^^^^^^

Returns the ``rcode`` value as a string.

Example::

  local tx = dns.get_tx()
  local rcode_string = tx:rcode_string()
  print(rcode_string)

``recursion_desired()``
^^^^^^^^^^^^^^^^^^^^^^^

Returns the state of the recursion desired (RD) flag as a boolean.

Example::

  local tx = dns.get_tx()
  if tx:recursion_desired() == true then
      print("RECURSION DESIRED")
  end

``rrname()``
^^^^^^^^^^^^

Returns the resource name from the first query object.

Example::

  local tx = dns.get_tx()
  local rrname = tx:rrname()
  print(rrname)

``txid()``
^^^^^^^^^^

Returns the transaction ID from the DNS message.

Example::

  local tx = dns.get_tx()
  local txid = tx:txid()
  print(txid)
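The following complete detection script, added here as an example and not part of the Suricata documentation, combines the methods above: it is meant to be hooked with ``alert dns:response_complete`` and flags NXDOMAIN responses whose queried name contains an unusually long label, a cheap heuristic for tunnelling or DGA-style lookups. The ``MAX_LABEL_LEN`` threshold and the ``longest_label`` helper are assumptions of this example.

```lua
-- Added example script (not from the Suricata docs): hook into
-- response_complete and match NXDOMAIN responses with a very long label.
local dns = require("suricata.dns")

-- Hypothetical threshold: longest label length treated as suspicious.
local MAX_LABEL_LEN = 32

-- Detection scripts need no buffers; the rule hook supplies the transaction.
function init (args)
    return {}
end

-- Return the length of the longest dot-separated label in a DNS name.
local function longest_label(name)
    local longest = 0
    for label in string.gmatch(name, "[^.]+") do
        if #label > longest then
            longest = #label
        end
    end
    return longest
end

-- Called once per hooked transaction; 1 means match, 0 means no match.
function match (args)
    local tx, err = dns.get_tx()
    if tx == nil then
        print(err)
        return 0
    end

    -- rcode 3 is NXDOMAIN (tx:rcode_string() would give the textual form).
    if tx:rcode() ~= 3 then
        return 0
    end

    local queries = tx:queries()
    if queries == nil then
        return 0
    end

    for _, q in pairs(queries) do
        local rrname = q["rrname"]
        if rrname ~= nil and longest_label(rrname) > MAX_LABEL_LEN then
            print("SUSPECT NXDOMAIN txid=" .. tx:txid() .. " name=" .. rrname)
            return 1
        end
    end
    return 0
end
```

Pair it with a rule such as ``alert dns:response_complete any any -> any any (msg:"Long-label NXDOMAIN"; lua:dns_long_label.lua; sid:1000001; rev:1;)``, where the script filename and sid are placeholders.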