[][src]Crate suricata_ipc

suricata-rs

Provide access to suricata via a library-like interface. Allows packets to be sent to suricata and alerts received.


struct Packet {
    data: Vec<u8>,
    timestamp: std::time::SystemTime,
}

impl AsIpcPacket for Packet {
    fn timestamp(&self) -> &std::time::SystemTime {
        &self.timestamp
    }
    fn data(&self) -> &[u8] {
        self.data.as_slice()
    }
}

fn main() {
    let resources = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
        .join("resources");
    let config = Config::default();
    let rules = Rules::from_path(resources.join("test.rules")).expect("Could not parse rules");
    let cache: IntelCache<Rule> = rules.into();
    cache.materialize_rules(config.rule_path.clone()).expect("Failed to materialize rules");

    smol::run(async move {
        let mut ids = Ids::new(config).await.expect("Failed to create ids");
        let ids_alerts = ids.take_messages().expect("No alerts");

        let packets: Vec<Packet> = vec![];
        ids.send(packets.as_slice()).expect("Failed to send packets");

        let alerts: Result<Vec<_>, Error> = ids_alerts.try_collect().await;
        let alerts: Result<Vec<_>, Error> = alerts.expect("Failed to receive alerts")
            .into_iter().flat_map(|v| v).collect();
        let alerts = alerts.expect("Failed to parse alerts");

        for eve in alerts {
            println!("Eve={:?}", eve);
            if let Some(intel) = cache.observed(eve) {
                if let Observed::Alert { rule, message: _, ts: _} = intel {
                    println!("Rule={:?}", rule);
                }
            }
        }
    })
}

Modules

prelude

Structs

Ids
IdsProcess