Provide access to suricata via a library-like interface. Allows packets to be sent to suricata
and alerts received.
struct Packet {
data: Vec<u8>,
timestamp: std::time::SystemTime,
}
impl AsIpcPacket for Packet {
fn timestamp(&self) -> &std::time::SystemTime {
&self.timestamp
}
fn data(&self) -> &[u8] {
self.data.as_slice()
}
}
fn main() {
let resources = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("resources");
let config = Config::default();
let rules = Rules::from_path(resources.join("test.rules")).expect("Could not parse rules");
let cache: IntelCache<Rule> = rules.into();
cache.materialize_rules(config.rule_path.clone()).expect("Failed to materialize rules");
smol::block_on(async move {
let mut ids = Ids::new(config).await.expect("Failed to create ids");
let readers: Vec<EveReader<EveMessage>> = ids.take_readers();
let readers = futures::stream::select_all(readers.into_iter());
let packets: Vec<Packet> = vec![];
ids.send(packets.as_slice()).expect("Failed to send packets");
let alerts: Result<Vec<_>, Error> = readers.try_collect().await;
let alerts = alerts.expect("Failed to parse alerts");
for eve_msgs in alerts {
for eve in eve_msgs {
println!("Eve={:?}", eve);
if let Some(intel) = cache.observed(eve) {
if let Observed::Alert { rule, message: _, ts: _} = intel {
println!("Rule={:?}", rule);
}
}
}
}
})
}