6.5. Rule set example

6.5.1. Introduction

This tutorial introduces a set of Haka script files located in <haka_install_path>/share/haka/sample/ruleset, which can be run with the hakapcap tool and a capture.pcap file:

$ cd <haka_install_path>/share/haka/sample/ruleset
$ hakapcap config.lua capture.pcap

This rule set can also be used for live analysis of traffic with the haka tool, but it is preferable to adjust some rules or the config first.

6.5.2. config.lua main file

This script is just a placeholder that includes all the other relevant files.

require("functions")

require("ipv4/dissector")
require("ipv4/security")
require("ipv4/compliance")

require("tcp/dissector")
require("tcp/security")
require("tcp/rules")

require("http/dissector")
require("http/security")
require("http/compliance")
require("http/policy")

The functions.lua file is a placeholder for all Lua utility functions.

6.5.3. Protocol directories

A directory has been created for each of the ipv4, tcp, dns and http protocols. Each directory contains one or more Haka policy files, including a mandatory dissector.lua file which loads the required dissectors. The other files enforce protocol controls (compliance) and security rules. Every file is used as long as it is required from the main Haka file. You can read those files as an example of how to build a ruleset made of security, filtering and compliance rules.
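As an added illustration of the dissector.lua plus security.lua pairing described above (example code, not the files shipped in the Haka sample ruleset), the block below shows a minimal ipv4/dissector.lua followed by an ipv4/security.lua. It assumes the Haka 0.2 Lua rule API (haka.rule with hook/eval, ipv4.events.receive_packet, haka.alert, pkt:drop(), pkt:verify_checksum(), ipv4.network) and uses a constructed blocklist network.

```lua
-- ipv4/dissector.lua : load the IPv4 dissector (assumed Haka 0.2 API)
-- require() caches the module, so other files may require it again locally.
local ipv4 = require("protocol/ipv4")

-- ipv4/security.lua : security rules evaluated on every received IPv4 packet
local ipv4 = require("protocol/ipv4")

-- Constructed example value: a network that should never appear as a source
-- on this link (203.0.113.0/24 is a documentation range, used here as a placeholder)
local blocked_net = ipv4.network("203.0.113.0/24")

haka.rule{
  hook = ipv4.events.receive_packet,
  eval = function (pkt)
    -- Drop packets whose IPv4 header checksum does not verify: these are
    -- either corrupted or deliberately malformed and must not reach upper
    -- layer dissectors.
    if not pkt:verify_checksum() then
      haka.alert{
        description = "bad IPv4 header checksum",
        severity = 'low',
        targets = { haka.alert.service("ipv4") }
      }
      pkt:drop()
      return
    end

    -- Raise an alert and drop the packet when the source address lies inside
    -- the constructed blocklist network.
    if blocked_net:contains(pkt.src) then
      haka.alert{
        description = "packet from blocklisted network",
        severity = 'medium',
        sources = { haka.alert.address(pkt.src) },
        targets = { haka.alert.address(pkt.dst) }
      }
      pkt:drop()
    end
  end
}
```

Both files are picked up only because config.lua requires "ipv4/dissector" before "ipv4/security"; a rule file that is not required from the main file is silently ignored.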