5. Alerting

This section introduces the Haka alerting API.
- haka.alert{param1=value1, param2=value2[, ...]} → alert

  Parameters:
  - start_time (haka.time) – Start time of this alert.
  - end_time (haka.time) – End time of this alert.
  - description (string) – Description.
  - severity (string) – One of 'low', 'medium' or 'high'.
  - confidence (string or number) – 'low', 'medium', 'high' or any user-defined number.
  - completion (string) – State of the attack: 'failed' or 'successful'.
  - method (table) – Attack method.
  - method.description (string) – Description of the method of the attack.
  - method.ref (table of strings) – List of external references for this method.
  - sources (table) – List of AlertAddress, AlertService...
  - targets (table) – List of AlertAddress, AlertService...
  - ref (table) – List of alert references.

  Returns:
  - alert (Alert) – Alert reference.

  Raise an alert. All parameters are optional.
- haka.alert.address(object1, object2[, ...]) → address
- haka.alert.service(object1, object2[, ...]) → service

  Parameters:
  - object1, object2, ... – Any object that can be converted to a string.

  Returns:
  - address (AlertAddress) – Address object.
  - service (AlertService) – Service object.

  Create an object to describe a source or a target.

- object AlertAddress
- object AlertService
Example:

    haka.alert{
        start_time = pkt.raw.timestamp,
        description = "packet received",
        severity = 'medium',
        confidence = 'high',
        completion = 'failed',
        method = {
            description = "Packet sent on the network",
            ref = { "cve:2013-XXX", "http://intranet/vulnid?id=115", "cwe:809" }
        },
        sources = { haka.alert.address(pkt.src, "evil.host.fqdn") },
        targets = { haka.alert.address(pkt.dst), haka.alert.service("tcp/22", "ssh") }
    }
- object Alert

  Alert object.

- <alert>:update{param1=value1, param2=value2[, ...]}

  Parameters:
  - param1, param2, ... – Same names/values as for an alert (see haka.alert()).

  Update an existing alert.

Example:

    local my_alert = haka.alert{ severity = 'low', sources = { haka.alert.address(pkt.src) } }
    my_alert:update{ completion = 'failed' }
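The following rule is an added example, not part of the Haka documentation, showing how the Alert reference returned by haka.alert() and <alert>:update{} fit together in a detection rule: the first packet from a watchlisted source raises one alert, and later packets from the same source extend its time window instead of flooding the alert log. It assumes the haka.rule{hook=..., eval=...} registration syntax, the ipv4 dissector event ipv4.events.receive_packet and that pkt.src converts with tostring(); the packet fields pkt.src, pkt.dst and pkt.raw.timestamp are the ones used in the example above.

```lua
-- Added example (not from the Haka docs). Rule syntax and the ipv4
-- dissector event are assumptions; verify them against your Haka version.
local ipv4 = require('protocol/ipv4')

-- Constructed watchlist of source addresses for this example.
local watchlist = {
    ["192.0.2.10"]   = true,
    ["198.51.100.7"] = true,
}

-- One Alert per watched source, keyed by the textual address, so that
-- repeated packets update the existing alert rather than raising a new one.
local open_alerts = {}

-- Returns nil for unwatched sources, the (new or updated) Alert otherwise.
local function watchlist_alert(pkt)
    local src = tostring(pkt.src)          -- assumed: ipv4 addr supports tostring()
    if not watchlist[src] then return nil end

    local existing = open_alerts[src]
    if existing then
        -- Same parameters as haka.alert(): here only the window end moves.
        existing:update{ end_time = pkt.raw.timestamp }
        return existing
    end

    local alert = haka.alert{
        start_time  = pkt.raw.timestamp,
        description = "traffic from watchlisted source",
        severity    = 'medium',
        confidence  = 'high',
        method = {
            description = "Packet from a source address on the local watchlist",
            ref = { "http://intranet/watchlist" }   -- constructed reference
        },
        sources = { haka.alert.address(pkt.src) },
        targets = { haka.alert.address(pkt.dst) }
    }
    open_alerts[src] = alert
    return alert
end

haka.rule{
    hook = ipv4.events.receive_packet,     -- assumed hook name
    eval = function (pkt)
        watchlist_alert(pkt)
    end
}
```

The open_alerts table grows with the number of distinct watched sources; a deployment would expire entries (for example on a timer) once end_time has not moved for a while.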