output-lua.c

Go to the documentation of this file.

/* Copyright (C) 2014-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
 
/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 */
 
#include "suricata-common.h"
#include "output-lua.h"
 
#include "util-lua-builtins.h"
#include "util-debug.h"
#include "output.h"
#include "app-layer-htp.h"
#include "app-layer-ssl.h"
#include "app-layer-ssh.h"
#include "app-layer-parser.h"
#include "util-time.h"
#include "util-lua.h"
#include "util-lua-common.h"
#include "util-lua-http.h"
#include "util-lua-dns.h"
#include "util-lua-ja3.h"
#include "util-lua-tls.h"
#include "util-lua-ssh.h"
#include "util-lua-hassh.h"
#include "util-lua-smtp.h"
 
#define MODULE_NAME "LuaLog"
 
/** \brief structure containing global config
 *  The OutputLuaLogInitSub which is run per script
 *  can access this to get global config info through
 *  it's parent_ctx->data ptr.
 */
typedef struct LogLuaMasterCtx_ {
    /** \brief Path to script directory. */
    char script_dir[PATH_MAX];
 
    /** \brief Lua search path for Lua modules. */
    char path[PATH_MAX];
 
    /** \brief Lua search path for C modules. */
    char cpath[PATH_MAX];
} LogLuaMasterCtx;
 
typedef struct LogLuaCtx_ {
    SCMutex m;
    lua_State *luastate;
    int deinit_once;
} LogLuaCtx;
 
typedef struct LogLuaThreadCtx_ {
    LogLuaCtx *lua_ctx;
} LogLuaThreadCtx;
 
static TmEcode LuaLogThreadInit(ThreadVars *t, const void *initdata, void **data);
static TmEcode LuaLogThreadDeinit(ThreadVars *t, void *data);
 
/** \internal
 *  \brief TX logger for lua scripts
 *
 * A single call to this function will run one script on a single
 * transaction.
 *
 * NOTE: The flow (f) also referenced by p->flow is locked.
 */
static int LuaTxLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *alstate, void *txptr, uint64_t tx_id)
{
    SCEnter();
 
    LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;
 
    SCMutexLock(&td->lua_ctx->m);
 
    LuaStateSetThreadVars(td->lua_ctx->luastate, tv);
    LuaStateSetPacket(td->lua_ctx->luastate, (Packet *)p);
    LuaStateSetTX(td->lua_ctx->luastate, txptr, tx_id);
    LuaStateSetFlow(td->lua_ctx->luastate, f);
 
    /* prepare data to pass to script */
    lua_getglobal(td->lua_ctx->luastate, "log");
    lua_newtable(td->lua_ctx->luastate);
    LuaPushTableKeyValueInt(td->lua_ctx->luastate, "tx_id", (int)(tx_id));
 
    int retval = lua_pcall(td->lua_ctx->luastate, 1, 0, 0);
    if (retval != 0) {
        SCLogInfo("failed to run script: %s", lua_tostring(td->lua_ctx->luastate, -1));
    }
 
    SCMutexUnlock(&td->lua_ctx->m);
    SCReturnInt(0);
}
 
/** \internal
 *  \brief Streaming logger for lua scripts
 *
 *  Hooks into the Streaming Logger API. Gets called for each chunk of new
 *  streaming data.
 */
static int LuaStreamingLogger(ThreadVars *tv, void *thread_data, const Flow *f,
        const uint8_t *data, uint32_t data_len, uint64_t tx_id, uint8_t flags)
{
    SCEnter();
 
    void *txptr = NULL;
    LuaStreamingBuffer b = { data, data_len, flags };
 
    SCLogDebug("flags %02x", flags);
 
    if (flags & OUTPUT_STREAMING_FLAG_TRANSACTION) {
        if (f && f->alstate)
            txptr = AppLayerParserGetTx(f->proto, f->alproto, f->alstate, tx_id);
    }
 
    LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;
 
    SCMutexLock(&td->lua_ctx->m);
 
    LuaStateSetThreadVars(td->lua_ctx->luastate, tv);
    if (flags & OUTPUT_STREAMING_FLAG_TRANSACTION)
        LuaStateSetTX(td->lua_ctx->luastate, txptr, tx_id);
    LuaStateSetFlow(td->lua_ctx->luastate, (Flow *)f);
    LuaStateSetStreamingBuffer(td->lua_ctx->luastate, &b);
 
    /* prepare data to pass to script */
    lua_getglobal(td->lua_ctx->luastate, "log");
    lua_newtable(td->lua_ctx->luastate);
 
    if (flags & OUTPUT_STREAMING_FLAG_TRANSACTION)
        LuaPushTableKeyValueInt(td->lua_ctx->luastate, "tx_id", (int)(tx_id));
 
    int retval = lua_pcall(td->lua_ctx->luastate, 1, 0, 0);
    if (retval != 0) {
        SCLogInfo("failed to run script: %s", lua_tostring(td->lua_ctx->luastate, -1));
    }
 
    SCMutexUnlock(&td->lua_ctx->m);
 
    SCReturnInt(TM_ECODE_OK);
}
 
/** \internal
 *  \brief Packet Logger for lua scripts, for alerts
 *
 *  A single call to this function will run one script for a single
 *  packet. If it is called, it means that the registered condition
 *  function has returned true.
 *
 *  The script is called once for each alert stored in the packet.
 *
 *  NOTE: p->flow is UNlocked
 */
static int LuaPacketLoggerAlerts(ThreadVars *tv, void *thread_data, const Packet *p)
{
    LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;
 
    char timebuf[64];
    CreateTimeString(p->ts, timebuf, sizeof(timebuf));
 
    if (!(PacketIsIPv4(p)) && !(PacketIsIPv6(p))) {
        /* decoder event */
        goto not_supported;
    }
 
    /* loop through alerts stored in the packet */
    SCMutexLock(&td->lua_ctx->m);
    uint16_t cnt;
    for (cnt = 0; cnt < p->alerts.cnt; cnt++) {
        const PacketAlert *pa = &p->alerts.alerts[cnt];
        if (unlikely(pa->s == NULL)) {
            continue;
        }
 
        lua_getglobal(td->lua_ctx->luastate, "log");
 
        void *txptr = NULL;
        if (p->flow && p->flow->alstate && (pa->flags & PACKET_ALERT_FLAG_TX))
            txptr = AppLayerParserGetTx(
                    p->flow->proto, p->flow->alproto, p->flow->alstate, pa->tx_id);
 
        LuaStateSetThreadVars(td->lua_ctx->luastate, tv);
        LuaStateSetPacket(td->lua_ctx->luastate, (Packet *)p);
        LuaStateSetTX(td->lua_ctx->luastate, txptr, pa->tx_id);
        LuaStateSetFlow(td->lua_ctx->luastate, p->flow);
        LuaStateSetPacketAlert(td->lua_ctx->luastate, (PacketAlert *)pa);
 
        /* prepare data to pass to script */
        //lua_newtable(td->lua_ctx->luastate);
 
        int retval = lua_pcall(td->lua_ctx->luastate, 0, 0, 0);
        if (retval != 0) {
            SCLogInfo("failed to run script: %s", lua_tostring(td->lua_ctx->luastate, -1));
        }
    }
    SCMutexUnlock(&td->lua_ctx->m);
not_supported:
    SCReturnInt(0);
}
 
static bool LuaPacketConditionAlerts(ThreadVars *tv, void *data, const Packet *p)
{
    return (p->alerts.cnt > 0);
}
 
/** \internal
 *  \brief Packet Logger for lua scripts, for packets
 *
 *  A single call to this function will run one script for a single
 *  packet. If it is called, it means that the registered condition
 *  function has returned true.
 *
 *  The script is called once for each packet.
 *
 *  NOTE: p->flow is UNlocked
 */
static int LuaPacketLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
    LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;
 
    char timebuf[64];
 
    if ((!(PacketIsIPv4(p))) && (!(PacketIsIPv6(p)))) {
        goto not_supported;
    }
 
    CreateTimeString(p->ts, timebuf, sizeof(timebuf));
 
    /* loop through alerts stored in the packet */
    SCMutexLock(&td->lua_ctx->m);
    lua_getglobal(td->lua_ctx->luastate, "log");
 
    LuaStateSetThreadVars(td->lua_ctx->luastate, tv);
    LuaStateSetPacket(td->lua_ctx->luastate, (Packet *)p);
    LuaStateSetFlow(td->lua_ctx->luastate, p->flow);
 
    /* prepare data to pass to script */
    lua_newtable(td->lua_ctx->luastate);
 
    int retval = lua_pcall(td->lua_ctx->luastate, 1, 0, 0);
    if (retval != 0) {
        SCLogInfo("failed to run script: %s", lua_tostring(td->lua_ctx->luastate, -1));
    }
    SCMutexUnlock(&td->lua_ctx->m);
not_supported:
    SCReturnInt(0);
}
 
static bool LuaPacketCondition(ThreadVars *tv, void *data, const Packet *p)
{
    return true;
}
 
/** \internal
 *  \brief File API Logger function for Lua scripts
 *
 *  Executes a script once for one file.
 *
 * NOTE p->flow is locked at this point
 */
static int LuaFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff,
        void *tx, const uint64_t tx_id, uint8_t dir)
{
    SCEnter();
    LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;
 
    if ((!(PacketIsIPv4(p))) && (!(PacketIsIPv6(p))))
        return 0;
 
    BUG_ON(ff->flags & FILE_LOGGED);
 
    SCLogDebug("ff %p", ff);
 
    SCMutexLock(&td->lua_ctx->m);
 
    LuaStateSetThreadVars(td->lua_ctx->luastate, tv);
    LuaStateSetPacket(td->lua_ctx->luastate, (Packet *)p);
    LuaStateSetTX(td->lua_ctx->luastate, tx, tx_id);
    LuaStateSetFlow(td->lua_ctx->luastate, p->flow);
    LuaStateSetFile(td->lua_ctx->luastate, (File *)ff);
 
    /* get the lua function to call */
    lua_getglobal(td->lua_ctx->luastate, "log");
 
    int retval = lua_pcall(td->lua_ctx->luastate, 0, 0, 0);
    if (retval != 0) {
        SCLogInfo("failed to run script: %s", lua_tostring(td->lua_ctx->luastate, -1));
    }
    SCMutexUnlock(&td->lua_ctx->m);
    return 0;
}
 
/** \internal
 *  \brief Flow API Logger function for Lua scripts
 *
 *  Executes a script once for one flow
 *
 *  Note: flow 'f' is locked
 */
static int LuaFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
{
    SCEnter();
    LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;
 
    SCLogDebug("f %p", f);
 
    SCMutexLock(&td->lua_ctx->m);
 
    LuaStateSetThreadVars(td->lua_ctx->luastate, tv);
    LuaStateSetFlow(td->lua_ctx->luastate, f);
 
    /* get the lua function to call */
    lua_getglobal(td->lua_ctx->luastate, "log");
 
    int retval = lua_pcall(td->lua_ctx->luastate, 0, 0, 0);
    if (retval != 0) {
        SCLogInfo("failed to run script: %s", lua_tostring(td->lua_ctx->luastate, -1));
    }
    SCMutexUnlock(&td->lua_ctx->m);
    return 0;
}
 
 
 
static int LuaStatsLogger(ThreadVars *tv, void *thread_data, const StatsTable *st)
{
    SCEnter();
    LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;
 
    SCMutexLock(&td->lua_ctx->m);
 
    lua_State *luastate = td->lua_ctx->luastate;
    /* get the lua function to call */
    lua_getglobal(td->lua_ctx->luastate, "log");
 
    /* create lua array, which is really just a table. The key is an int (1-x),
     * the value another table with named fields: name, tm_name, value, pvalue.
     * { 1, { name=<name>, tmname=<tm_name>, value=<value>, pvalue=<pvalue>}}
     * { 2, { name=<name>, tmname=<tm_name>, value=<value>, pvalue=<pvalue>}}
     * etc
     */
    lua_newtable(luastate);
    uint32_t u = 0;
    for (; u < st->nstats; u++) {
        lua_pushinteger(luastate, u + 1);
 
        lua_newtable(luastate);
 
        lua_pushstring(luastate, "name");
        lua_pushstring(luastate, st->stats[u].name);
        lua_settable(luastate, -3);
 
        lua_pushstring(luastate, "tmname");
        lua_pushstring(luastate, st->stats[u].tm_name);
        lua_settable(luastate, -3);
 
        lua_pushstring(luastate, "value");
        lua_pushinteger(luastate, st->stats[u].value);
        lua_settable(luastate, -3);
 
        lua_pushstring(luastate, "pvalue");
        lua_pushinteger(luastate, st->stats[u].pvalue);
        lua_settable(luastate, -3);
 
        lua_settable(luastate, -3);
    }
 
    int retval = lua_pcall(td->lua_ctx->luastate, 1, 0, 0);
    if (retval != 0) {
        SCLogInfo("failed to run script: %s", lua_tostring(td->lua_ctx->luastate, -1));
    }
    SCMutexUnlock(&td->lua_ctx->m);
    return 0;
 
}
 
typedef struct LogLuaScriptOptions_ {
    AppProto alproto;
    int packet;
    int alerts;
    int file;
    int streaming;
    int tcp_data;
    int http_body;
    int flow;
    int stats;
} LogLuaScriptOptions;
 
/** \brief Setup or clear Lua module search paths.
 *
 * If search paths are provided by the configuration, set them up,
 * otherwise clear the default search paths.
 */
static void LuaSetPaths(lua_State *L, LogLuaMasterCtx *ctx)
{
    lua_getglobal(L, "package");
 
    if (strlen(ctx->path) > 0) {
        lua_pushstring(L, ctx->path);
    } else {
        lua_pushstring(L, "");
    }
    lua_setfield(L, -2, "path");
 
    if (strlen(ctx->cpath) > 0) {
        lua_pushstring(L, ctx->cpath);
    } else {
        lua_pushstring(L, "");
    }
    lua_setfield(L, -2, "cpath");
 
    /* Pop package. */
    lua_pop(L, 1);
}
 
/** \brief load and evaluate the script
 *
 *  This function parses the script, checks if all the required functions
 *  are defined and runs the 'init' function. The init function will inform
 *  us what the scripts needs are.
 *
 *  \param filename filename of lua script file
 *  \param options struct to pass script requirements/options back to caller
 *  \retval errcode 0 ok, -1 error
 */
static int LuaScriptInit(const char *filename, LogLuaScriptOptions *options, LogLuaMasterCtx *ctx)
{
    lua_State *luastate = LuaGetState();
    if (luastate == NULL)
        goto error;
    luaL_openlibs(luastate);
    SCLuaRequirefBuiltIns(luastate);
    LuaSetPaths(luastate, ctx);
 
    int status = luaL_loadfile(luastate, filename);
    if (status) {
        SCLogError("couldn't load file: %s", lua_tostring(luastate, -1));
        goto error;
    }
 
    /* prime the script (or something) */
    if (lua_pcall(luastate, 0, 0, 0) != 0) {
        SCLogError("couldn't prime file: %s", lua_tostring(luastate, -1));
        goto error;
    }
 
    lua_getglobal(luastate, "init");
    if (lua_type(luastate, -1) != LUA_TFUNCTION) {
        SCLogError("no init function in script");
        goto error;
    }
 
    if (lua_pcall(luastate, 0, 1, 0) != 0) {
        SCLogError("couldn't run script 'init' function: %s", lua_tostring(luastate, -1));
        goto error;
    }
 
    /* process returns from script */
    if (lua_gettop(luastate) == 0) {
        SCLogError("init function in script should return table, nothing returned");
        goto error;
    }
    if (lua_type(luastate, 1) != LUA_TTABLE) {
        SCLogError("init function in script should return table, returned is not table");
        goto error;
    }
 
    lua_pushnil(luastate);
    const char *k, *v;
    while (lua_next(luastate, -2)) {
        k = lua_tostring(luastate, -2);
        if (k == NULL)
            continue;
 
        v = lua_tostring(luastate, -1);
        lua_pop(luastate, 1);
        if (v == NULL)
            continue;
 
        SCLogDebug("k='%s', v='%s'", k, v);
 
        if (strcmp(k,"protocol") == 0 && strcmp(v, "http") == 0)
            options->alproto = ALPROTO_HTTP1;
        else if (strcmp(k,"protocol") == 0 && strcmp(v, "dns") == 0)
            options->alproto = ALPROTO_DNS;
        else if (strcmp(k,"protocol") == 0 && strcmp(v, "tls") == 0)
            options->alproto = ALPROTO_TLS;
        else if (strcmp(k,"protocol") == 0 && strcmp(v, "ssh") == 0)
            options->alproto = ALPROTO_SSH;
        else if (strcmp(k,"protocol") == 0 && strcmp(v, "smtp") == 0)
            options->alproto = ALPROTO_SMTP;
        else if (strcmp(k, "type") == 0 && strcmp(v, "packet") == 0)
            options->packet = 1;
        else if (strcmp(k, "filter") == 0 && strcmp(v, "alerts") == 0)
            options->alerts = 1;
        else if (strcmp(k, "type") == 0 && strcmp(v, "file") == 0)
            options->file = 1;
        else if (strcmp(k, "type") == 0 && strcmp(v, "streaming") == 0)
            options->streaming = 1;
        else if (strcmp(k, "type") == 0 && strcmp(v, "flow") == 0)
            options->flow = 1;
        else if (strcmp(k, "filter") == 0 && strcmp(v, "tcp") == 0)
            options->tcp_data = 1;
        else if (strcmp(k, "type") == 0 && strcmp(v, "stats") == 0)
            options->stats = 1;
        else {
            SCLogError("unknown key and/or value: k='%s', v='%s'", k, v);
            goto error;
        }
    }
 
    if (((options->alproto != ALPROTO_UNKNOWN)) + options->packet + options->file > 1) {
        SCLogError("invalid combination of 'needs' in the script");
        goto error;
    }
 
    lua_getglobal(luastate, "setup");
    if (lua_type(luastate, -1) != LUA_TFUNCTION) {
        SCLogError("no setup function in script");
        goto error;
    }
 
    lua_getglobal(luastate, "log");
    if (lua_type(luastate, -1) != LUA_TFUNCTION) {
        SCLogError("no log function in script");
        goto error;
    }
 
    lua_getglobal(luastate, "deinit");
    if (lua_type(luastate, -1) != LUA_TFUNCTION) {
        SCLogError("no deinit function in script");
        goto error;
    }
 
    LuaReturnState(luastate);
    return 0;
error:
    if (luastate)
        LuaReturnState(luastate);
    return -1;
}
 
/** \brief setup a luastate for use at runtime
 *
 *  This loads the script, primes it and then runs the 'setup' function.
 *
 *  \retval state Returns the set up luastate on success, NULL on error
 */
static lua_State *LuaScriptSetup(const char *filename, LogLuaMasterCtx *ctx)
{
    lua_State *luastate = LuaGetState();
    if (luastate == NULL) {
        SCLogError("luaL_newstate failed");
        goto error;
    }
 
    luaL_openlibs(luastate);
    SCLuaRequirefBuiltIns(luastate);
    LuaSetPaths(luastate, ctx);
 
    int status = luaL_loadfile(luastate, filename);
    if (status) {
        SCLogError("couldn't load file: %s", lua_tostring(luastate, -1));
        goto error;
    }
 
    /* prime the script */
    if (lua_pcall(luastate, 0, 0, 0) != 0) {
        SCLogError("couldn't prime file: %s", lua_tostring(luastate, -1));
        goto error;
    }
 
    lua_getglobal(luastate, "setup");
 
    /* register functions common to all */
    LuaRegisterFunctions(luastate);
    LuaRegisterJa3Functions(luastate);
    LuaRegisterTlsFunctions(luastate);
    LuaRegisterSshFunctions(luastate);
    LuaRegisterHasshFunctions(luastate);
    LuaRegisterSmtpFunctions(luastate);
 
    if (lua_pcall(luastate, 0, 0, 0) != 0) {
        SCLogError("couldn't run script 'setup' function: %s", lua_tostring(luastate, -1));
        goto error;
    }
 
    SCLogDebug("lua_State %p is set up", luastate);
    return luastate;
error:
    if (luastate)
        LuaReturnState(luastate);
    return NULL;
}
 
static void LogLuaSubFree(OutputCtx *oc) {
    if (oc->data)
        SCFree(oc->data);
    SCFree(oc);
}
 
/** \brief initialize output for a script instance
 *
 *  Runs script 'setup' function.
 */
static OutputInitResult OutputLuaLogInitSub(SCConfNode *conf, OutputCtx *parent_ctx)
{
    OutputInitResult result = { NULL, false };
    if (conf == NULL)
        return result;
 
    LogLuaCtx *lua_ctx = SCCalloc(1, sizeof(LogLuaCtx));
    if (unlikely(lua_ctx == NULL))
        return result;
 
    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
    if (unlikely(output_ctx == NULL)) {
        SCFree(lua_ctx);
        return result;
    }
 
    SCMutexInit(&lua_ctx->m, NULL);
 
    BUG_ON(parent_ctx == NULL);
    LogLuaMasterCtx *mc = parent_ctx->data;
    BUG_ON(mc == NULL);
 
    const char *dir = mc->script_dir;
    char path[PATH_MAX] = "";
    int ret = snprintf(path, sizeof(path),"%s%s%s", dir, strlen(dir) ? "/" : "", conf->val);
    if (ret < 0 || ret == sizeof(path)) {
        SCLogError("failed to construct lua script path");
        goto error;
    }
    SCLogDebug("script full path %s", path);
 
    SCMutexLock(&lua_ctx->m);
    lua_ctx->luastate = LuaScriptSetup(path, mc);
    SCMutexUnlock(&lua_ctx->m);
    if (lua_ctx->luastate == NULL)
        goto error;
 
    SCLogDebug("lua_ctx %p", lua_ctx);
 
    output_ctx->data = lua_ctx;
    output_ctx->DeInit = LogLuaSubFree;
 
    result.ctx = output_ctx;
    result.ok = true;
    return result;
error:
    SCMutexDestroy(&lua_ctx->m);
    SCFree(lua_ctx);
    SCFree(output_ctx);
    return result;
}
 
static void LogLuaMasterFree(OutputCtx *oc)
{
    if (oc->data)
        SCFree(oc->data);
 
    OutputModule *om, *tom;
    TAILQ_FOREACH_SAFE(om, &oc->submodules, entries, tom) {
        SCFree(om);
    }
    SCFree(oc);
}
 
/** \internal
 *  \brief initialize output instance for lua module
 *
 *  Parses nested script list, primes them to find out what they
 *  inspect, then fills the OutputCtx::submodules list with the
 *  proper Logger function for the data type the script needs.
 */
static OutputInitResult OutputLuaLogInit(SCConfNode *conf)
{
    OutputInitResult result = { NULL, false };
    const char *dir = SCConfNodeLookupChildValue(conf, "scripts-dir");
    if (dir == NULL)
        dir = "";
 
    SCConfNode *scripts = SCConfNodeLookupChild(conf, "scripts");
    if (scripts == NULL) {
        /* No "outputs" section in the configuration. */
        SCLogInfo("scripts not defined");
        return result;
    }
 
    /* global output ctx setup */
    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
    if (unlikely(output_ctx == NULL)) {
        return result;
    }
    output_ctx->DeInit = LogLuaMasterFree;
    output_ctx->data = SCCalloc(1, sizeof(LogLuaMasterCtx));
    if (unlikely(output_ctx->data == NULL)) {
        SCFree(output_ctx);
        return result;
    }
    LogLuaMasterCtx *master_config = output_ctx->data;
    strlcpy(master_config->script_dir, dir, sizeof(master_config->script_dir));
 
    const char *lua_path = SCConfNodeLookupChildValue(conf, "path");
    if (lua_path && strlen(lua_path) > 0) {
        strlcpy(master_config->path, lua_path, sizeof(master_config->path));
    }
 
    const char *lua_cpath = SCConfNodeLookupChildValue(conf, "cpath");
    if (lua_cpath && strlen(lua_cpath) > 0) {
        strlcpy(master_config->cpath, lua_cpath, sizeof(master_config->cpath));
    }
 
    TAILQ_INIT(&output_ctx->submodules);
 
    /* check the enables scripts and set them up as submodules */
    SCConfNode *script;
    TAILQ_FOREACH(script, &scripts->head, next) {
        SCLogInfo("enabling script %s", script->val);
        LogLuaScriptOptions opts;
        memset(&opts, 0x00, sizeof(opts));
 
        char path[PATH_MAX] = "";
        snprintf(path, sizeof(path),"%s%s%s", dir, strlen(dir) ? "/" : "", script->val);
        SCLogDebug("script full path %s", path);
 
        int r = LuaScriptInit(path, &opts, master_config);
        if (r != 0) {
            SCLogError("couldn't initialize script");
            goto error;
        }
 
        /* create an OutputModule for this script, based
         * on it's needs. */
        OutputModule *om = SCCalloc(1, sizeof(*om));
        if (om == NULL) {
            SCLogError("calloc() failed");
            goto error;
        }
 
        om->name = MODULE_NAME;
        om->conf_name = script->val;
        om->InitSubFunc = OutputLuaLogInitSub;
        om->ThreadInit = LuaLogThreadInit;
        om->ThreadDeinit = LuaLogThreadDeinit;
 
        if (opts.alproto == ALPROTO_HTTP1 && opts.streaming) {
            om->StreamingLogFunc = LuaStreamingLogger;
            om->stream_type = STREAMING_HTTP_BODIES;
            om->alproto = ALPROTO_HTTP1;
            AppLayerHtpEnableRequestBodyCallback();
            AppLayerHtpEnableResponseBodyCallback();
        } else if (opts.alproto == ALPROTO_HTTP1) {
            om->TxLogFunc = LuaTxLogger;
            om->alproto = ALPROTO_HTTP1;
            om->ts_log_progress = -1;
            om->tc_log_progress = -1;
            AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP1);
        } else if (opts.alproto == ALPROTO_TLS) {
            om->TxLogFunc = LuaTxLogger;
            om->alproto = ALPROTO_TLS;
            om->tc_log_progress = TLS_STATE_SERVER_HANDSHAKE_DONE;
            om->ts_log_progress = TLS_STATE_CLIENT_HANDSHAKE_DONE;
            AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS);
        } else if (opts.alproto == ALPROTO_DNS) {
            om->TxLogFunc = LuaTxLogger;
            om->alproto = ALPROTO_DNS;
            om->ts_log_progress = -1;
            om->tc_log_progress = -1;
            AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_DNS);
            AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_DNS);
        } else if (opts.alproto == ALPROTO_SSH) {
            om->TxLogFunc = LuaTxLogger;
            om->alproto = ALPROTO_SSH;
            om->TxLogCondition = SSHTxLogCondition;
            AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH);
        } else if (opts.alproto == ALPROTO_SMTP) {
            om->TxLogFunc = LuaTxLogger;
            om->alproto = ALPROTO_SMTP;
            om->ts_log_progress = -1;
            om->tc_log_progress = -1;
            AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SMTP);
        } else if (opts.packet && opts.alerts) {
            om->PacketLogFunc = LuaPacketLoggerAlerts;
            om->PacketConditionFunc = LuaPacketConditionAlerts;
        } else if (opts.packet && opts.alerts == 0) {
            om->PacketLogFunc = LuaPacketLogger;
            om->PacketConditionFunc = LuaPacketCondition;
        } else if (opts.file) {
            om->FileLogFunc = LuaFileLogger;
            AppLayerHtpNeedFileInspection();
        } else if (opts.streaming && opts.tcp_data) {
            om->StreamingLogFunc = LuaStreamingLogger;
            om->stream_type = STREAMING_TCP_DATA;
        } else if (opts.flow) {
            om->FlowLogFunc = LuaFlowLogger;
        } else if (opts.stats) {
            om->StatsLogFunc = LuaStatsLogger;
        } else {
            SCLogError("failed to setup thread module");
            SCFree(om);
            goto error;
        }
 
        TAILQ_INSERT_TAIL(&output_ctx->submodules, om, entries);
    }
 
    result.ctx = output_ctx;
    result.ok = true;
    return result;
 
error:
    if (output_ctx->DeInit)
        output_ctx->DeInit(output_ctx);
 
    int failure_fatal = 0;
    if (SCConfGetBool("engine.init-failure-fatal", &failure_fatal) != 1) {
        SCLogDebug("ConfGetBool could not load the value.");
    }
    if (failure_fatal) {
        FatalError("Error during setup of lua output. Details should be "
                   "described in previous error messages. Shutting down...");
    }
 
    return result;
}
 
/** \internal
 *  \brief Run the scripts 'deinit' function
 */
static void OutputLuaLogDoDeinit(LogLuaCtx *lua_ctx)
{
    lua_State *luastate = lua_ctx->luastate;
 
    lua_getglobal(luastate, "deinit");
    if (lua_type(luastate, -1) != LUA_TFUNCTION) {
        SCLogError("no deinit function in script");
        return;
    }
    //LuaPrintStack(luastate);
 
    if (lua_pcall(luastate, 0, 0, 0) != 0) {
        SCLogError("couldn't run script 'deinit' function: %s", lua_tostring(luastate, -1));
        return;
    }
    LuaReturnState(luastate);
}
 
/** \internal
 *  \brief Initialize the thread storage for lua
 *
 *  Currently only stores a pointer to the global LogLuaCtx
 */
static TmEcode LuaLogThreadInit(ThreadVars *t, const void *initdata, void **data)
{
    LogLuaThreadCtx *td = SCCalloc(1, sizeof(*td));
    if (unlikely(td == NULL))
        return TM_ECODE_FAILED;
 
    if (initdata == NULL) {
        SCLogDebug("Error getting context for LuaLog. \"initdata\" argument NULL");
        SCFree(td);
        return TM_ECODE_FAILED;
    }
 
    LogLuaCtx *lua_ctx = ((OutputCtx *)initdata)->data;
    SCLogDebug("lua_ctx %p", lua_ctx);
    td->lua_ctx = lua_ctx;
    *data = (void *)td;
    return TM_ECODE_OK;
}
 
/** \internal
 *  \brief Deinit the thread storage for lua
 *
 *  Calls OutputLuaLogDoDeinit if no-one else already did.
 */
static TmEcode LuaLogThreadDeinit(ThreadVars *t, void *data)
{
    LogLuaThreadCtx *td = (LogLuaThreadCtx *)data;
    if (td == NULL) {
        return TM_ECODE_OK;
    }
 
    SCMutexLock(&td->lua_ctx->m);
    if (td->lua_ctx->deinit_once == 0) {
        OutputLuaLogDoDeinit(td->lua_ctx);
        td->lua_ctx->deinit_once = 1;
    }
    SCMutexUnlock(&td->lua_ctx->m);
 
    /* clear memory */
    memset(td, 0, sizeof(*td));
 
    SCFree(td);
    return TM_ECODE_OK;
}
 
void LuaLogRegister(void) {
    /* register as separate module */
    OutputRegisterModule(MODULE_NAME, "lua", OutputLuaLogInit);
}