18.3.10. Rule

Rule details for an alert are exposed to Lua scripts with the suricata.rule library, for example:

local rule = require("suricata.rule")

18.3.10.1. Rule Setup

For use in Suricata Lua rules, no additional setup is required.

18.3.10.2. Output Setup

For use in Suricata Lua output scripts, some additional setup is required:

function init(args)
    return {
        type = "packet",
        filter = "alerts",
    }
end

18.3.10.3. Getting a Rule Instance

To obtain a rule object, use the get_rule() function on the rule library:

local sig = rule.get_rule()

18.3.10.4. Rule Methods

18.3.10.4.1. action()

Returns the action of the rule, for example: alert, pass.

18.3.10.4.2. class_description()

Returns the classification description.

18.3.10.4.3. gid()

Returns the generator ID of the rule.

18.3.10.4.4. rev()

Returns the revision of the rule.

18.3.10.4.5. msg()

Returns the rule message (msg).

18.3.10.4.6. priority()

Returns the priority of the rule as a number.

18.3.10.4.7. sid()

Returns the signature ID of the rule.
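As an added example (not from the Suricata documentation), a complete Lua output script that uses the library above to record the rule details of every alert. The setup(), log() and deinit() callbacks are the remaining functions of Suricata's Lua output interface; the output path and the availability of the standard io library to output scripts are assumptions.

```lua
-- Added example: log rule details for every alert to a flat file.
-- suricata.rule and get_rule() are from the documentation above;
-- setup/log/deinit are the other Lua output callbacks. The file path
-- and use of the io library are assumptions for this example.
local rule = require("suricata.rule")

local out = nil
local counts = { priority1 = 0, other = 0 }

function init(args)
    -- Run for packets that raised an alert.
    return {
        type = "packet",
        filter = "alerts",
    }
end

function setup(args)
    -- Assumed path: adjust to the log directory of your deployment.
    out = assert(io.open("/var/log/suricata/lua-rule-details.log", "a"))
end

function log(args)
    local sig = rule.get_rule()
    if sig == nil then
        return
    end

    -- Priority 1 is the most severe; keep a count for the summary line.
    local prio = sig:priority()
    if prio == 1 then
        counts.priority1 = counts.priority1 + 1
    else
        counts.other = counts.other + 1
    end

    -- One line per alert in a fixed field order, so it can be parsed later:
    -- gid:sid:rev, action, priority, classification and rule message.
    out:write(string.format("%d:%d:%d action=%s prio=%d class=%q msg=%q\n",
        sig:gid(), sig:sid(), sig:rev(), tostring(sig:action()), prio,
        tostring(sig:class_description()), tostring(sig:msg())))
    out:flush()
end

function deinit(args)
    if out then
        out:write(string.format("# summary: priority1=%d other=%d\n",
            counts.priority1, counts.other))
        out:close()
    end
end
```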