Fixes issues with unexpected XXX alerts where impacted server was not reported

Added Lua getFlowProtoClientIP/getFlowProtoServerIP calls in flows
2026-05-03 17:30:11 +00:00 · 2020-11-25 15:51:08 +01:00 · 2020-11-25 15:51:08 +01:00 · 06161556ac
commit 06161556ac
parent fbbbe4f4ad
19 changed files with 143 additions and 44 deletions
--- a/scripts/plugins/alerts/security/unexpected_ntp/user_scripts/flow/unexpected_ntp.lua
+++ b/scripts/plugins/alerts/security/unexpected_ntp/user_scripts/flow/unexpected_ntp.lua
@ -57,11 +57,17 @@ end

 function script.hooks.protocolDetected(now, conf)
   if(table.len(conf.items) > 0) then
-      ok = 0
-      server_ip =  flow.getServerKey()
+      local ok = 0
+      local flow_info = flow.getInfo()
+      local client_ip, server_ip

-      -- the string format returned by flow.geServerKey() is "x.x.x.x@0", :sub(1, -3) deletes "@0"
-      server_ip = server_ip:sub(1, -3)
+      if(flow_info["cli.protocol_server"]) then
+	 client_ip = flow_info["srv.ip"]
+	 server_ip = flow_info["cli.ip"]
+      else
+	 client_ip = flow_info["cli.ip"]
+	 server_ip = flow_info["srv.ip"]
+      end

      for _, ntp_ip in pairs(conf.items) do
 	 if server_ip == ntp_ip then
@ -70,11 +76,7 @@ function script.hooks.protocolDetected(now, conf)
      end

      if ok == 0 then
-         local unexpected_ntp_type = flow_consts.status_types.status_unexpected_ntp.create(
-            server_ip,
-            flow_info["srv.ip"],
-            flow_info["cli.ip"]
-         )
+         local unexpected_ntp_type = flow_consts.status_types.status_unexpected_ntp.create(client_ip, server_ip)

         alerts_api.trigger_status(unexpected_ntp_type, alert_consts.alert_severities.error, 0, 100, 100)
      end