Reworks attacker/victim in alerts

This commit is contained in:
Simone Mainardi 2021-01-07 19:03:42 +01:00
parent 740ba4b267
commit 1aaf92e843
21 changed files with 50 additions and 93 deletions


@ -30,18 +30,14 @@ function script.hooks.protocolDetected(now)
local flow_info = flow.getInfo()
local info = flow.getBlacklistedInfo()
local flow_score = 100
local cli_score, srv_score, attacker, victim
local cli_score, srv_score
if info["blacklisted.srv"] then
cli_score = flow_consts.max_score
srv_score = 5
attacker = flow_info["srv.ip"]
victim = flow_info["cli.ip"]
else
cli_score = 5
srv_score = 10
attacker = flow_info["cli.ip"]
victim = flow_info["srv.ip"]
end
local alert = alert_consts.alert_types.alert_flow_blacklisted.new(
@ -49,8 +45,6 @@ function script.hooks.protocolDetected(now)
)
alert:set_severity(alert_severities.error)
alert:set_attacker(attacker)
alert:set_victim(victim)
alert:trigger_status(cli_score, srv_score, flow_score)
end
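Review bot: `flow_info` (`local flow_info = flow.getInfo()`) appears to have lost its only visible readers in this hunk, since the removed `attacker`/`victim` assignments were the only lines that indexed it; if the hidden arguments of `alert_flow_blacklisted.new(` do not read it either, drop the `flow.getInfo()` call so luacheck does not report an unused local. The same question applies to `flow_info` in the device-protocol-not-allowed section and to the `server_ip`/`client_ip` locals in the four sections that still call `trigger_status(0, 100, 100)`, where the removed `set_attacker`/`set_victim` lines were their visible uses. script.hooks.protocolDetected starts before this hunk and the alert constructor arguments lie between its two hunks, so this is inferred rather than seen.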


@ -55,25 +55,21 @@ function script.hooks.protocolDetected(now, conf)
local srv_country = flow.getServerCountry()
local is_blacklisted = false
local flow_score = 60
local cli_score, srv_score, attacker, victim
local cli_score, srv_score = 0, 0
local info = {cli_blacklisted = false, srv_blacklisted = false}
if(cli_country and blacklisted_countries[cli_country]) then
info.cli_blacklisted = true
is_blacklisted = true
cli_score = 60
srv_score = 10
attacker = flow_info["cli.ip"]
victim = flow_info["srv.ip"]
cli_score = cli_score + 60
srv_score = srv_score + 10
end
if(srv_country and blacklisted_countries[srv_country]) then
info.srv_blacklisted = true
is_blacklisted = true
cli_score = 10
srv_score = 60
attacker = flow_info["srv.ip"]
victim = flow_info["cli.ip"]
cli_score = cli_score + 10
srv_score = srv_score + 60
end
if(is_blacklisted) then
@ -89,8 +85,6 @@ function script.hooks.protocolDetected(now, conf)
)
alert:set_severity(alert_severities.error)
alert:set_attacker(attacker)
alert:set_victim(victim)
alert:trigger_status(cli_score, srv_score, flow_score)
end
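Review bot: With both the client and the server country blacklisted, the new accumulating scores end tied at 70/70 (`cli_score = cli_score + 60` followed by `cli_score = cli_score + 10`, and symmetrically for `srv_score`), so if the removed `set_attacker`/`set_victim` calls are now replaced by a downstream comparison of the two scores, that case can no longer name an attacker; whether such a comparison exists is not visible here. The intent of the additive scoring is worth stating above the first `if`, e.g. `-- scores accumulate per blacklisted peer; a flow blacklisted on both ends ties at 70/70 while flow_score stays 60`. script.hooks.protocolDetected starts before this hunk and the alert constructor arguments lie between its hunks.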


@ -30,7 +30,7 @@ function script.hooks.protocolDetected(now)
if(flow.isDeviceProtocolNotAllowed()) then
local proto_info = flow.getDeviceProtoAllowedInfo()
local flow_score = 80
local cli_score, srv_score, attacker, victim
local cli_score, srv_score
local flow_info = flow.getInfo()
local alert_info = {
@ -43,15 +43,11 @@ function script.hooks.protocolDetected(now)
alert_info["devproto_forbidden_id"] = proto_info["cli.disallowed_proto"]
cli_score = 80
srv_score = 5
attacker = flow_info["cli.ip"]
victim = flow_info["srv.ip"]
else
alert_info["devproto_forbidden_peer"] = "srv"
alert_info["devproto_forbidden_id"] = proto_info["srv.disallowed_proto"]
cli_score = 5
srv_score = 80
attacker = flow_info["srv.ip"]
victim = flow_info["cli.ip"]
end
local alert = alert_consts.alert_types.alert_device_protocol_not_allowed.new(
@ -62,8 +58,6 @@ function script.hooks.protocolDetected(now)
)
alert:set_severity(alert_severities.error)
alert:set_attacker(attacker)
alert:set_victim(victim)
alert:trigger_status(cli_score, srv_score, flow_score)
end


@ -17,5 +17,5 @@ return {
-- ####################### Alert strings
alert_unexpected_dhcp_title = "Unexpected DHCP found"
alert_unexpected_dhcp_title = "Unexpected DHCP Server Found"
}


@ -84,8 +84,6 @@ function script.hooks.protocolDetected(now, conf)
)
alert:set_severity(alert_severities.error)
alert:set_attacker(server_ip)
alert:set_victim(client_ip)
alert:trigger_status(0, 100, 100)
end


@ -17,5 +17,5 @@ return {
-- ####################### Alert strings
alert_unexpected_dns_title = "Unexpected DNS found"
alert_unexpected_dns_title = "Unexpected DNS Server Found"
}


@ -83,8 +83,6 @@ function script.hooks.protocolDetected(now, conf)
)
alert:set_severity(alert_severities.error)
alert:set_attacker(server_ip)
alert:set_victim(client_ip)
alert:trigger_status(0, 100, 100)
end


@ -17,5 +17,5 @@ return {
-- ####################### Alert strings
alert_unexpected_ntp_title = "Unexpected NTP server found"
alert_unexpected_ntp_title = "Unexpected NTP Server Found"
}


@ -82,9 +82,7 @@ function script.hooks.protocolDetected(now, conf)
)
alert:set_severity(alert_severities.error)
alert:set_attacker(server_ip)
alert:set_victim(client_ip)
alert:trigger_status(0, 100, 100)
end
end


@ -17,5 +17,5 @@ return {
-- ####################### Alert strings
alert_unexpected_smtp_title = "Unexpected SMTP server found"
alert_unexpected_smtp_title = "Unexpected SMTP Server Found"
}


@ -73,8 +73,6 @@ function script.hooks.protocolDetected(now, conf)
)
alert:set_severity(alert_severities.error)
alert:set_attacker(server_ip)
alert:set_victim(client_ip)
alert:trigger_status(0, 100, 100)
end