Added detection of periodic flows and exported it as flow risk in both flows and alerts

2026-05-03 01:10:10 +00:00 · 2022-12-30 19:48:26 +01:00 · 2022-12-30 19:48:26 +01:00 · 21101c43f1
commit 21101c43f1
parent fab8158bdd
10 changed files with 74 additions and 34 deletions
--- a/scripts/lua/get_flows_data.lua
+++ b/scripts/lua/get_flows_data.lua
@ -76,21 +76,21 @@ for key, value in ipairs(flows_stats) do
   local info = ""
   -- use an italic font to indicate extra information added after sorting
   local italic = true
-   
+
   if(not isEmptyString(flows_info["info"])) then
      info = flows_info["info"]
-      italic = false   
+      italic = false
   elseif(not isEmptyString(flows_info["icmp"])) then
      flows_info["info"] = icmp_utils.get_icmp_type(value.icmp.type, true)
-      
+
      if(value.icmp.entropy ~= nil) then
 	 local e = value.icmp.entropy
 	 local diff = e.max - e.min
-	 	 
+
 	 if(icmp_utils.is_suspicious_entropy(e.min, e.max)) then
 	    flows_info["info"] = flows_info["info"] .. " <span class=\"badge bg-warning\">".. i18n("suspicious_payload") .."</span>"
 	 end
-      end  
+      end
   elseif(flows_info["proto.ndpi"] == "SIP") then
      info = getSIPInfo(flows_info)
   elseif(starts(flows_info["proto.ndpi"], "RTP")) then
@ -105,28 +105,28 @@ for key, value in ipairs(flows_stats) do
 	 info = noHtml(info)
 	 info = info:gsub('"', '')
 	 local alt_info = info
-	 
+
 	 if italic then
 	    info = string.format("<i>%s</i>", info)
 	 end
 	 info = shortenString(info)
-	 
+
 	 -- Add extra icons to info column
 	 if (flows_info["protos.dns.last_query_type"] or flows_info["protos.dns.last_return_code"]) then
 	    local dns_info = format_dns_query_info({ last_query_type = flows_info["protos.dns.last_query_type"], last_return_code = flows_info["protos.dns.last_return_code"]})
-	    
+
 	    if(dns_info.last_query_type ~= 0) then
 	       info = dns_info.last_query_type .. " " .. dns_info.last_return_code .. " " .. info
 	    else
 	       info = dns_info.last_query_type .. info
 	    end
 	 end
-	 
+
 	 if flows_info["protos.http.last_return_code"] or flows_info["protos.http.last_method"] then
 	    local http_info = format_http_info({ last_return_code = flows_info["protos.http.last_return_code"], last_method = flows_info["protos.http.last_method"]})
 	    info = (http_info.last_return_code or '') .. " " .. http_info.last_method .. " " .. info
 	 end
-	 
+
 	 flows_info["info"] = "<span data-bs-toggle='tooltip' title='"..alt_info.."'>"..info.."</span>"
      end
   end
@ -322,6 +322,7 @@ for _key, value in ipairs(flows_stats) do -- pairsByValues(vals, funct) do

   local app = getApplicationLabel(value["proto.ndpi"])

+
   if(value["verdict.pass"] == false) then
      app = "<strike>"..app.."</strike>"
    end
@ -367,6 +368,24 @@ end
      record["column_score"] = format_utils.formatValue(value.score.flow_score)
   end

+   if(value.periodic_flow) then
+      info = info .. " <A HREF='".. ntop.getHttpPrefix() .."/lua/pro/enterprise/network_maps.lua?map=periodicity_map&page=table"
+
+      if(info_cli.ip ~= nil) then
+	 local k
+
+	 if(value["cli.serialize_by_mac"] and (value["cli.mac"] ~= nil)) then
+	    k = value["cli.mac"]
+	 else
+	    k = value["cli.ip"]
+	 end
+	 
+	 info = info .. "&host=".. k .. "&l7proto=".. value["proto.ndpi"]
+      end
+
+      info = info .. "'><span class='badge bg-warning text-dark'>"..i18n("periodic_flow").."</span></h1></A>"
+   end
+
   record["column_info"] = info

   formatted_res[#formatted_res + 1] = record
--- a/scripts/lua/modules/alert_keys/flow_alert_keys.lua
+++ b/scripts/lua/modules/alert_keys/flow_alert_keys.lua
@ -94,7 +94,8 @@ local flow_alert_keys = {
   flow_alert_ndpi_risky_asn                       = 85,
   flow_alert_ndpi_risky_domain                    = 86,
   flow_alert_custom_lua_script                    = 87,
-
+   flow_alert_ndpi_periodic_flow                   = 88,
+   
   -- NOTE: for flow alerts not not go beyond the size of Bitmap alert_map inside Flow.h (currently 128)
 }

--- a/scripts/lua/modules/alert_store/flow_alert_store.lua
+++ b/scripts/lua/modules/alert_store/flow_alert_store.lua
@ -541,7 +541,6 @@ function flow_alert_store:_add_additional_request_filters()

   self:add_filter_condition_list(self:format_query_json_value('proto.l7_error_code'), error_code, 'string')
   self:add_filter_condition_list(self:format_query_json_value('proto.confidence'), confidence, 'string')
-
 end

 -- ##############################################
@ -564,13 +563,13 @@ function flow_alert_store:_get_additional_available_filters()
      l7proto    = tag_utils.defined_tags.l7proto,
      info       = tag_utils.defined_tags.info,

-      cli_host_pool_id       = tag_utils.defined_tags.cli_host_pool_id,
-      srv_host_pool_id       = tag_utils.defined_tags.srv_host_pool_id,
+      cli_host_pool_id  = tag_utils.defined_tags.cli_host_pool_id,
+      srv_host_pool_id  = tag_utils.defined_tags.srv_host_pool_id,
      cli_network       = tag_utils.defined_tags.cli_network,
      srv_network       = tag_utils.defined_tags.srv_network,

-      l7_error_id     = tag_utils.defined_tags.l7_error_id,
-      confidence      = tag_utils.defined_tags.confidence,
+      l7_error_id       = tag_utils.defined_tags.l7_error_id,
+      confidence        = tag_utils.defined_tags.confidence,
      traffic_direction = tag_utils.defined_tags.traffic_direction,

      probe_ip = tag_utils.defined_tags.probe_ip,
--- a/scripts/lua/modules/lua_utils_get.lua
+++ b/scripts/lua/modules/lua_utils_get.lua
@ -222,7 +222,11 @@ function getApplicationLabel(name, maxlen)
  -- Do not convert to upper case, keep the nDPI case
  --name = name:gsub("^%l", string.upper)

-  return(icon.." "..shortenString(name, maxlen))
+  if(icon == "") then
+     return(shortenString(name, maxlen))
+  else
+     return(icon.." "..shortenString(name, maxlen))
+  end
 end

 -- #################################