Added detection of periodic flows and exported it as flow risk in both flows and alerts

2026-05-01 00:19:33 +00:00 · 2022-12-30 19:48:26 +01:00 · 2022-12-30 19:48:26 +01:00 · 21101c43f1
commit 21101c43f1
parent fab8158bdd
10 changed files with 74 additions and 34 deletions
--- a/scripts/lua/modules/alert_keys/flow_alert_keys.lua
+++ b/scripts/lua/modules/alert_keys/flow_alert_keys.lua
@ -94,7 +94,8 @@ local flow_alert_keys = {
   flow_alert_ndpi_risky_asn                       = 85,
   flow_alert_ndpi_risky_domain                    = 86,
   flow_alert_custom_lua_script                    = 87,
-
+   flow_alert_ndpi_periodic_flow                   = 88,
+   
   -- NOTE: for flow alerts not not go beyond the size of Bitmap alert_map inside Flow.h (currently 128)
 }

--- a/scripts/lua/modules/alert_store/flow_alert_store.lua
+++ b/scripts/lua/modules/alert_store/flow_alert_store.lua
@ -541,7 +541,6 @@ function flow_alert_store:_add_additional_request_filters()

   self:add_filter_condition_list(self:format_query_json_value('proto.l7_error_code'), error_code, 'string')
   self:add_filter_condition_list(self:format_query_json_value('proto.confidence'), confidence, 'string')
-
 end

 -- ##############################################
@ -564,13 +563,13 @@ function flow_alert_store:_get_additional_available_filters()
      l7proto    = tag_utils.defined_tags.l7proto,
      info       = tag_utils.defined_tags.info,

-      cli_host_pool_id       = tag_utils.defined_tags.cli_host_pool_id,
-      srv_host_pool_id       = tag_utils.defined_tags.srv_host_pool_id,
+      cli_host_pool_id  = tag_utils.defined_tags.cli_host_pool_id,
+      srv_host_pool_id  = tag_utils.defined_tags.srv_host_pool_id,
      cli_network       = tag_utils.defined_tags.cli_network,
      srv_network       = tag_utils.defined_tags.srv_network,

-      l7_error_id     = tag_utils.defined_tags.l7_error_id,
-      confidence      = tag_utils.defined_tags.confidence,
+      l7_error_id       = tag_utils.defined_tags.l7_error_id,
+      confidence        = tag_utils.defined_tags.confidence,
      traffic_direction = tag_utils.defined_tags.traffic_direction,

      probe_ip = tag_utils.defined_tags.probe_ip,
--- a/scripts/lua/modules/lua_utils_get.lua
+++ b/scripts/lua/modules/lua_utils_get.lua
@ -222,7 +222,11 @@ function getApplicationLabel(name, maxlen)
  -- Do not convert to upper case, keep the nDPI case
  --name = name:gsub("^%l", string.upper)

-  return(icon.." "..shortenString(name, maxlen))
+  if(icon == "") then
+     return(shortenString(name, maxlen))
+  else
+     return(icon.." "..shortenString(name, maxlen))
+  end
 end

 -- #################################