Handle special cases for engaged alerts with the new filtering engine

2026-05-06 03:45:26 +00:00 · 2021-07-01 15:37:43 +02:00 · 2021-07-01 15:37:43 +02:00 · 24f9364c36
commit 24f9364c36
parent b90132423f
2 changed files with 95 additions and 22 deletions
--- a/scripts/lua/modules/alert_store/alert_store.lua
+++ b/scripts/lua/modules/alert_store/alert_store.lua
@ -263,31 +263,72 @@ end

 --@brief Filter (engaged) alerts in lua) evaluating self:_where conditions
 function alert_store:eval_alert_cond(alert, cond)
-   local verdict = true -- pass

-   if not alert[cond.field] then -- field not defined, pass
-      return verdict
+   -- Special case: l7_proto
+   if cond.field == 'l7_proto' and cond.value ~= 0 then
+      -- Search also in l7_master_proto, unless value is 0 (Unknown)
+      if cond.op == 'neq' then
+         return tag_utils.eval_op(alert['l7_proto'], cond.op, cond.value) and 
+                tag_utils.eval_op(alert['l7_master_proto'], cond.op, cond.value)
+      else
+         return tag_utils.eval_op(alert['l7_proto'], cond.op, cond.value) or 
+                tag_utils.eval_op(alert['l7_master_proto'], cond.op, cond.value)
+      end
+
+   -- Special case: ip (with vlan)
+   elseif cond.field == 'ip' then
+      local host = hostkey2hostinfo(cond.value)
+
+      if not isEmptyString(host["host"]) then
+         if isEmptyString(host["vlan"]) then
+            return tag_utils.eval_op(alert['ip'], cond.op, host["host"])
+         else
+            if cond.op == 'neq' then
+               return tag_utils.eval_op(alert['ip'], cond.op, host["host"]) or
+                      tag_utils.eval_op(alert['vlan_id'], cond.op, host["vlan"])
+            else
+               return tag_utils.eval_op(alert['ip'], cond.op, host["host"]) and
+                      tag_utils.eval_op(alert['vlan_id'], cond.op, host["vlan"])
+            end
+         end
+      end
+
+   -- Special case: role (host)
+   elseif cond.field == 'host_role' then
+      if cond.value == 'attacker' then
+         return tag_utils.eval_op(alert['is_attacker'], cond.op, 1)
+      elseif cond.value == 'victim' then
+         return tag_utils.eval_op(alert['is_victim'], cond.op, 1)
+      else -- 'no_attacker_no_victim'
+         return tag_utils.eval_op(alert['is_attacker'], cond.op, 0) and
+                tag_utils.eval_op(alert['is_victim'], cond.op, 0)
+      end
+
+   -- Special case: role (flow)
+   elseif cond.field == 'flow_role' then
+      if cond.value == 'attacker' then
+         return tag_utils.eval_op(alert['is_cli_attacker'], cond.op, 1) or
+                tag_utils.eval_op(alert['is_srv_attacker'], cond.op, 1)
+      elseif cond.value == 'victim' then
+         return tag_utils.eval_op(alert['is_cli_victim'], cond.op, 1) or
+                tag_utils.eval_op(alert['is_srv_victim'], cond.op, 1)
+      else -- 'no_attacker_no_victim'
+         return tag_utils.eval_op(alert['is_cli_attacker'], cond.op, 0) and
+                tag_utils.eval_op(alert['is_srv_attacker'], cond.op, 0) and
+                tag_utils.eval_op(alert['is_cli_victim'], cond.op, 0) and
+                tag_utils.eval_op(alert['is_srv_victim'], cond.op, 0)
+      end
+
+   -- Special case: role_cli_srv)
+   elseif cond.field == 'role_cli_srv' then
+      if role_cli_srv == 'client' then
+         return tag_utils.eval_op(alert['is_client'], cond.op, 1)
+      else -- 'server'
+         return tag_utils.eval_op(alert['is_server'], cond.op, 1)
+      end
   end

-   if not cond.value then -- handle special conditions with no simple value
-      return verdict
-   end
-
-   if cond.op == 'eq' then
-      return alert[cond.field] == cond.value
-   elseif cond.op == 'neq' then
-      return alert[cond.field] ~= cond.value
-   elseif cond.op == 'lt' then
-      return alert[cond.field] < cond.value
-   elseif cond.op == 'gt' then
-      return alert[cond.field] > cond.value
-   elseif cond.op == 'gte' then
-      return alert[cond.field] >= cond.value
-   elseif cond.op == 'lte' then
-      return alert[cond.field] <= cond.value
-   end 
-
-   return verdict
+   return tag_utils.eval_op(alert[cond.field], cond.op, cond.value)
 end

 -- ##############################################
--- a/scripts/lua/modules/tag_utils.lua
+++ b/scripts/lua/modules/tag_utils.lua
@ -22,6 +22,38 @@ tag_utils.tag_operators = {
    ["lte"] = "<=",
 }

+-- ##############################################
+
+--@brief Evaluate operator
+function tag_utils.eval_op(v1, op, v2)
+   local default_verdict = true
+
+   -- Convert boolean for compatibility
+   if type(v1) == 'boolean' then
+      if v1 then v1 = 1 else v1 = 0 end
+   end
+
+   if not v1 or not v2 then
+      return default_verdict
+   end
+
+   if op == 'eq' then
+      return v1 == v2
+   elseif op == 'neq' then
+      return v1 ~= v2
+   elseif op == 'lt' then
+      return v1 < v2
+   elseif op == 'gt' then
+      return v1 > v2
+   elseif op == 'gte' then
+      return v1 >= v2
+   elseif op == 'lte' then
+      return v1 <= v2
+   end 
+
+   return default_verdict
+end
+
 -- #####################################

 -- This table is done to convert tags to their where