vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-04-29 15:39:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Added UDP portscan

Browse source
This commit is contained in:
Luca Deri 2023-10-10 20:07:22 +02:00
parent 36b2bc1ad5
commit 2588b52328
9 changed files with 210 additions and 137 deletions
Download patch file Download diff file Expand all files Collapse all files

222
scripts/lua/modules/vulnerability_scan/vs_utils.lua
View file

@ -109,13 +109,13 @@ local function get_report_path(scan_type, ip, all)
local base_dir = dirs.workingdir .. "/-1/vulnerability_scan"
ntop.mkdir(base_dir)
local ret = ""
if (not all or all == nil) then
ret = base_dir .. "/"..ip.."_"..scan_type..".txt"
else
ret = base_dir .. "/*.txt"
end
return(ret)
end
@ -133,7 +133,7 @@ end
-- ##############################################
local function format_port_list_to_string(ports)
local function format_port_list_to_string(ports)
local scan_ports = ""
if (ports ~= nil and #ports > 0) then
@ -147,11 +147,11 @@ local function format_port_list_to_string(ports)
end
return scan_ports
end
-- ##############################################
local function find_port(port, port_list)
local function find_port(port, port_list)
local found = false
for _,item in ipairs(port_list) do
if (item == port) then
@ -184,7 +184,7 @@ local function check_ports_diffences(num_old_ports, old_ports, num_new_ports, ne
for _, item in ipairs(old_ports) do
local is_open = find_port(item, new_ports)
if (not is_open) then
closed_ports[#closed_ports+1] = item
closed_ports[#closed_ports+1] = item
diff = true
end
end
@ -192,7 +192,7 @@ local function check_ports_diffences(num_old_ports, old_ports, num_new_ports, ne
for _, item in ipairs(new_ports) do
local is_open = find_port(item, old_ports)
if (not is_open) then
open_ports[#open_ports+1] = item
open_ports[#open_ports+1] = item
diff = true
end
end
@ -205,7 +205,7 @@ local function check_ports_diffences(num_old_ports, old_ports, num_new_ports, ne
rsp.open_ports_num = #open_ports
rsp.closed_ports = closed_ports
rsp.closed_ports_num = #closed_ports
if (#open_ports ~= 0 and #closed_ports == 0) then
rsp.case = 'new_ports'
elseif (#open_ports == 0 and #closed_ports ~= 0) then
@ -214,7 +214,7 @@ local function check_ports_diffences(num_old_ports, old_ports, num_new_ports, ne
rsp.case = 'ports_open_and_closed'
end
end
else
else
rsp.trigger = false
end
@ -287,16 +287,16 @@ local function check_differences(host, host_name, scan_type, old_data, new_data)
end
end
if (new_data.tcp_ports.num_ports ~= 0) then
tcp_new_ports = split(new_data.tcp_ports.ports, ",")
if (debug_print) then
tprint(tcp_new_ports)
end
end
local ports_differences = check_ports_diffences(#tcp_old_ports, tcp_old_ports,
local ports_differences = check_ports_diffences(#tcp_old_ports, tcp_old_ports,
#tcp_new_ports, tcp_new_ports)
if num_cve_solved > 0 then
@ -332,7 +332,7 @@ local function check_differences(host, host_name, scan_type, old_data, new_data)
tprint("IS IT TRIGGERED: ")
tprint(ports_differences.trigger)
end
if table.empty(rsp) then
rsp = nil
@ -347,7 +347,7 @@ end
-- ##############################################
function vs_utils.cleanup_port(is_tcp, line)
function vs_utils.cleanup_port(is_tcp, line)
local splitted_line = {}
local regex = "([^/udp]+)"
@ -368,14 +368,14 @@ function vs_utils.cleanup_nmap_result(scan_result, scan_type)
scan_result = scan_result:gsub("|", "")
scan_result = scan_result:gsub("_", "")
scan_result = lines(scan_result)
scan_result = lines(scan_result)
for i=1,4 do
table.remove(scan_result, 1)
end
table.remove(scan_result, #scan_result)
local num_open_ports = 0
local num_vulnerabilities = 0
local cve = {}
@ -387,19 +387,18 @@ function vs_utils.cleanup_nmap_result(scan_result, scan_type)
if(string.find(l, "open") ~= nil) then
local t = string.find(l, "/tcp ") or 0
local u = string.find(l, "/udp ") or 0
if (t > 0) then
num_open_ports = num_open_ports + 1
tcp_ports[#tcp_ports+1] = vs_utils.cleanup_port(true, l)
end
if (t > 0) then
num_open_ports = num_open_ports + 1
tcp_ports[#tcp_ports+1] = vs_utils.cleanup_port(true, l)
end
if(u > 0) then
num_open_ports = num_open_ports + 1
udp_ports[#udp_ports+1] = vs_utils.cleanup_port(false, l)
end
if(u > 0) then
num_open_ports = num_open_ports + 1
udp_ports[#udp_ports+1] = vs_utils.cleanup_port(false, l)
end
end
if(string.sub(l, 1, 2) == " [") then
local c = string.split(string.sub(l,3), "]")
@ -427,14 +426,14 @@ function vs_utils.cleanup_nmap_vulners_result(scan_result, scan_type)
scan_result = scan_result:gsub("|_", "")
scan_result = scan_result:gsub("|", "")
scan_result = lines(scan_result)
scan_result = lines(scan_result)
for i=1,4 do
table.remove(scan_result, 1)
end
table.remove(scan_result, #scan_result)
local num_open_ports = 0
local num_vulnerabilities = 0
local cve = {}
@ -444,7 +443,7 @@ function vs_utils.cleanup_nmap_vulners_result(scan_result, scan_type)
if(string.find(l, "open") ~= nil) then
local t = string.find(l, "/tcp ") or 0
local u = string.find(l, "/udp ") or 0
if((t > 0) or (u > 0)) then
num_open_ports = num_open_ports + 1
end
@ -467,7 +466,7 @@ end
-- **********************************************************
-- Function to save host configuration
local function isAlreadyPresent(item)
local function isAlreadyPresent(item)
local hosts_details = vs_utils.retrieve_hosts_to_scan()
for _,value in ipairs(hosts_details) do
@ -480,7 +479,7 @@ end
-- **********************************************************
local function compare(a,b)
local function compare(a,b)
local a_array = split(a,"|")
local a_has_score = false
@ -498,7 +497,7 @@ local function compare(a,b)
if (a_has_score and b_has_score) then
return a > b
else
else
return a_array[1] > b_array[1]
end
end
@ -512,13 +511,13 @@ local function get_cve_with_score(cve)
if(cve ~= nil) then
for _,cve_id in ipairs(cve) do
local score = cve_utils.getCVEscore(cve_id)
local cve_formatted = cve
if(score ~= nil) then
if(max_score < score) then
max_score = score
end
if(max_score < score) then
max_score = score
end
cve_formatted = string.format("%s|%s",cve_id,score)
end
cve_with_score_list[#cve_with_score_list+1] = cve_formatted
@ -526,9 +525,9 @@ local function get_cve_with_score(cve)
end
if next(cve_with_score_list) then
table.sort(cve_with_score_list, compare)
table.sort(cve_with_score_list, compare)
end
return cve_with_score_list, max_score
end
@ -537,10 +536,10 @@ end
-- Function to save host configuration
function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time, last_duration,
is_ok_last_scan, ports, scan_frequency, num_open_ports,
num_vulnerabilities_found, cve, id, is_edit, udp_ports, tcp_ports)
num_vulnerabilities_found, cve, id, is_edit, udp_ports, tcp_ports)
local checks = require "checks"
local trigger_alert = checks.isCheckEnabled("active_monitoring", "vulnerability_scan")
or checks.isCheckEnabled("system", "vulnerability_scan")
or checks.isCheckEnabled("system", "vulnerability_scan")
local host_hash_key = vs_utils.get_host_hash_key(host, scan_type)
local old_data_string = ntop.getHashCache(host_to_scan_key, host_hash_key)
local old_data = json.decode(old_data_string)
@ -557,24 +556,24 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
if already_scanned then
if(debug_print) then
tprint("ALREADY PRESENT-> CHECKING DIFF")
end
if(debug_print) then
tprint("ALREADY PRESENT-> CHECKING DIFF")
end
local host_info_to_cache = check_differences(host, host_name,
scan_type,
{
vulnerabilities = old_data.num_vulnerabilities_found,
ports = old_data.num_open_ports,
cve = old_data.cve,
tcp_ports = {num_ports = old_data.tcp_ports, ports = old_data.tcp_ports_list },
},
{
vulnerabilities = num_vulnerabilities_found,
ports = num_open_ports,
cve = cve,
tcp_ports = tcp_ports
})
local host_info_to_cache = check_differences(host, host_name,
scan_type,
{
vulnerabilities = old_data.num_vulnerabilities_found,
ports = old_data.num_open_ports,
cve = old_data.cve,
tcp_ports = {num_ports = old_data.tcp_ports, ports = old_data.tcp_ports_list },
},
{
vulnerabilities = num_vulnerabilities_found,
ports = num_open_ports,
cve = cve,
tcp_ports = tcp_ports
})
if host_info_to_cache then
ntop.rpushCache(scanned_hosts_changes_key, json.encode(host_info_to_cache))
end
@ -582,7 +581,7 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
end
local epoch_id = 0
if isEmptyString(id) then
if isEmptyString(id) then
local key = "ntopng.prefs.last_host_id"
local res = ntop.incrCache(key)
epoch_id = res
@ -594,7 +593,7 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
is_ok_last_scan = vs_utils.scan_status.not_scanned
end
local cve_formatted, max_score_cve = get_cve_with_score(cve)
local new_item = {
host = host,
@ -608,9 +607,9 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
id = epoch_id,
is_ok_last_scan = is_ok_last_scan
}
if tcp_ports ~= nil then
new_item.tcp_ports = tcp_ports.num_ports
new_item.tcp_ports_list = tcp_ports.ports
end
@ -640,7 +639,7 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
new_item.is_ok_last_scan = vs_utils.scan_status.ok
end
end
if not isEmptyString(scan_frequency) then
@ -654,20 +653,20 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
local result = handle:write(scan_result)
handle:close()
end
if not isEmptyString(id) and is_edit then
vs_utils.delete_host_to_scan_by_id(id)
end
local result = 1 -- success
if(not isAlreadyPresent(new_item)) then
--saved_hosts[#saved_hosts+1] = new_item
--saved_hosts[#saved_hosts+1] = new_item
ntop.setHashCache(host_to_scan_key, host_hash_key, json.encode(new_item))
elseif not isEmptyString(id) then
-- edit case
ntop.setHashCache(host_to_scan_key, host_hash_key, json.encode(new_item))
else
else
result = 2 --aleready_present
end
@ -675,13 +674,13 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
vs_utils.notify_end_periodicity()
--ntop.setCache(host_to_scan_key, json.encode(saved_hosts))
return result, new_item.id
end
function vs_utils.update_ts_counters()
function vs_utils.update_ts_counters()
local hosts_details = vs_utils.retrieve_hosts_to_scan()
local count_cve = 0
@ -689,8 +688,8 @@ function vs_utils.update_ts_counters()
local open_ports_count = 0
local hosts_count = 0
for _,item in ipairs(hosts_details) do
for _,item in ipairs(hosts_details) do
hosts_count = hosts_count + 1
if item.num_open_ports ~= nil then
@ -718,7 +717,7 @@ function vs_utils.update_ts_counters()
end
function vs_utils.notify_end_periodicity()
function vs_utils.notify_end_periodicity()
local periodicity_scan_in_progress = ntop.getCache(host_to_scan_periodicity_key) == "1"
@ -728,22 +727,22 @@ function vs_utils.notify_end_periodicity()
if(item.is_periodicity and item.is_ok_last_scan == vs_utils.scan_status.scheduled) then
return
end
end
end
ntop.setCache(host_to_scan_periodicity_key, "0")
local periodicity = ntop.getCache(host_to_scan_periodicity_key.."type")
for _,item in ipairs(hosts_details) do
local host_hash_key = vs_utils.get_host_hash_key(item.host, item.scan_type)
local host_hash_value_string = ntop.getHashCache(host_to_scan_key, host_hash_key)
if(not isEmptyString(host_hash_value_string)) then
local host_hash_value = json.decode(host_hash_value_string)
host_hash_value.is_periodicity = false
ntop.setHashCache(host_to_scan_key, host_hash_key, json.encode(host_hash_value))
end
end
@ -856,20 +855,20 @@ function vs_utils.delete_host_to_scan(host, scan_type, all)
local elems = {}
while(true) do
local e = ntop.lpopCache(host_scan_queue_key)
if(e == nil) then
break
else
local r = json.decode(e)
if(not((r.scan_type == "cve") and (r.host == "127.0.0.1"))) then
if(not((r.scan_type == "cve") and (r.host == "127.0.0.1"))) then
table.insert(elems, e)
end
end
end
for _,i in pairs(elems) do
ntop.lpushCache(host_scan_queue_key, i)
end
end
end
return true
@ -879,7 +878,7 @@ end
-- Function to delete host to scan by id
function vs_utils.delete_host_to_scan_by_id(id)
local hosts_details = vs_utils.retrieve_hosts_to_scan()
local host_to_delete = {}
local id_number = tonumber(id)
@ -896,7 +895,7 @@ function vs_utils.delete_host_to_scan_by_id(id)
local path_to_s_result = get_report_path(host_to_delete.scan_type, host_to_delete.host, false)
os.remove(path_to_s_result)
ntop.delHashCache(host_to_scan_key, host_hash_key)
return true
end
@ -945,16 +944,16 @@ end
function vs_utils.discover_open_ports(host)
function vs_utils.discover_open_ports(host)
local result,duration,scan_result,num_open_ports,num_vulnerabilities_found, cve, udp_ports, tcp_ports, scan_ports, network_alert_store,now
local scan_module = vs_utils.load_module("tcp_openports")
local scan_module = vs_utils.load_module("tcp_portscan")
now,result,duration,scan_result,num_open_ports,num_vulnerabilities_found, cve, udp_ports, tcp_ports = scan_module:scan_host(host, ports)
-- FIX ME -> only tcp for now
return format_port_list_to_string(tcp_ports)
return format_port_list_to_string(tcp_ports)
end
-- **********************************************************
@ -964,7 +963,7 @@ function vs_utils.scan_host(scan_type, host, ports, scan_id)
if debug_print then
if (ports ~= nil) then
traceError(TRACE_NORMAL,TRACE_CONSOLE,"Scanning Host ".. host .. " on Ports: " .. ports .. "\n")
else
else
traceError(TRACE_NORMAL,TRACE_CONSOLE,"Scanning Host ".. host.."\n")
end
end
@ -979,7 +978,7 @@ function vs_utils.scan_host(scan_type, host, ports, scan_id)
local scan_module = vs_utils.load_module(scan_type)
local now,result,duration,scan_result,num_open_ports,num_vulnerabilities_found, cve, udp_ports, tcp_ports = scan_module:scan_host(host, ports)
-- FIX HERE UDP ports
if(tcp_ports ~= nil) then
tcp_ports = {ports = format_port_list_to_string(tcp_ports), num_ports = #tcp_ports}
@ -997,7 +996,7 @@ function vs_utils.scan_host(scan_type, host, ports, scan_id)
if (isAlreadyPresent({host= host, scan_type= scan_type})) then
vs_utils.save_host_to_scan(scan_type, host, result, now, duration, scan_result,
ports_scan_param, nil, num_open_ports, num_vulnerabilities_found, cve, scan_id, false, udp_ports, tcp_ports)
ports_scan_param, nil, num_open_ports, num_vulnerabilities_found, cve, scan_id, false, udp_ports, tcp_ports)
end
return true
end
@ -1053,24 +1052,24 @@ end
-- periodicity can be set to "1day" "1week" "disabled"
function vs_utils.schedule_periodic_scan(periodicity)
local host_to_scan_list = vs_utils.retrieve_hosts_to_scan()
if (#host_to_scan_list > 0 ) then
local is_already_running = ntop.getCache(host_to_scan_periodicity_key) == "1"
local is_already_running = ntop.getCache(host_to_scan_periodicity_key) == "1"
if not is_already_running then
local is_scanning_almost_one = false
for _,scan_info in ipairs(host_to_scan_list) do
local frequency = scan_info.scan_frequency
for _,scan_info in ipairs(host_to_scan_list) do
local frequency = scan_info.scan_frequency
if(frequency == periodicity) then
vs_utils.schedule_host_scan(scan_info.scan_type, scan_info.host, scan_info.ports, scan_info.id, true)
is_scanning_almost_one = true
end
end
if(frequency == periodicity) then
vs_utils.schedule_host_scan(scan_info.scan_type, scan_info.host, scan_info.ports, scan_info.id, true)
is_scanning_almost_one = true
end
end
if is_scanning_almost_one then
ntop.setCache(host_to_scan_periodicity_key , "1")
@ -1165,7 +1164,7 @@ end
-- **********************************************************
-- Update all scan frequencies
function vs_utils.update_all_periodicity(scan_frequency)
function vs_utils.update_all_periodicity(scan_frequency)
local host_to_scan_list = vs_utils.retrieve_hosts_to_scan()
for _,value in ipairs(host_to_scan_list) do
@ -1180,7 +1179,7 @@ function vs_utils.update_all_periodicity(scan_frequency)
ntop.setHashCache(host_to_scan_key, host_hash_key, json.encode(host_hash_value))
end
end
return true
end
@ -1193,10 +1192,10 @@ end
-- **********************************************************
function vs_utils.format_port_label(port, service_name, protocol)
function vs_utils.format_port_label(port, service_name, protocol)
if (isEmptyString(service_name)) then
return string.format("%s/%s",port,protocol)
else
else
return string.format("%s/%s (%s)",port,protocol,service_name)
end
end
@ -1218,7 +1217,7 @@ function vs_utils.retrieve_detected_ports(host)
if (l4_proto == 'tcp') then
tcp_ports_detected[#tcp_ports_detected+1] = id_port
end
end
end
host_in_mem = true
end
@ -1226,7 +1225,7 @@ function vs_utils.retrieve_detected_ports(host)
end
-- Search port in ports list
local function find_port(port_to_find, port_list)
local function find_port(port_to_find, port_list)
for _, port in ipairs(port_list) do
if(port_to_find == tonumber(port)) then
return true
@ -1251,7 +1250,7 @@ function vs_utils.compare_ports(vs_scan_port_string_list, ntopng_ports)
not_found_a_port = true
ports_unused[#ports_unused+1] = vs_port
end
end
local diff_case
@ -1278,11 +1277,8 @@ function vs_utils.compare_ports(vs_scan_port_string_list, ntopng_ports)
end
return ports_unused, filtered_ports, diff_case
end
-- **********************************************************
return vs_utils