From 378232f808cd2ce0551fb5420ca728684065e5ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=B2=20Maio?=
Date: Fri, 3 Feb 2023 11:36:19 +0100
Subject: [PATCH] Update alert score threshold with flows info (#6714) (#7197)
---
 scripts/locales/en.lua | 2 +-
 scripts/lua/modules/alert_consts.lua | 2 +-
 .../host/host_alert_score_threshold.lua | 43 +++++++++++++++++++
 3 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/scripts/locales/en.lua b/scripts/locales/en.lua
index d35665c3ff..16be53e32c 100644
--- a/scripts/locales/en.lua
+++ b/scripts/locales/en.lua
@@ -851,7 +851,7 @@ local lang = {
 ["scan_detected"] = "%{entity} is a scanner [%{value} > %{threshold} scan attempts]",
 ["score_number_anomaly"] = "%{role} Score: %{score} [Expected Range: %{lower_bound} ... %{upper_bound} ][Cybersecurity Score: %{cat_sec}% | Network Score: %{cat_net}%][Flow Alerts: ][Past Host Alerts: ][Engaged Host Alerts: ]",
 ["score_number_anomaly_threshold"] = "%{metric} exceeded by %{entity} [%{value} > %{threshold}]",
- ["score_threshold"] = "Score exceeded by %{entity} as %{cli_or_srv} [%{value} > %{threshold}]",
+ ["score_threshold"] = "Score exceeded by %{entity} as %{cli_or_srv} [%{value} > %{threshold}] %{flows_info}",
 ["shell_script_executed"] = "Shell script '%{script_exec_comm}' executed in response of an alert: '%{alert_type}'",
 ["slow_periodic_activity"] = "Periodic activity \"%{script}\" running for too long [more than %{max_duration}] or executed too late (blocked in queue).",
 ["slow_purge"] = "Hash table idle entries purging on %{iface} is too slow. This could lead to high memory utilization, data accuracy loss and missing alerts. [%{idle}%% > %{max_idle}%%]",
diff --git a/scripts/lua/modules/alert_consts.lua b/scripts/lua/modules/alert_consts.lua
index 7179b879a8..fbf5f6c59f 100644
--- a/scripts/lua/modules/alert_consts.lua
+++ b/scripts/lua/modules/alert_consts.lua
@@ -161,7 +161,7 @@ end
 -- ##############################################
 function alert_consts.formatHostAlert(ifid, host, vlan)
- return hostinfo2label({host = host, vlan = vlan})
+ return hostinfo2label({host = host, vlan = vlan}, vlan)
 end
 -- ##############################################
diff --git a/scripts/lua/modules/alert_definitions/host/host_alert_score_threshold.lua b/scripts/lua/modules/alert_definitions/host/host_alert_score_threshold.lua
index 4b25dda7de..cb742a6ae4 100644
--- a/scripts/lua/modules/alert_definitions/host/host_alert_score_threshold.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_score_threshold.lua
@@ -51,9 +51,51 @@ function host_alert_score_threshold.format(ifid, alert, alert_type_params)
 local host = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
 local threshold = alert_type_params["threshold"] or 0
 local as_cli_or_srv = i18n("client")
+ local as_cli = true
 if alert_type_params["is_client_alert"] == false then
 as_cli_or_srv = i18n("server")
+ as_cli = false
+ end
+
+ local flows_info_href = '(check live: )'
+ local ifName = _GET["ifid"]
+ if ntop.isClickHouseEnabled() then
+
+ local extra_params = {
+ ifid = {
+ value = ifName,
+ operator = "eq"
+ },
+ epoch_begin = {
+ value = _GET["epoch_begin"],
+ operator = "eq"
+ },
+ epoch_end = {
+ value = _GET["epoch_end"],
+ operator = "eq"
+ }
+ }
+ if alert["vlan_id"] ~= 0 then
+ extra_params.vlan_id = {
+ value = alert["vlan_id"],
+ operator = "eq"
+ }
+ end
+
+ if as_cli then
+ extra_params.cli_ip = {
+ value = alert["ip"],
+ operator = "eq"
+ }
+ else
+ extra_params.srv_ip = {
+ value = alert["ip"],
+ operator = "eq"
+ }
+ end
+
+ flows_info_href = flows_info_href..' (check historical: )'
 end
 if (tonumber(alert_type_params["value"]) > tonumber(threshold)) and (threshold > 0) then
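Review bot: `hostinfo2label({host = host, vlan = vlan}, vlan)` passes the raw vlan id as the second argument; if that parameter is a show-vlan flag, note that `0` is truthy in Lua, so a host on the untagged vlan (`vlan == 0`) would be treated as "show" rather than "hide". If a boolean is intended, `return hostinfo2label({host = host, vlan = vlan}, vlan ~= nil and vlan ~= 0)` makes the intent explicit and behaves the same for non-zero vlans. hostinfo2label's signature is not visible in this hunk, so confirm which meaning its second argument has before changing the call.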
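Review bot: `local ifName = _GET["ifid"]` discards the `ifid` argument that `format()` already receives and reads the request parameter instead, so the generated flows link can point at whatever interface the current page is showing rather than the one the alert belongs to, and it may be nil when the formatter runs outside an HTTP request; prefer `local ifName = ifid` (falling back to `_GET["ifid"]` only when `ifid` is nil). The same applies to `_GET["epoch_begin"]` and `_GET["epoch_end"]`, which are copied unvalidated from the query string into `extra_params` and presumably feed the link that is later substituted as `%{flows_info}` in the next hunk; coerce them with `tonumber()` and omit the filter when parsing fails, so that no unchecked request value is echoed into the rendered message. In the hunk as shown `extra_params` is built but never read — if the anchor markup was lost in extraction this is moot, otherwise the table is dead code. `alert["vlan_id"] ~= 0` is a strict comparison, so a `vlan_id` that arrives as the string `"0"` would still add the vlan filter; `tonumber(alert["vlan_id"]) ~= 0` is safer. The enclosing `format` function starts before this hunk and ends in the next one.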
@@ -63,6 +105,7 @@ function host_alert_score_threshold.format(ifid, alert, alert_type_params)
 cli_or_srv = as_cli_or_srv,
 value = alert_type_params["value"],
 threshold = threshold,
+ flows_info = flows_info_href
 })
 end
 end