Added vulnerability issues alert (#7717)

This commit is contained in:
Matteo Biscosi 2023-08-04 13:23:40 +00:00
parent 864203abb2
commit 3ca4ad98ae
5 changed files with 157 additions and 11 deletions


@ -40,7 +40,7 @@ require "lua_utils" -- used by tprint (debug)
local host_to_scan_key = "ntopng.prefs.host_to_scan"
local host_scan_queue_key = "ntopng.vs_scan_queue"
local scanned_hosts_changes_key = "ntopng.alerts.scanned_hosts_changes"
local json = require("dkjson")
local format_utils = require("format_utils")
@ -98,6 +98,60 @@ end
-- ##############################################
-- This function checks the differences between an old and a new host scan
-- and return a table containing those differences
local function check_differences(host, scan_type, old_data, new_data)
local rsp = {}
-- security checks
if host == nil or scan_type == nil then
return nil
end
if tonumber(old_data.ports or 0) ~= tonumber(new_data.ports or 0) then
rsp["num_ports"] = {
old_num_ports = old_data.ports or 0,
new_num_ports = new_data.ports or 0
}
end
local num_cve_solved = 0
local num_new_cve_issues = 0
-- Checking the solved vulnerabilities
for _, cve in ipairs(old_data.cve or {}) do
-- If the new table does not contains the cve it means that it is solved
if not (table.contains(new_data.cve or {}, cve)) then
num_cve_solved = num_cve_solved + 1
end
end
-- Checking the new vulnerabilities
for _, cve in ipairs(new_data.cve or {}) do
-- If the new table does not contains the cve it means that it is solved
if not (table.contains(old_data.cve or {}, cve)) then
num_new_cve_issues = num_new_cve_issues + 1
end
end
if num_cve_solved > 0 then
rsp["num_cve_solved"] = num_cve_solved
end
if num_new_cve_issues > 0 then
rsp["num_new_cve_issues"] = num_new_cve_issues
end
if table.empty(rsp) then
rsp = nil
else
rsp["host"] = host
rsp["scan_type"] = scan_type
end
return rsp
end
-- ##############################################
-- remove the first/last few lines that contain nmap information that change at each scan
function vs_utils.cleanup_nmap_result(scan_result, scan_type)
scan_result = scan_result:gsub("|", "")
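Review bot: The guard at the top of `check_differences` only rejects a nil `host` or `scan_type`, yet the next statement indexes `old_data.ports` and `new_data.ports`, so a nil table argument raises an error instead of returning nil like the other "security checks"; change the guard to `if host == nil or scan_type == nil or old_data == nil or new_data == nil then return nil end`. The comment above the second loop is a copy of the first and states the opposite of what that loop does; it should read `-- If the old table does not contain the cve it means that it is new`. The caller in save_host_to_scan passes a `vulnerabilities` field in both tables that this function never reads, so a change in the vulnerability count alone produces no difference record — presumably intended, but worth a one-line comment if so. The `table.contains` lookups also assume `cve` entries compare by value (strings); if they are tables, every entry would be reported as both solved and new — confirm against the caller.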
@ -157,9 +211,11 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
local saved_hosts = {}
if not isEmptyString(saved_hosts_string) then
saved_hosts = json.decode(saved_hosts_string)
local checks = require "checks"
local trigger_alert = checks.isCheckEnabled("system", "vulnerability_scan") or false
saved_hosts = json.decode(saved_hosts_string) or {}
local index_to_remove = 0
for index,value in ipairs(saved_hosts) do
if value.host == host and value.scan_type == scan_type then
index_to_remove = index
@ -167,9 +223,30 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
end
if index_to_remove ~= 0 then
table.remove(saved_hosts, index_to_remove)
-- In case the alert needs to be triggered, save the differences in order to lessen
-- the info dropped on redis
if trigger_alert then
local old_data = saved_hosts[index_to_remove]
local host_info_to_cache = check_differences(host,
scan_type,
{
vulnerabilities = old_data.num_vulnerabilities_found,
ports = old_data.num_open_ports,
cve = old_data.cve,
},
{
vulnerabilities = num_vulnerabilities_found,
ports = num_open_ports,
cve = cve,
})
if host_info_to_cache then
ntop.rpushCache(scanned_hosts_changes_key, json.encode(host_info_to_cache))
end
end
table.remove(saved_hosts, index_to_remove)
end
end
local new_item = {
host = host,