Fixes ASes and Networks alert behavior

2026-05-06 03:45:26 +00:00 · 2021-06-23 15:12:58 +02:00 · 2021-06-23 15:12:58 +02:00 · 462eaa384b
commit 462eaa384b
parent 8dcce12ff8
8 changed files with 97 additions and 59 deletions
--- a/scripts/lua/modules/alert_definitions/flow/alert_behavior_anomaly.lua
+++ b/scripts/lua/modules/alert_definitions/flow/alert_behavior_anomaly.lua
@ -29,17 +29,20 @@ alert_behavior_anomaly.meta = {
 -- @param lower_bound The lower bound of the measurement
 -- @param upper_bound The upper bound of the measurement
 -- @return A table with the alert built
-function alert_behavior_anomaly:init(entity, type_of_behaviour, value, upper_bound, lower_bound, href)
+function alert_behavior_anomaly:init(entity, type_of_behavior, value, upper_bound, lower_bound, 
+   ts_schema, page_path, timeserie_id --[[ This last 3 params are used to build up the href to the timeseries lately, if available ]])
   -- Call the parent constructor
   self.super:init()

   self.alert_type_params = {
-         entity = entity,
-         type_of_behaviour = type_of_behaviour,
-         value = value,
-         upper_bound = upper_bound,
-         lower_bound = lower_bound,
-         href = href,
+      entity = entity,
+      type_of_behavior = type_of_behavior,
+      value = value,
+      upper_bound = upper_bound,
+      lower_bound = lower_bound,
+      ts_schema = ts_schema,
+      page_path = page_path,
+      timeserie_id = timeserie_id,
   }
 end

@ -51,14 +54,35 @@ end
 -- @param alert_type_params Table `alert_type_params` as built in the `:init` method
 -- @return A human-readable string
 function alert_behavior_anomaly.format(ifid, alert, alert_type_params)
+   local href = ""
+   local type_of_behavior = ""
+   
+   -- Name of the behavior type, e.g. Score
+   if alert_type_params.type_of_behavior then
+      type_of_behavior = i18n("alert_behaviors." .. alert_type_params.type_of_behavior)
+   end
+
+   -- Generating the href for the timeserie
+   if ntop.isEnterpriseL() then
+      if alert_type_params["ts_schema"] and alert_type_params["page_path"] and alert_type_params["timeserie_id"] then
+         local alert_time = tonumber(alert.tstamp)
+         -- 10 minutes before and 10 minutes after the alert
+         local curr_time = '&epoch_begin=' .. tonumber(alert_time - 600) .. '&epoch_end=' .. tonumber(alert_time + 600)
+
+         href = alert_type_params["page_path"] .. "?" .. alert_type_params["timeserie_id"] .. 
+               "&page=historical&ts_schema=" .. alert_type_params["ts_schema"] .. "%3A" .. alert_type_params.type_of_behavior ..
+               "&zoom=30m" .. curr_time
+      end
+   end
+
   return(i18n("alerts_dashboard.unexpected_behavior_anomaly_description",
 		{
 		   entity = alert_type_params.entity or "",
-		   type_of_behaviour = alert_type_params.type_of_behaviour or "",
+		   type_of_behavior = type_of_behavior,
 		   value = alert_type_params.value or 0,
 		   lower_bound = alert_type_params.lower_bound or 0,
 		   upper_bound = alert_type_params.upper_bound or 0,
-         href = alert_type_params.href or "",
+         href = href,
 		}))
 end

--- a/scripts/lua/modules/alert_utils.lua
+++ b/scripts/lua/modules/alert_utils.lua
@ -777,39 +777,4 @@ function alert_utils.notify_ntopng_stop()
   return(notify_ntopng_status(false))
 end

-function alert_utils.formatBehaviorAlert(params, anomalies, stats, id, subtype, name)
-   -- Cycle throught the behavior stats
-   for anomaly_type, anomaly_table in pairs(anomalies) do
-      local lower_bound = stats[anomaly_type]["lower_bound"]
-      local upper_bound = stats[anomaly_type]["upper_bound"]
-      local value = stats[anomaly_type]["value"]
-      
-      if anomaly_table["formatter"] then
-         value = anomaly_table["formatter"](value)
-         lower_bound = anomaly_table["formatter"](lower_bound)
-         upper_bound = anomaly_table["formatter"](upper_bound)
-      end
-
-      local alert = alert_consts.alert_types.alert_behavior_anomaly.new(
-         i18n(subtype .. "_id", {id = name or id}),
-         i18n("alert_behaviors." .. anomaly_type),
-         value,
-         lower_bound,
-         upper_bound,
-         anomaly_table["href"]
-      )
-
-      alert:set_score_warning()
-      alert:set_granularity(params.granularity)
-      alert:set_subtype(subtype .. "_" .. id)
-
-      -- Trigger an alert if an anomaly is found
-      if anomaly_table["anomaly"] == true then
-         alert:trigger(params.alert_entity, nil, params.cur_alerts)
-      else
-         alert:release(params.alert_entity, nil, params.cur_alerts)
-      end
-   end
-end
-
 return alert_utils
--- a/scripts/lua/modules/alerts_api.lua
+++ b/scripts/lua/modules/alerts_api.lua
@ -606,6 +606,45 @@ function alerts_api.handlerPeerBehaviour(params, stats, tot_anomalies, host_ip,
   end
 end

+-- #####################################
+
+function alerts_api.formatBehaviorAlert(params, anomalies, stats, id, subtype, name)
+  -- Cycle throught the behavior stats
+  for anomaly_type, anomaly_table in pairs(anomalies) do
+     local lower_bound = stats[anomaly_type]["lower_bound"]
+     local upper_bound = stats[anomaly_type]["upper_bound"]
+     local value = stats[anomaly_type]["value"]
+     
+     if anomaly_table["formatter"] then
+        value = anomaly_table["formatter"](value)
+        lower_bound = anomaly_table["formatter"](lower_bound)
+        upper_bound = anomaly_table["formatter"](upper_bound)
+     end
+
+     local alert = alert_consts.alert_types.alert_behavior_anomaly.new(
+        i18n(subtype .. "_id", {id = name or id}),
+        anomaly_type,
+        value,
+        lower_bound,
+        upper_bound,
+        anomaly_table["ts_schema"],
+        anomaly_table["page_path"],
+        anomaly_table["timeserie_id"]
+     )
+
+     alert:set_score_warning()
+     alert:set_granularity(params.granularity)
+     alert:set_subtype(subtype .. "_" .. id)
+
+     -- Trigger an alert if an anomaly is found
+     if anomaly_table["anomaly"] == true then
+        alert:trigger(params.alert_entity, nil, params.cur_alerts)
+     else
+        alert:release(params.alert_entity, nil, params.cur_alerts)
+     end
+  end
+end
+
 -- ##############################################

 -- An alert check function which checks for anomalies.
--- a/scripts/lua/modules/graph_utils.lua
+++ b/scripts/lua/modules/graph_utils.lua
@ -1087,8 +1087,8 @@ if ntop.isPro() then
      {schema="iface:score_anomalies",       label=i18n("graphs.iface_score_anomalies")},
      {schema="iface:score_behavior",        label=i18n("graphs.iface_score_behavior"), split_directions = true --[[ split RX and TX directions ]], metrics_labels = {i18n("graphs.score"), i18n("graphs.lower_bound"), i18n("graphs.upper_bound")}},
      {schema="iface:traffic_anomalies",     label=i18n("graphs.iface_traffic_anomalies")},
-      {schema="iface:traffic_rx_behavior",   label=i18n("graphs.iface_traffic_rx_behavior"), split_directions = true --[[ split RX and TX directions ]], value_formatter = {"fbits"}, metrics_labels = {i18n("graphs.traffic_rcvd"), i18n("graphs.lower_bound"), i18n("graphs.upper_bound")}},
-      {schema="iface:traffic_tx_behavior",   label=i18n("graphs.iface_traffic_tx_behavior"), split_directions = true --[[ split RX and TX directions ]], value_formatter = {"fbits"}, metrics_labels = {i18n("graphs.traffic_sent"), i18n("graphs.lower_bound"), i18n("graphs.upper_bound")}},
+      {schema="iface:traffic_rx_behavior",   label=i18n("graphs.iface_traffic_rx_behavior"), split_directions = true --[[ split RX and TX directions ]], value_formatter = {"NtopUtils.fbits"}, metrics_labels = {i18n("graphs.traffic_rcvd"), i18n("graphs.lower_bound"), i18n("graphs.upper_bound")}},
+      {schema="iface:traffic_tx_behavior",   label=i18n("graphs.iface_traffic_tx_behavior"), split_directions = true --[[ split RX and TX directions ]], value_formatter = {"NtopUtils.fbits"}, metrics_labels = {i18n("graphs.traffic_sent"), i18n("graphs.lower_bound"), i18n("graphs.upper_bound")}},
   }

   default_timeseries = table.merge(pro_timeseries, default_timeseries)