From 5f30641db39ddb3555ba67bd0bc4b7753e8a3aa0 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Tue, 28 Oct 2025 22:07:31 +0100
Subject: [PATCH] Localized scan realtime alert message and improved message

---
 scripts/locales/en.lua | 11 ++++++++--
 .../host/host_alert_scan_realtime.lua | 15 ++++++++-----
 src/Host.cpp | 3 +--
 src/host_alerts/ScanRealtimeAlert.cpp | 22 ++++++++++---------
 4 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/scripts/locales/en.lua b/scripts/locales/en.lua
index c36ceab4f4..707eef3b6f 100644
--- a/scripts/locales/en.lua
+++ b/scripts/locales/en.lua
@@ -1217,6 +1217,13 @@ local lang = {
 ["score_as_client"] = "Score Behaviour as Client",
 ["score_as_server"] = "Score Behaviour as Server",
 },
+ ["scan_realtime"] = {
+ ["incomplete_flows"] = "Too many TCP 3WH Incomplete/UDP Unidirectional Flows Scan",
+ ["rx_only_scan"] = "RX-only Host Scan",
+ ["syn_scan"] = "TCP SYN Scan",
+ ["fin_scan"] = "TCP FIN Scan",
+ ["rst_scan"] = "TCP RST Scan",
+ }
 },
 ["alert_behaviors"] = {
 ["l7_traffic_behavior"] = "Traffic RX + TX",
@@ -3140,9 +3147,9 @@ local lang = {
 ["rst_scan_title"] = "RST Scan",
 ["rx_only_host_scan_description"] = "Trigger an alert when a server host RX-only is under scan attack.",
 ["rx_only_host_scan_title"] = "RX-only Host Scan",
- ["scan_detection_description"] = "Trigger an alert when a scan (host/port) is detected when the number of incomplete TCP/UDP flows exceeds the specified threshold.",
+ ["scan_detection_description"] = "Trigger an alert when a scan (host/port) is detected. The alert is triggered whenever an excessive number of unidirectional (i.e. without a reponse) flows is detected.",
 ["scan_realtime_title"] = "Scan (Realtime)",
- ["scan_realtime_description"] = "Collection of Scan checks. Trigger an alert when a host is scanning a network. This check works with live traffic, no database required.",
+ ["scan_realtime_description"] = "Collection of Scan checks. Trigger an alert when a host is scanning a network. This check works with live traffic (ClickHouse not required).",
 ["scan_detection_title"] = "Scan Detection",
 ["snmp_flood_description"] = "Trigger an alert when the number of sent/received SNMP Flows/sec exceeds the threshold",
 ["snmp_flood_title"] = "SNMP Flood",
diff --git a/scripts/lua/modules/alert_definitions/host/host_alert_scan_realtime.lua b/scripts/lua/modules/alert_definitions/host/host_alert_scan_realtime.lua
index 068fdcd392..4c67b3b8a7 100644
--- a/scripts/lua/modules/alert_definitions/host/host_alert_scan_realtime.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_scan_realtime.lua
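Review bot: The new `scan_detection_description` string carries a typo, "reponse", in the added line; it should read `"... unidirectional (i.e. without a response) flows is detected."`. This text appears to be user-facing (a check description in the locale table), so it is worth correcting in this commit rather than in a later locale pass.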
@@ -12,17 +12,22 @@
 local classes = require "classes"
 local alert = require "alert"
 local mitre = require "mitre_utils"
+local dirs = ntop.getDirs()
+package.path = dirs.installdir .. "/scripts/lua/modules/i18n/?.lua;" .. package.path
+local i18n = require "i18n"
+
 -- ##############################################
 
 local host_alert_scan_realtime = classes.class(alert)
 
 local alert_table = {
- [0] = "Incomplete Flows Scan",
- [1] = "RX-only Host Scan",
- [2] = "SYN Scan",
- [3] = "FIN Scan",
- [4] = "RST Scan"
+ [0] = i18n("alert.scan_realtime.incomplete_flows"),
+ [1] = i18n("alert.scan_realtime.rx_only_scan"),
+ [2] = i18n("alert.scan_realtime.syn_scan"),
+ [3] = i18n("alert.scan_realtime.fin_scan"),
+ [4] = i18n("alert.scan_realtime.rst_scan"),
 }
+
 -- ##############################################
 
 host_alert_scan_realtime.meta = {
diff --git a/src/Host.cpp b/src/Host.cpp
index 0ab006178f..0870d6088e 100644
--- a/src/Host.cpp
+++ b/src/Host.cpp
@@ -929,8 +929,7 @@ void Host::lua(lua_State *vm, AddressTree *ptree, bool host_details,
 lua_push_int32_table_entry(vm, "num_contacted_peers_with_tcp_udp_flows_no_response",
 getNumContactedPeersAsClientTCPUDPNoTX());
- lua_push_int32_table_entry(
- vm, "num_incoming_peers_that_sent_tcp_udp_flows_no_response",
+ lua_push_int32_table_entry(vm, "num_incoming_peers_that_sent_tcp_udp_flows_no_response",
 getNumContactsFromPeersAsServerTCPUDPNoTX());
 
 if(device_ip)
diff --git a/src/host_alerts/ScanRealtimeAlert.cpp b/src/host_alerts/ScanRealtimeAlert.cpp
index 165d19b602..a209dd1022 100644
--- a/src/host_alerts/ScanRealtimeAlert.cpp
+++ b/src/host_alerts/ScanRealtimeAlert.cpp
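Review bot: The `alert_table` entries are now evaluated by `i18n(...)` once, when the module body first runs, so the table freezes whichever locale is active at that moment; if ntopng's `i18n` resolves the language per user session (likely, but not visible in this hunk), every later user sees the first locale's strings. Keeping the keys in the table (`[0] = "alert.scan_realtime.incomplete_flows"`, and so on) and calling `i18n(alert_table[idx])` where the message is formatted would resolve the text per request; that format site is outside the hunk. The added `package.path = dirs.installdir .. ... .. package.path` is a load-time mutation of interpreter-global state; `require` caching normally limits it to one run per Lua state, but the intent deserves a comment such as `-- make the i18n module resolvable; prepended once per Lua state since require caches in package.loaded`, or the path setup should live in the shared bootstrap if other alert definitions already do this. The enclosing file continues past the hunk.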
@@ -22,13 +22,15 @@
 #include "host_alerts_includes.h"
 
 ndpi_serializer* ScanRealtimeAlert::getAlertJSON(ndpi_serializer* serializer) {
- #ifdef NTOPNG_PRO
- if (serializer == NULL) return NULL;
- ndpi_serialize_start_of_list(serializer, "alerts");
- for(ScanAlertType alert : alerts)
- ndpi_serialize_string_uint64(serializer, "alerts_addr", alert);
- ndpi_serialize_end_of_list(serializer);
- #endif
-
- return serializer;
-}
\ No newline at end of file
+#ifdef NTOPNG_PRO
+ if (serializer == NULL) return NULL;
+ ndpi_serialize_start_of_list(serializer, "alerts");
+
+ for(ScanAlertType alert : alerts)
+ ndpi_serialize_string_uint64(serializer, "alerts_addr", alert);
+
+ ndpi_serialize_end_of_list(serializer);
+#endif
+
+ return serializer;
+}