Implements Local Hosts BlackList Check #6858

2026-05-06 03:45:26 +00:00 · 2022-09-09 22:50:40 +02:00 · 2022-09-09 22:50:40 +02:00 · 7992446d9e
commit 7992446d9e
parent ceaa36104f
7 changed files with 123 additions and 9 deletions
--- a/scripts/lua/modules/alert_definitions/other/alert_local_host_blacklisted.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_local_host_blacklisted.lua
@ -0,0 +1,52 @@
+--
+-- (C) 2019-22 - ntop.org
+--
+
+-- ##############################################
+
+local other_alert_keys = require "other_alert_keys"
+-- Import the classes library.
+local classes = require "classes"
+-- Make sure to import the Superclass!
+local alert = require "alert"
+local alert_entities = require "alert_entities"
+
+-- ##############################################
+
+local alert_local_host_blacklisted = classes.class(alert)
+
+-- ##############################################
+
+alert_local_host_blacklisted.meta = {
+   alert_key = other_alert_keys.alert_local_host_blacklisted,
+   i18n_title = "alerts_dashboard.local_host_blacklisted",
+   icon = "fas fa-fw fa-sticky-note",
+   entities = {
+      alert_entities.system
+   },
+}
+
+-- ##############################################
+
+-- @brief Prepare an alert table used to generate the alert
+-- @param list_name The name of the succeeded list as string
+-- @param host      IP address of the host found on blacklist
+-- @return A table with the alert built
+function alert_local_host_blacklisted:init(list_name, host)
+   -- Call the parent constructor
+   self.super:init()
+
+   self.alert_type_params = {
+      name = list_name, host = host
+   }
+end
+
+-- #######################################################
+
+function alert_local_host_blacklisted.format(ifid, alert, alert_type_params)
+   return i18n("category_lists.local_host_blacklisted", {name = alert_type_params.name, host = alert_type_params.host})
+end
+
+-- #######################################################
+
+return alert_local_host_blacklisted
--- a/scripts/lua/modules/alert_keys/other_alert_keys.lua
+++ b/scripts/lua/modules/alert_keys/other_alert_keys.lua
@ -91,7 +91,8 @@ local other_alert_keys = {
   alert_network_score_per_host         =  OTHER_BASE_KEY + 78,
   alert_dhcp_storm                     =  OTHER_BASE_KEY + 79,
   alert_snmp_interface_errors          =  OTHER_BASE_KEY + 80,
-   alert_snmp_device_traffic_change    =  OTHER_BASE_KEY + 81,
+   alert_snmp_device_traffic_change     =  OTHER_BASE_KEY + 81,
+   alert_local_host_blacklisted         =  OTHER_BASE_KEY + 82,
 }

 -- ##############################################
--- a/scripts/lua/modules/lists_utils.lua
+++ b/scripts/lua/modules/lists_utils.lua
@ -251,6 +251,9 @@ local function initListCacheDir()
   ntop.mkdir(os_utils.fixPath(string.format("%s/category_lists", dirs.workingdir)))
 end

+-- ##############################################
+
+
 local function getListCacheFile(list_name, downloading)
   local f = string.format("%s/category_lists/%s.txt", dirs.workingdir, list_name)

@ -290,6 +293,8 @@ local function getNextListUpdate(list)
   return next_update
 end

+-- ##############################################
+
 -- Returns true if the given list should be updated
 function shouldUpdate(list_name, list, now)
   local list_file
@ -363,12 +368,8 @@ local function checkListsUpdate(timeout)
            list.status.num_errors = 0
            needs_reload = true

-            local alert = alert_consts.alert_types.alert_list_download_succeeded.new(
-               list_name
-            )
-
+            local alert = alert_consts.alert_types.alert_list_download_succeeded.new(list_name)
            alert:set_score_notice()
-
            alert:store(alerts_api.systemEntity(list_name))

            msg = msg .. "OK"
@ -490,6 +491,15 @@ local function loadListItem(host, category, user_custom_categories, list, num_li
               if (list and list.name) then
                  if not ntop.loadCustomCategoryIp(host, category, list.name) then
                     loadWarning(string.format("Failure loading IP '%s' category '%s' in list '%s'", host, category, list.name))
+		  else
+		     if((category == CUSTOM_CATEGORY_MALWARE) and ntop.isLocalAddress(host)) then
+			local alert = alert_consts.alert_types.alert_local_host_blacklisted.new(list.name, host)
+			
+			alert:set_score_error()
+			alert:store(alerts_api.systemEntity(list.name, host))
+
+			-- loadWarning(string.format("Found local IP '%s' in malware list '%s'", host, list.name))
+		     end
                  end
               end