Fixes flow risks no longer triggering

2026-05-03 09:20:10 +00:00 · 2021-02-18 11:20:17 +01:00 · 2021-02-18 11:20:17 +01:00 · 823c6ddc81
commit 823c6ddc81
parent e3dab26574
1 changed files with 0 additions and 70 deletions
--- a/scripts/plugins/alerts/security/flow_risks/user_scripts/flow/flow_risks.lua
+++ b/scripts/plugins/alerts/security/flow_risks/user_scripts/flow/flow_risks.lua
@ -30,51 +30,7 @@ local script = {
      i18n_title = "flow_callbacks_config.flow_risk",
      i18n_description = "flow_callbacks_config.flow_risk_description",
   },
--------------------------------------------------------
-      -- Old item list, not currently used --      
--[[
-      groups = {
-	 {
-	    elements = {
-	       { 1, i18n("flow_risk.ndpi_url_possible_xss") },
-	       { 2, i18n("flow_risk.ndpi_url_possible_sql_injection") },
-	       { 3, i18n("flow_risk.ndpi_url_possible_rce_injection") },
-	       { 4, i18n("flow_risk.ndpi_binary_application_transfer") },
-	       { 5, i18n("flow_risk.ndpi_known_protocol_on_non_standard_port") },
-	       -- { 6, i18n("flow_risk.ndpi_tls_selfsigned_certificate") }, -- handled in tls_certificate_selfsigned.lua
-	       -- { 7, i18n("flow_risk.ndpi_tls_obsolete_version") },       -- handled in tls_old_protocol_version.lua
-	       -- { 8, i18n("flow_risk.ndpi_tls_weak_cipher") },            -- handled in tls_certificate_expired.lua
-	       -- { 9, i18n("flow_risk.ndpi_tls_certificate_expired") },    -- handled in tls_certificate_expired.lua 
-	       -- { 10, i18n("flow_risk.ndpi_tls_certificate_mismatch") },  -- handled in tls_certificate_mismatch.lua TODO: migrate to flow risk
-	       { 11, i18n("flow_risk.ndpi_http_suspicious_user_agent") },
-	       { 12, i18n("flow_risk.ndpi_http_numeric_ip_host") },
-	       { 13, i18n("flow_risk.ndpi_http_suspicious_url") },
-	       { 14, i18n("flow_risk.ndpi_http_suspicious_header") },
-	       { 15, i18n("flow_risk.ndpi_tls_not_carrying_https") },
-	       { 16, i18n("flow_risk.ndpi_suspicious_dga_domain") },
-	       { 17, i18n("flow_risk.ndpi_malformed_packet") },
-	       { 18, i18n("flow_risk.ndpi_ssh_obsolete_client_version_or_cipher") },
-	       { 19, i18n("flow_risk.ndpi_ssh_obsolete_server_version_or_cipher") },
-	       { 20, i18n("flow_risk.ndpi_smb_insecure_version") },
-	       { 21, i18n("flow_risk.ndpi_tls_suspicious_esni_usage") },
-	       { 22, i18n("flow_risk.ndpi_unsafe_protocol") },
-	       { 23, i18n("flow_risk.ndpi_dns_suspicious_traffic") },
-	       { 24, i18n("flow_risk.ndpi_tls_missing_sni") },   
-	    }
-	 }
-      }
-   },

-   default_value = {
-      items = {
-	 1,2,3,4,5,
-	 -- 6,7,8,9,10,
-	 11,12,13,14,15,16,17,18,19,20,
-	 21,22,23,24
-      },
-   },
-]]
-------------------------------------------------------
   filter = {
      default_filters = {},
      default_fields = {
@ -136,14 +92,8 @@ local handlers = {

 -- #################################################################

-- Indicate risks that are enabled (i.e., configured to generate alerts from the UI)
-local enabled_risks
-
-- #################################################################
-
 function script.setup()
   -- Reset enabled risks. They will be lazily re-initialized inside protocolDetected hook below
-   enabled_risks = nil

   return true -- OK
 end
@ -153,29 +103,11 @@ end
 function script.hooks.protocolDetected(now, conf)
   -- If the flow has any of the nDPI risks...
   if flow.hasRisk() then
-      -- Lazily initialize enabled_risks, if not already initialized
-      if not enabled_risks then
-	 enabled_risks = {}
-
-	 if conf and conf.items then
-	    -- Iterate configuration items, i.e., enabled risks, and
-	    -- add their ids to the enabled_risks table
-	    for _, risk_id in pairs(conf.items) do
-	       -- Risk ids arrive as strings inside items, so the tonumber conversion is needed
-	       enabled_risks[tonumber(risk_id)] = true
-	    end
-	 end
-      end
-
      -- Iterate all the currently detected flow risks
      local all_risks = flow.getRiskInfo()

      for risk_str, risk_id in pairsByValues(all_risks, asc) do
 	 -- If the risk is not among those enabled, just skip it
-	 if not enabled_risks[risk_id] then
-	    goto continue
-	 end
-
 	 local handler
 	 if handlers[risk_id] then
 	    -- There's a dedicated handler implemented for this risk_id. Let's load it as a module
@ -189,8 +121,6 @@ function script.hooks.protocolDetected(now, conf)
 	    -- Handler expect three params, namely flow-, client- and server-scores
 	    handler.handle_risk(risk_id, table.unpack(risk2scores[risk_id] or DEFAULT_SCORES))
 	 end
-
-	 ::continue::
      end
   end
 end