diff --git a/scripts/locales/en.lua b/scripts/locales/en.lua
index 0a14479e51..842d919319 100644
--- a/scripts/locales/en.lua
+++ b/scripts/locales/en.lua
@@ -510,9 +510,9 @@ local lang = {
},
},
["alert_behaviors"] = {
- ["score_behavior"] = "Score Behavior",
- ["traffic_tx_behavior"] = "Traffic TX Behavior",
- ["traffic_rx_behavior"] = "Traffic RX Behavior",
+ ["score_behavior"] = "Score",
+ ["traffic_tx_behavior"] = "Traffic TX",
+ ["traffic_rx_behavior"] = "Traffic RX",
},
["alert_entities"] = {
["am_host"] = "Active Monitoring",
@@ -542,7 +542,7 @@ local lang = {
["device_has_disconnected"] = "The device %{device} has disconnected from the network.",
["flow_flood_attacker"] = "%{entity}%{host_category} is a flow flooder [%{value} > %{threshold} client flows/sec for ~3 sec]",
["flow_flood_victim"] = "%{entity}%{host_category} is under flow flood attack [%{value} > %{threshold} server flows/sec for ~3 sec]",
- ["flow_number_anomaly"] = "Detected %{role} flow number anomaly for host %{host}",
+ ["flow_number_anomaly"] = "%{role} Flows: %{value}[Expected Range: %{lower_bound} ... %{upper_bound}]",
["host_alert_dangerous_host"] = "Score limit exceeded by %{entity}. Dangerous host [Score: %{score}][Duration: %{duration} mins]",
["host_alert_dns_server_contacts"] = "Too many DNS servers contacted by %{entity} [%{value} > %{threshold} servers]",
["host_alert_dns_traffic"] = "DNS traffic exceeded by %{entity} [%{value} %{op} %{threshold}]",
@@ -589,7 +589,7 @@ local lang = {
["proto_time_quotas"] = "%{proto} time",
["remote_to_local_insecure_proto"] = "Remote to Local Insecure Protocol [Category: %{ndpi_category}][Breed: %{ndpi_breed}]",
["remote_to_remote"] = "Remote %{entity}%{host_category} contacted a remote host",
- ["score_number_anomaly"] = "Detected score anomaly as %{role} [Score: %{score}][Lower Bound: %{lower_bound}][Upper Bound: %{upper_bound}][Cybersecurity Score: %{security}% | Network Score: %{network}%]",
+ ["score_number_anomaly"] = "%{role} Score: %{score}[Expected Range: %{lower_bound} ... %{upper_bound}]",
["shell_script_executed"] = "Shell script '%{script_exec_comm}' executed in response of an alert: '%{alert_type}'",
["slow_periodic_activity"] = "Periodic activity \"%{script}\" running for too long [more than %{max_duration}] or executed too late (blocked in queue).",
["slow_purge"] = "Hash table idle entries purging on %{iface} is too slow. This could lead to high memory utilization, data accuracy loss and missing alerts. [%{idle}%% > %{max_idle}%%]",
@@ -838,7 +838,7 @@ local lang = {
["total_alerts"] = "Total Alerts",
["trailing_msg"] = "Time Window",
["trailing_msg_compact"] = "Window",
- ["unexpected_behavior_anomaly_description"] = "%{entity} [%{type_of_behaviour}][Value: %{value}][Expected Range: %{lower_bound} ... %{upper_bound}]",
+ ["unexpected_behavior_anomaly_description"] = "%{entity} %{href} [%{type_of_behaviour}: %{value} | Expected Range: %{lower_bound} ... %{upper_bound}]",
["unexpected_host_behavior_description"] = "%{host} [%{type_of_behaviour}][Value: %{value}][Expected Range: %{lower_bound} ... %{upper_bound}]",
["unexpected_host_behaviour_act_flows_title"] = "Unexpected Host Active Flows Behaviour",
["unexpected_host_behaviour_contacts_title"] = "Unexpected Host Contacts Behaviour",
diff --git a/scripts/lua/modules/alert_definitions/host/host_alert_flow_anomaly.lua b/scripts/lua/modules/alert_definitions/host/host_alert_flow_anomaly.lua
index e61057892c..9e0d6a62e0 100644
--- a/scripts/lua/modules/alert_definitions/host/host_alert_flow_anomaly.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_flow_anomaly.lua
@@ -46,28 +46,26 @@ end
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function host_alert_flow_anomaly.format(ifid, alert, alert_type_params)
- local alert_consts = require("alert_consts")
- local json = json.decode(alert.json)
- local is_both = alert_type_params["is_both"]
- local is_client_alert = alert_type_params["is_client_alert"]
- local role
- local host = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
+ local is_both = alert_type_params["is_both"]
+ local is_client_alert = alert_type_params["is_client_alert"]
+ local role
- if(is_both) then
- role = "client and server"
- elseif(is_client_alert) then
- role = "client"
- else
- role = "server"
- end
+ tprint(alert_type_params)
- return i18n("alert_messages.flow_number_anomaly", {
- role = role,
- host = host,
- value = alert_type_params["value"],
- lower_bound = alert_type_params["lower_bound"],
- upper_bound = alert_type_params["upper_bound"],
- })
+ if(is_both) then
+ role = i18n("client_and_server")
+ elseif(is_client_alert) then
+ role = i18n("client")
+ else
+ role = i18n("server")
+ end
+
+return i18n("alert_messages.flow_number_anomaly", {
+ role = role,
+ value = alert_type_params["value"],
+ lower_bound = alert_type_params["lower_bound"],
+ upper_bound = alert_type_params["upper_bound"],
+})
end
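Review bot: `tprint(alert_type_params)` on the new side looks like a leftover debug statement; it runs on every call to host_alert_flow_anomaly.format and dumps the whole alert parameter table to the log, so it should be deleted before merge. The new `return i18n("alert_messages.flow_number_anomaly", { ... })` block is also written at column 0 while the rest of the function body is indented; re-indent it to match the `if` block above it. Note too that `host` is no longer passed to the template and the matching locale string dropped `%{host}`, so the formatted message alone no longer names the affected host; if the caller renders the entity separately (the `%{entity}` in `unexpected_behavior_anomaly_description` suggests it does) that is fine, otherwise the `host = host` entry should be kept.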
-- #######################################################
diff --git a/scripts/lua/modules/alert_definitions/host/host_alert_score_anomaly.lua b/scripts/lua/modules/alert_definitions/host/host_alert_score_anomaly.lua
index 24a2464945..7c6caee2ba 100644
--- a/scripts/lua/modules/alert_definitions/host/host_alert_score_anomaly.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_score_anomaly.lua
@@ -81,18 +81,13 @@ function host_alert_score_anomaly.format(ifid, alert, alert_type_params)
local is_both = alert_type_params["is_both"]
local role
local host = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
- local sec_cat = 0
- local net_cat = 0
if(is_both) then
role = i18n("client_and_server")
- net_cat, sec_cat = get_problematic_category(alert_type_params, true)
elseif(is_client_alert) then
role = i18n("client")
- net_cat, sec_cat = get_problematic_category(alert_type_params, nil, "client")
else
role = i18n("server")
- net_cat, sec_cat = get_problematic_category(alert_type_params, nil, "server")
end
return i18n("alert_messages.score_number_anomaly", {
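Review bot: `local host = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])` on the context line is still computed, but with the category lookups removed and the new `score_number_anomaly` template taking only role, score and bounds it may no longer be read; if the i18n table below no longer passes `host`, drop that local so luacheck does not flag dead code. The same applies to `get_problematic_category`, which no longer has a caller in this hunk — remove the helper if this was its only use. host_alert_score_anomaly.format starts before this hunk, so I cannot see whether `host` is referenced elsewhere in the function.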
@@ -101,8 +96,6 @@ function host_alert_score_anomaly.format(ifid, alert, alert_type_params)
score = alert_type_params["value"],
lower_bound = alert_type_params["lower_bound"],
upper_bound = alert_type_params["upper_bound"],
- network = net_cat,
- security = sec_cat,
})
end