Fixes #4709 unexpected new device plugin (#4728)

* Added unexpected new device plugin, needs review

* Fixes #4709 unexpected new device plugin

Co-authored-by: matteo <biscosi@ntop.org>

scripts/plugins/alerts/security/unexpected_new_device/alert_definitions/alert_unexpected_new_device.lua

@@ -0,0 +1,63 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+local dirs = ntop.getDirs()
+local alert_keys = require "alert_keys"
+local alert_creators = require "alert_creators"
+
+
+-- #######################################################
+
+local function formatUnexpectedNewDevice(ifid, alert, info)
+  -- Pro description
+  if(ntop.isPro()) then
+    package.path = dirs.installdir .. "/pro/scripts/lua/modules/?.lua;" .. package.path
+    local snmp_location = require "snmp_location"
+
+    has_snmp_location = snmp_location.host_has_snmp_location(info.mac)
+    -- The host has an snmp location
+    if has_snmp_location then
+      local access_port = snmp_location.get_host_access_port(info.mac)
+
+      if access_port then
+        return(i18n("unexpected_new_device.status_unexpected_new_device_description_pro", {
+          device = info.device,
+          host_url = getMacUrl(alert.alert_entity_val),
+          snmp_url = snmpDeviceUrl(access_port.snmp_device_ip),
+          device_ip = access_port.snmp_device_ip,
+        }))
+      end
+    end
+  end
+  
+  -- Non enterprise software or the host hasn't an snmp location
+  return(i18n("unexpected_new_device.status_unexpected_new_device_description", {
+    device = info.device,
+    url = getMacUrl(alert.alert_entity_val),
+  }))
+end
+
+-- ##############################################
+
+local function createUnexpectedNewDevice(alert_severity, device, mac)
+  local unexpected_new_device_type = {
+    alert_severity = alert_severity,
+    alert_type_params = {
+       device = device,
+       mac = mac,
+    },
+  }
+
+  return unexpected_new_device_type
+end
+
+-- #######################################################
+
+return {
+  alert_key = alert_keys.ntopng.alert_unexpected_new_device,
+  i18n_title = "unexpected_new_device.alert_unexpected_new_device_title",
+  i18n_description = formatUnexpectedNewDevice,
+  icon = "fas fa-exclamation",
+  creator = createUnexpectedNewDevice,
+}

scripts/plugins/alerts/security/unexpected_new_device/locales/en.lua

@@ -0,0 +1,22 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+return {
+   unexpected_new_device_title = "Unexpected Device Connected",
+   unexpected_new_device_description = "Trigger an alert when an unexpected device connects to the network.",
+
+   -- ####################### Input builder strings
+
+   description = "Comma separated values of allowed MAC Addresses. Example: FF:FF:FF:FF:FF:FF",
+   title = "Allowed MAC Addresses",
+
+   -- ####################### Status strings
+
+   status_unexpected_new_device_description = "Unexpected mac address device <a href=\"%{url}\">%{device}</a> connected to the network.",
+   status_unexpected_new_device_description_pro = "Unexpected mac address device <a href=\"%{host_url}\">%{device}</a> connected to the network. Snmp infos: <a href=\"%{snmp_url}\">%{device_ip}</a>",
+
+   -- ####################### Alert strings
+
+   alert_unexpected_new_device_title = "Unexpected Device Connected"
+}

scripts/plugins/alerts/security/unexpected_new_device/manifest.lua

@@ -0,0 +1,10 @@
+--
+-- (C) 2019-20 - ntop.org
+--
+
+return {
+  title = "Unexpected Device Connected",
+  description = "Trigger an alert when an unexpected device connects to the network.",
+  author = "ntop",
+  dependencies = {},
+}

scripts/plugins/alerts/security/unexpected_new_device/user_scripts/interface/unexpected_new_device.lua

@@ -0,0 +1,119 @@
+--
+-- (C) 2019-20 - ntop.org
+--
+
+local alert_consts = require "alert_consts"
+local alerts_api = require "alerts_api"
+local alert_utils = require "alert_utils"
+local user_scripts = require("user_scripts")
+local callback_utils = require "callback_utils"
+
+local UNEXPECTED_DEV_CONN_PLUGINS_ENABLED_CACHE_KEY = "ntopng.cache.user_scripts.unexpected_new_device_plugins_enabled"
+
+-- #################################################################
+
+local script
+
+-- #################################################################
+
+local function getSavedDeviceNameKey(mac)
+   return "ntopng.cache.devnames." .. mac
+end
+
+-- #################################################################
+
+local function setSavedDeviceName(mac, name)
+   local key = getSavedDeviceNameKey(mac)
+   ntop.setCache(key, name)
+end
+
+-- #################################################################
+
+function getSavedDeviceName(mac)
+   local key = getSavedDeviceNameKey(mac)
+   return ntop.getCache(key)
+end
+
+-- #################################################################
+
+local function check_allowed_mac(params)
+   -- Saving the mac address list into a local variable and swapping keys with value due to performance issues 
+   local mac_list = {}
+
+   for key, mac in ipairs(params.user_script_config.items) do
+      mac_list[mac] = 1
+   end
+
+   -- Retrieving the if id 
+   local ifid = interface.getId()
+   local seen_devices_hash = getFirstSeenDevicesHashKey(ifid)
+   -- Retrieving the list of the addresses already seen
+   local seen_devices = ntop.getHashAllCache(seen_devices_hash) or {}
+
+   -- Loop throught all the devices and check if their mac address was already seen before
+   -- if not checks the mac address permitted list and throw an alarm
+   callback_utils.foreachDevice( getInterfaceName(ifid), 
+                                 function(devicename, devicestats, devicebase)
+      -- note: location is always lan when capturing from a local interface
+      if (not devicestats.special_mac) and (devicestats.location == "lan") then
+         local mac = devicestats.mac
+
+         -- First time we see a device
+         if not seen_devices[mac] then
+            seen_devices[mac] = 1
+            -- Add the mac address to the already seen addresses
+            ntop.setHashCache(seen_devices_hash, mac, tostring(os.time()))
+
+            local device = getDeviceName(mac)
+            setSavedDeviceName(mac, device)
+
+            -- Check if the new mac address is expected or not
+            if not mac_list[mac] then
+               alerts_api.store(
+                  alerts_api.macEntity(mac),
+                  alert_consts.alert_types.alert_unexpected_new_device.create(
+                     alert_consts.alert_severities.warning,
+                     device,
+                     mac
+                  )
+               )
+            end
+         end
+      end
+   end)
+end
+
+-- #################################################################
+
+script = {
+   -- Script category
+   category = user_scripts.script_categories.network,
+
+   default_enabled = true,
+
+   -- This script is only for alerts generation
+   is_alert = true,
+
+   -- Specify the default value whe clicking on the "Reset Default" button
+   default_value = {
+	  items = {},
+   },
+
+   hooks = {
+      min = check_allowed_mac,
+   },
+
+   gui = {
+	i18n_title        = "unexpected_new_device.unexpected_new_device_title",
+	i18n_description  = "unexpected_new_device.unexpected_new_device_description",
+
+	input_builder     = "items_list",
+	item_list_type    = "mac_address",
+	input_title       = i18n("unexpected_new_device.title"),
+	input_description = i18n("unexpected_new_device.description"),
+   },
+}
+
+-- #################################################################
+
+return script