vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-05-02 00:40:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Syn/flow flood alerts now use their own alert type

Browse source
This commit is contained in:
emanuele-f 2019-08-26 17:35:44 +02:00
parent a3821b5327
commit b0ba13f0bc
13 changed files with 102 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

80
scripts/lua/modules/alert_consts.lua
View file

@ -29,50 +29,10 @@ alert_consts.alert_severities = {
}
}
-- ##############################################
alert_consts.CONST_DEFAULT_PACKETS_DROP_PERCENTAGE_ALERT = 5
-- ##############################################
local function formatSynFlood(ifid, engine, entity_type, entity_value, entity_info, alert_key, alert_info)
if entity_info.anomalies ~= nil then
if (alert_key == "syn_flood_attacker") and (entity_info.anomalies.syn_flood_attacker ~= nil) then
local anomaly_info = entity_info.anomalies.syn_flood_attacker
return firstToUpper(formatAlertEntity(ifid, entity_type, entity_value, entity_info)).." is a SYN Flooder ("..
(anomaly_info.last_trespassed_hits).." SYN sent in "..secondsToTime(anomaly_info.over_threshold_duration_sec)..")"
elseif (alert_key == "syn_flood_victim") and (entity_info.anomalies.syn_flood_victim ~= nil) then
local anomaly_info = entity_info.anomalies.syn_flood_victim
return firstToUpper(formatAlertEntity(ifid, entity_type, entity_value, entity_info)).." is under SYN flood attack ("..
(anomaly_info.last_trespassed_hits).." SYN received in "..secondsToTime(anomaly_info.over_threshold_duration_sec)..")"
end
end
return ""
end
-- ##############################################
local function formatFlowsFlood(ifid, engine, entity_type, entity_value, entity_info, alert_key, alert_info)
if entity_info.anomalies ~= nil then
if (alert_key == "flows_flood_attacker") and (entity_info.anomalies.flows_flood_attacker) then
local anomaly_info = entity_info.anomalies.flows_flood_attacker
return firstToUpper(formatAlertEntity(ifid, entity_type, entity_value, entity_info)).." is a Flooder ("..
(anomaly_info.last_trespassed_hits).." flows sent in "..secondsToTime(anomaly_info.over_threshold_duration_sec)..")"
elseif (alert_key == "flows_flood_victim") and (entity_info.anomalies.flows_flood_victim) then
local anomaly_info = entity_info.anomalies.flows_flood_victim
return firstToUpper(formatAlertEntity(ifid, entity_type, entity_value, entity_info)).." is under flood attack ("..
(anomaly_info.last_trespassed_hits).." flows received in "..secondsToTime(anomaly_info.over_threshold_duration_sec)..")"
end
end
return ""
end
-- ##############################################
local function formatAlertEntity(ifid, entity_type, entity_value)
require "flow_utils"
local value
@ -138,6 +98,46 @@ end
-- ##############################################
local function formatSynFlood(ifid, alert, threshold_info)
local entity = formatAlertEntity(ifid, alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
if(alert.alert_subtype == "syn_flood_attacker") then
return i18n("alert_messages.syn_flood_attacker", {
entity = firstToUpper(entity),
value = string.format("%u", math.ceil(threshold_info.value)),
threshold = threshold_info.threshold,
})
else
return i18n("alert_messages.syn_flood_victim", {
entity = firstToUpper(entity),
value = string.format("%u", math.ceil(threshold_info.value)),
threshold = threshold_info.threshold,
})
end
end
-- ##############################################
local function formatFlowsFlood(ifid, alert, threshold_info)
local entity = formatAlertEntity(ifid, alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
if(alert.alert_subtype == "flow_flood_attacker") then
return i18n("alert_messages.flow_flood_attacker", {
entity = firstToUpper(entity),
value = string.format("%u", math.ceil(threshold_info.value)),
threshold = threshold_info.threshold,
})
else
return i18n("alert_messages.flow_flood_victim", {
entity = firstToUpper(entity),
value = string.format("%u", math.ceil(threshold_info.value)),
threshold = threshold_info.threshold,
})
end
end
-- ##############################################
local function formatMisconfiguredApp(ifid, alert, threshold_info)
local entity = formatAlertEntity(ifid, alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])