Merge branch 'host-user-scripts' into dev

This commit is contained in:
Simone Mainardi 2021-04-03 10:18:09 +02:00
commit b12fc91a6b
346 changed files with 6355 additions and 2946 deletions


@ -0,0 +1,76 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
local flow_alert_keys = require "flow_alert_keys"
local alert_severities = require "alert_severities"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_blacklisted_country = classes.class(alert)
-- ##############################################
alert_blacklisted_country.meta = {
alert_key = flow_alert_keys.flow_alert_blacklisted_country,
i18n_title = "alerts_dashboard.blacklisted_country",
icon = "fas fa-exclamation",
has_victim = true,
has_attacker = true,
-- Default values
default = {
-- Default severity, must be one of `alert_severities` and can overridden from the UI
severity = alert_severities.error,
-- Fitlters to be applied on the alert, e.g., cli_port=23
filters = {},
}
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param alert_severity A severity as defined in `alert_severities`
-- @param cli_country ISO 3166-1 alpha-2 client country code
-- @param srv_country ISO 3166-1 alpha-2 server country code
-- @param cli_blacklisted Boolean indicating whether the client belongs to a blacklisted country
-- @param srv_blacklisted Boolean indicating whether the server belongs to a blacklisted country
-- @return A table with the alert built
function alert_blacklisted_country:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_blacklisted_country.format(ifid, alert, alert_type_params)
if not alert_type_params then
return i18n("alerts_dashboard.blacklisted_country")
end
if alert_type_params["cli_blacklisted"] and alert_type_params["srv_blacklisted"] then
return(i18n("alerts_dashboard.client_and_server_countries_blacklisted", {
cli_country = alert_type_params["cli_country"],
srv_country = alert_type_params["srv_country"],
}))
elseif alert_type_params["srv_blacklisted"] then
return(i18n("alerts_dashboard.server_country_blacklisted", {country = alert_type_params["srv_country"]}))
elseif alert_type_params["cli_blacklisted"] then
return(i18n("alerts_dashboard.client_country_blacklisted", {country = alert_type_params["cli_country"]}))
end
return i18n("alerts_dashboard.blacklisted_country")
end
-- #######################################################
return alert_blacklisted_country
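Review bot: The doc block above `alert_blacklisted_country:init()` lists `alert_severity`, `cli_country`, `srv_country`, `cli_blacklisted` and `srv_blacklisted`, but the constructor takes no arguments and only calls `self.super:init()`, so those `@param` lines describe a signature that does not exist; the same stale parameter comments sit on `init` in alert_connection_issues, alert_device_protocol_not_allowed, alert_elephant_flow, external_alert, alert_flow_blacklisted, alert_flow_low_goodput, alert_flow_risk, both alert_iec_* modules, alert_internals, alert_known_proto_on_non_std_port and alert_longlived. Either trim them to `-- @brief Prepare an alert table used to generate the alert` / `-- @return A table with the alert built`, or replace them with a comment naming where the keys that `format` reads (`cli_blacklisted`, `srv_country`, …) are actually populated, since it is not this module. `alert_blacklisted_country.format` also lacks the `@brief`/`@param`/`@return` block that every sibling module carries. The `alert` parameter of `format` shadows the module-level `local alert = require "alert"` in this and every sibling file; renaming the require (for example to `alert_base`) would remove the ambiguity. Minor: `Fitlters` in the `default.filters` comment is a typo.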


@ -0,0 +1,58 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
local format_utils = require "format_utils"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_connection_issues = classes.class(alert)
-- ##############################################
alert_connection_issues.meta = {
alert_key = flow_alert_keys.flow_alert_tcp_connection_issues,
i18n_title = "alerts_dashboard.connection_issues",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param alert_severity A severity as defined in `alert_severities`
-- @param tcp_stats A lua table with TCP stats obtained with flow.getTCPStats
-- @param cli2srv_pkts Number of packets sent from the client to the server
-- @param srv2cli_pkts Number of packets sent from the server to the client
-- @param is_severe A boolean indicating whether connection issues are severe
-- @param client_issues A boolean indicating if the client has connection issues
-- @param server_issues A boolean indicating if the server has connection issues
-- @return A table with the alert built
function alert_connection_issues:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_connection_issues.format(ifid, alert, alert_type_params)
local res = format_utils.formatConnectionIssues(alert_type_params)
return res
end
-- #######################################################
return alert_connection_issues
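Review bot: `require "flow_alert_keys"` runs on the line before `package.path` is extended with the modules directory, so whether it resolves depends on the caller having already set up the path, whereas alert_blacklisted_country extends `package.path` before its first `require`. Moving the `package.path` line above the first `require` makes the module self-contained regardless of load order. `format` also hands `alert_type_params` straight to `format_utils.formatConnectionIssues` with none of the nil fallback the other formatters have; whether that helper tolerates a nil table cannot be seen from here, so a one-line guard returning `i18n("alerts_dashboard.connection_issues")` would be cheap insurance. The `local res = ...; return res` pair can be a single `return format_utils.formatConnectionIssues(alert_type_params)`.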


@ -0,0 +1,48 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_data_exfiltration = classes.class(alert)
-- ##############################################
alert_data_exfiltration.meta = {
alert_key = flow_alert_keys.flow_alert_data_exfiltration,
i18n_title = "flow_details.data_exfiltration",
icon = "fas fa-exclamation",
status_keep_increasing_scores = true, -- Keep increasing the score so the longer the flow, the higher the score
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_data_exfiltration:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_data_exfiltration.format(ifid, alert, alert_type_params)
return i18n("flow_details.data_exfiltration")
end
-- #######################################################
return alert_data_exfiltration


@ -0,0 +1,80 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_device_protocol_not_allowed = classes.class(alert)
-- ##############################################
alert_device_protocol_not_allowed.meta = {
alert_key = flow_alert_keys.flow_alert_device_protocol_not_allowed,
i18n_title = "alerts_dashboard.suspicious_device_protocol",
icon = "fas fa-exclamation",
has_victim = true,
has_attacker = true,
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param alert_severity A severity as defined in `alert_severities`
-- @param cli_devtype A string with the device type of the client
-- @param srv_devtype A string with the device type of the server
-- @param devproto_forbidden_peer A string with the forbidden peer, one of 'cli' or 'srv'
-- @param devproto_forbidden_id The nDPI ID of the forbidden application protocol
-- @return A table with the alert built
function alert_device_protocol_not_allowed:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_device_protocol_not_allowed.format(ifid, alert, alert_type_params)
local msg, devtype
if ((not alert_type_params) or (alert_type_params == "")) then
return i18n("alerts_dashboard.suspicious_device_protocol")
end
local discover = require("discover_utils")
local forbidden_proto = alert_type_params["devproto_forbidden_id"] or 0
if (alert_type_params["devproto_forbidden_peer"] == "cli") then
msg = "flow_details.suspicious_client_device_protocol"
devtype = alert_type_params["cli.devtype"]
else
msg = "flow_details.suspicious_server_device_protocol"
devtype = alert_type_params["srv.devtype"]
end
if(devtype == nil) then
return i18n("alerts_dashboard.suspicious_device_protocol")
end
local label = discover.devtype2string(devtype)
return i18n(msg, {proto=interface.getnDPIProtoName(forbidden_proto), devtype=label,
url=getDeviceProtocolPoliciesUrl("device_type="..
devtype.."&l7proto="..forbidden_proto)})
end
-- #######################################################
return alert_device_protocol_not_allowed
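Review bot: `getDeviceProtocolPoliciesUrl("device_type=".. devtype.."&l7proto="..forbidden_proto)` interpolates two values read from the stored alert record into a query string with no encoding or type check, and `label` goes into `i18n` the same way; if a stored `cli.devtype`/`srv.devtype` is ever a non-numeric string, it lands in the rendered link unescaped. Since `discover.devtype2string(devtype)` implies a numeric id, coercing first and falling back to the generic title keeps the link well-formed: `devtype = tonumber(devtype); if not devtype then return i18n("alerts_dashboard.suspicious_device_protocol") end`. The `alert_type_params == ""` test compares what is otherwise treated as a table against a string, which a table can never equal; `not alert_type_params` already covers the missing case. The keys `cli.devtype`/`srv.devtype` use dot notation while `devproto_forbidden_id`/`devproto_forbidden_peer` use underscores, and because `init` stores nothing, a comment naming the producer of these keys would help the next reader.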


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_dns_data_exfiltration = classes.class(alert)
-- ##############################################
alert_dns_data_exfiltration.meta = {
alert_key = flow_alert_keys.flow_alert_dns_data_exfiltration,
i18n_title = "flow_details.dns_data_exfiltration",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_dns_data_exfiltration:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_dns_data_exfiltration.format(ifid, alert, alert_type_params)
return i18n("flow_details.dns_data_exfiltration")
end
-- #######################################################
return alert_dns_data_exfiltration


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_dns_invalid_query = classes.class(alert)
-- ##############################################
alert_dns_invalid_query.meta = {
alert_key = flow_alert_keys.flow_alert_dns_invalid_query,
i18n_title = "flow_details.dns_invalid_query",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_dns_invalid_query:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_dns_invalid_query.format(ifid, alert, alert_type_params)
return i18n("flow_details.dns_invalid_query")
end
-- #######################################################
return alert_dns_invalid_query


@ -0,0 +1,54 @@
--
-- (C) 2019-21 - ntop.org
--
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_elephant_flow = classes.class(alert)
-- ##############################################
alert_elephant_flow.meta = {
alert_key = flow_alert_keys.flow_alert_elephant_flow,
i18n_title = "flow_details.elephant_flow",
icon = "fas fa-exclamation",
}
-- #######################################################
-- @brief Prepare an alert table used to generate the alert
-- @param l2r_threshold Local-to-Remote threshold, in bytes, for a flow to be considered an elephant
-- @param r2l_threshold Remote-to-Local threshold, in bytes, for a flow to be considered an elephant
-- @return A table with the alert built
function alert_elephant_flow:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_elephant_flow.format(ifid, alert, alert_type_params)
return formatElephantAlertType(alert_type_params)
end
-- #######################################################
return alert_elephant_flow
-- #######################################################
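Review bot: `alert_elephant_flow.format` calls `formatElephantAlertType`, which is neither required nor defined in this file, so the module works only if some earlier script has already loaded that global; alert_connection_issues instead requires `format_utils` and calls its helper through the local. If the helper lives in a module, require it at the top as a local; otherwise add a comment naming where it is defined. The copyright header is also pasted twice (two consecutive `-- (C) 2019-21 - ntop.org` blocks).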


@ -0,0 +1,74 @@
--
-- (C) 2019-20 - ntop.org
--
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local external_alert = classes.class(alert)
-- ##############################################
external_alert.meta = {
alert_key = flow_alert_keys.flow_alert_external,
i18n_title = "alerts_dashboard.external_alert",
icon = "fas fa-eye",
status_keep_increasing_scores = true, -- Every time an external alert is set, scores are increased accordingly
}
-- #######################################################
-- @brief Prepare an alert table used to generate the alert
-- @param info A generic table decoded from a JSON originated at the external alert source
-- @return A table with the alert built
function external_alert:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
local function formatIDSAlert(alert)
local alert_consts = require "alert_consts"
local signature = (alert and alert.signature)
local category = (alert and alert.category)
local signature_info = (signature and signature:split(" "));
local maker = (signature_info and table.remove(signature_info, 1))
local scope = (signature_info and table.remove(signature_info, 1))
local msg = (signature_info and table.concat(signature_info, " "))
if maker and alert_consts.ids_rule_maker[maker] then
maker = alert_consts.ids_rule_maker[maker]
end
return i18n("flow_details.ids_alert", { scope=scope, msg=msg, maker=maker })
end
-- #######################################################
function external_alert.format(ifid, alert, alert_type_params)
local res = i18n("alerts_dashboard.external_alert")
if not alert_type_params then
return res
end
-- Available fields:
-- alert_type_params.source (e.g. suricata)
-- alert_type_params.severity_id (custom severity)
-- alert_type_params.alert (alert metadata)
if alert_type_params.source == "suricata" then
res = formatIDSAlert(alert_type_params.alert)
end
return res
end
-- #######################################################
return external_alert
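Review bot: `formatIDSAlert` passes `maker`, `scope` and `msg` — text split verbatim from a Suricata signature that originates outside ntopng — into `i18n("flow_details.ids_alert", ...)` and the result is returned for display; the hunk does not show whether `i18n` HTML-escapes its substitutions, so if it does not, a rule name carrying markup would be rendered as-is in the alerts page. Confirm the escaping behaviour of `i18n` or escape the three values before substitution. `signature:split(" ")` relies on a `split` method added to the string metatable elsewhere in the project, which deserves a comment since it is not standard Lua. The `category` local is computed and never used.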


@ -0,0 +1,80 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_flow_blacklisted = classes.class(alert)
-- ##############################################
alert_flow_blacklisted.meta = {
alert_key = flow_alert_keys.flow_alert_blacklisted,
i18n_title = "alerts_dashboard.blacklisted_flow",
icon = "fas fa-exclamation",
has_victim = true,
has_attacker = true,
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param info A flow info table fetched with `flow.getBlacklistedInfo()`
-- @return A table with the alert built
function alert_flow_blacklisted:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_flow_blacklisted.format(ifid, alert, alert_type_params)
local who = {}
if not alert_type_params then
return i18n("flow_details.blacklisted_flow")
end
if alert_type_params["blacklisted.cli"] then
who[#who + 1] = i18n("client")
end
if alert_type_params["blacklisted.srv"] then
who[#who + 1] = i18n("server")
end
-- if either the client or the server is blacklisted
-- then also the category is blacklisted so there's no need
-- to check it.
-- Domain is basically the union of DNS names, SSL CNs and HTTP hosts.
if #who == 0 and alert_type_params["blacklisted.cat"] then
who[#who + 1] = i18n("domain")
end
if #who == 0 then
return i18n("flow_details.blacklisted_flow")
end
local res = i18n("flow_details.blacklisted_flow_detailed", {who = table.concat(who, ", ")})
return res
end
-- #######################################################
return alert_flow_blacklisted
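Review bot: The fallback strings in `format` use `flow_details.blacklisted_flow` while `meta.i18n_title` is `alerts_dashboard.blacklisted_flow`; every other alert in this commit returns its `i18n_title` key as the fallback, so either the two keys are deliberately different translations or one is a leftover — a comment on the fallback would settle it. The `local res = i18n(...); return res` pair at the end can be a single `return i18n("flow_details.blacklisted_flow_detailed", {who = table.concat(who, ", ")})`, matching the early returns above it.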


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_flow_blocked = classes.class(alert)
-- ##############################################
alert_flow_blocked.meta = {
alert_key = flow_alert_keys.flow_alert_flow_blocked,
i18n_title = "flow_details.flow_blocked_by_bridge",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_flow_blocked:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_flow_blocked.format(ifid, alert, alert_type_params)
return i18n("flow_details.flow_blocked_by_bridge")
end
-- #######################################################
return alert_flow_blocked


@ -0,0 +1,57 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
local format_utils = require("format_utils")
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_flow_low_goodput = classes.class(alert)
-- ##############################################
alert_flow_low_goodput.meta = {
alert_key = flow_alert_keys.flow_alert_low_goodput,
i18n_title = "alerts_dashboard.flow_low_goodput",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param alert_severity A severity as defined in `alert_severities`
-- @return A table with the alert built
function alert_flow_low_goodput:init(goodput_ratio)
-- Call the parent constructor
self.super:init()
self.alert_type_params = {
goodput_ratio = goodput_ratio
}
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_flow_low_goodput.format(ifid, alert, alert_type_params)
if alert_type_params and alert_type_params.goodput_ratio then
return i18n("flow_details.flow_low_goodput", { ratio = format_utils.round(alert_type_params.goodput_ratio, 2) })
end
end
-- #######################################################
return alert_flow_low_goodput
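Review bot: `alert_flow_low_goodput.format` returns nothing when `alert_type_params` or `goodput_ratio` is missing, although its doc block promises a human-readable string and every other formatter in this commit falls back to its title; a caller concatenating the result would then fail on nil. Add `return i18n("alerts_dashboard.flow_low_goodput")` after the `if` block. `alert_known_proto_on_non_std_port.format` has the same problem in a stronger form — it is a bare `return`, so it always yields nil — and `return i18n("alerts_dashboard.known_proto_on_non_std_port")` gives it the documented behaviour. The `@param alert_severity` line on `init` should also become `@param goodput_ratio`, the argument the constructor actually stores in `self.alert_type_params`.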


@ -0,0 +1,59 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
local flow_risk_utils = require "flow_risk_utils"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_flow_risk = classes.class(alert)
-- ##############################################
alert_flow_risk.meta = {
alert_key = flow_alert_keys.flow_alert_flow_risk,
i18n_title = "alerts_dashboard.flow_risk",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param risk_id Integer nDPI flow risk identifier
-- @return A table with the alert built
function alert_flow_risk:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_flow_risk.format(ifid, alert, alert_type_params)
-- No need to do special formatting of flow risk here, risks are already formatted
-- inside the flow details page
local res = i18n("alerts_dashboard.flow_risk")
if((alert_type_params ~= nil) and alert_type_params.risk_id) then
res = flow_risk_utils.risk_id_2_i18n(alert_type_params.risk_id)
end
return res
end
-- #######################################################
return alert_flow_risk


@ -0,0 +1,55 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
local json = require "dkjson"
local format_utils = require "format_utils"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_iec_invalid_transition = classes.class(alert)
-- ##############################################
alert_iec_invalid_transition.meta = {
alert_key = flow_alert_keys.flow_alert_iec_invalid_transition,
i18n_title = "alerts_dashboard.iec_invalid_transition",
icon = "fas fa-subway",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param last_error A string with the lastest influxdb error
-- @return A table with the alert built
function alert_iec_invalid_transition:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_iec_invalid_transition.format(ifid, alert, alert_type_params)
local rsp = "[TypeId: ".. alert_type_params.from .. " -> ".. alert_type_params.to .. "]"
-- tprint(rsp)
return(rsp)
end
-- #######################################################
return alert_iec_invalid_transition
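Review bot: `alert_iec_invalid_transition.format` concatenates `alert_type_params.from` and `.to` with no check that the table or the fields exist, so a record missing either raises "attempt to concatenate a nil value" instead of degrading to the title as the other formatters do; `if not alert_type_params or not alert_type_params.from or not alert_type_params.to then return i18n("alerts_dashboard.iec_invalid_transition") end` before the concatenation covers it, and alert_iec_unexpected_type_id needs the same guard for `cause_tx`/`type_id`/`asdu`. `json` and `format_utils` are required but unused in both files, and the `-- tprint(rsp)` debugging line can go. The `@param last_error A string with the lastest influxdb error` on `init` is copy-paste residue from an unrelated alert.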


@ -0,0 +1,61 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
local json = require "dkjson"
local format_utils = require "format_utils"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_iec_unexpected_type_id = classes.class(alert)
-- ##############################################
alert_iec_unexpected_type_id.meta = {
alert_key = flow_alert_keys.flow_alert_iec_unexpected_type_id,
i18n_title = "alerts_dashboard.iec_unexpected_type_id",
icon = "fas fa-subway",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param last_error A string with the lastest influxdb error
-- @return A table with the alert built
function alert_iec_unexpected_type_id:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_iec_unexpected_type_id.format(ifid, alert, alert_type_params)
local rsp = "[CauseTX: "..alert_type_params.cause_tx.."][TypeId: "..alert_type_params.type_id.."][ASDU: ".. alert_type_params.asdu.."][Negative: "
-- tprint(alert_type_params)
if(alert_type_params.negatiive == false) then
rsp = rsp .. "True]"
else
rsp = rsp .. "False]"
end
return(rsp)
end
-- #######################################################
return alert_iec_unexpected_type_id
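Review bot: The comparison `alert_type_params.negatiive == false` reads a misspelled key, so unless the producer writes that exact misspelling the value is always nil, the test is always false, and the output is always `[Negative: False]`; on top of that the branch appends `True]` when the field is false, which reads inverted. If the stored field is `negative` (not verifiable here, since `init` stores nothing), the whole if/else collapses to `rsp = rsp .. (alert_type_params.negative and "True]" or "False]")`. The `-- tprint(alert_type_params)` line is leftover debugging.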


@ -0,0 +1,39 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_internals = classes.class(alert)
-- ##############################################
alert_internals.meta = {
alert_key = flow_alert_keys.flow_alert_internals,
i18n_title = "flow_details.not_purged",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param one_flow_param The first alert param
-- @param another_flow_param The second alert param
-- @return A table with the alert built
function alert_internals:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
return alert_internals


@ -0,0 +1,51 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_known_proto_on_non_std_port = classes.class(alert)
-- ##############################################
alert_known_proto_on_non_std_port.meta = {
alert_key = flow_alert_keys.flow_alert_known_proto_on_non_std_port,
i18n_title = "alerts_dashboard.known_proto_on_non_std_port",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param alert_severity A severity as defined in `alert_severities`
-- @param info A lua table containing flow information obtained with `flow.getInfo()`
-- @return A table with the alert built
function alert_known_proto_on_non_std_port:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_known_proto_on_non_std_port.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_known_proto_on_non_std_port


@ -0,0 +1,65 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_longlived = classes.class(alert)
-- ##############################################
alert_longlived.meta = {
alert_key = flow_alert_keys.flow_alert_longlived,
i18n_title = "flow_details.longlived_flow",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param longlived_threshold Threshold, in seconds, for a flow to be considered longlived
-- @return A table with the alert built
function alert_longlived:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_longlived.format(ifid, alert, alert_type_params)
local threshold = ""
local res = i18n("flow_details.longlived_flow")
if not alert_type_params then
return res
end
if alert_type_params["longlived.threshold"] then
threshold = alert_type_params["longlived.threshold"]
end
res = string.format("%s<sup><i class='fas fa-info-circle' aria-hidden='true' title='"..i18n("flow_details.longlived_flow_descr").."'></i></sup>", res)
if threshold ~= "" then
res = string.format("%s [%s]", res, i18n("flow_details.longlived_exceeded", {amount = secondsToTime(threshold)}))
end
return res
end
-- #######################################################
return alert_longlived
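Review bot: The `@param longlived_threshold` line on the `alert_longlived:init` doc block documents an argument that `init()` does not take; drop it or replace it with `-- @note the threshold is read from alert_type_params["longlived.threshold"] at format time`. In `format`, the translated description is spliced by string concatenation into a single-quoted `title` attribute, so an apostrophe in any translation breaks the markup; passing that value (and `secondsToTime(threshold)`) through whatever HTML-attribute escaping helper the codebase provides would be safer than relying on translations being attribute-safe. The same doc/argument mismatch appears on `alert_remote_to_local_insecure_proto:init` and `alert_suspicious_file_transfer:init`, which document `one_flow_param` and `another_flow_param` that the constructors do not accept.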


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_malicious_signature = classes.class(alert)
-- ##############################################
alert_malicious_signature.meta = {
alert_key = flow_alert_keys.flow_alert_malicious_signature,
i18n_title = "alerts_dashboard.malicious_signature_detected",
icon = "fas fa-ban",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_malicious_signature:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_malicious_signature.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_malicious_signature
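Review bot: `alert_malicious_signature.format` is documented with `@return A human-readable string` but its body is a bare `return`, so callers receive `nil`; presumably the caller then falls back to `meta.i18n_title`, but the doc should say so, e.g. `-- @return nil; the generic title from meta.i18n_title is used instead`, or the function should return `i18n("alerts_dashboard.malicious_signature_detected")` the way `alert_potentially_dangerous_protocol.format` returns its title key. The same documented-string/bare-return mismatch is in `alert_suspicious_tcp_syn_probing.format` and `alert_tcp_connection_refused.format`.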


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_dns_suspicious_traffic = classes.class(alert)
-- ##############################################
alert_ndpi_dns_suspicious_traffic.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_dns_suspicious_traffic,
i18n_title = "alerts_dashboard.ndpi_dns_suspicious_traffic_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_dns_suspicious_traffic:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_dns_suspicious_traffic.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_dns_suspicious_traffic
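Review bot: `package.path` is extended on line 873 only after `require "flow_alert_keys"` on line 872 has already run, so that module is only found if the caller already set up `package.path`; move the `package.path = dirs.installdir .. ...` assignment above the first `require` (and note that `dirs` is a bare global the file assumes is defined). `alert_ndpi_dns_suspicious_traffic.format` also lacks the `@brief`/`@param`/`@return` doc block that `alert_longlived.format` and the other documented formatters carry, even though it returns `nil` rather than a string. Both points apply to every `alert_ndpi_*` file in this commit, from `alert_ndpi_http_numeric_ip_host` through `alert_ndpi_url_possible_xss`, as well as to `alert_remote_to_local_insecure_proto` and `alert_remote_to_remote`.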


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_http_numeric_ip_host = classes.class(alert)
-- ##############################################
alert_ndpi_http_numeric_ip_host.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_http_numeric_ip_host,
i18n_title = "alerts_dashboard.ndpi_http_numeric_ip_host_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_http_numeric_ip_host:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_http_numeric_ip_host.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_http_numeric_ip_host


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_http_suspicious_header = classes.class(alert)
-- ##############################################
alert_ndpi_http_suspicious_header.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_http_suspicious_header,
i18n_title = "alerts_dashboard.ndpi_http_suspicious_header_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_http_suspicious_header:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_http_suspicious_header.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_http_suspicious_header


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_http_suspicious_url = classes.class(alert)
-- ##############################################
alert_ndpi_http_suspicious_url.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_http_suspicious_url,
i18n_title = "alerts_dashboard.ndpi_http_suspicious_url_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_http_suspicious_url:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_http_suspicious_url.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_http_suspicious_url


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_http_suspicious_user_agent = classes.class(alert)
-- ##############################################
alert_ndpi_http_suspicious_user_agent.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_http_suspicious_user_agent,
i18n_title = "alerts_dashboard.ndpi_http_suspicious_user_agent_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_http_suspicious_user_agent:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_http_suspicious_user_agent.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_http_suspicious_user_agent


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_malformed_packet = classes.class(alert)
-- ##############################################
alert_ndpi_malformed_packet.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_malformed_packet,
i18n_title = "alerts_dashboard.ndpi_malformed_packet_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_malformed_packet:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_malformed_packet.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_malformed_packet


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_smb_insecure_version = classes.class(alert)
-- ##############################################
alert_ndpi_smb_insecure_version.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_smb_insecure_version,
i18n_title = "alerts_dashboard.ndpi_smb_insecure_version_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_smb_insecure_version:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_smb_insecure_version.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_smb_insecure_version


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_ssh_obsolete = classes.class(alert)
-- ##############################################
alert_ndpi_ssh_obsolete.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_ssh_obsolete,
i18n_title = "alerts_dashboard.ndpi_ssh_obsolete_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_ssh_obsolete:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_ssh_obsolete.format(ifid, alert, alert_type_params)
if alert_type_params["risk_id"] == 18 then
return i18n("flow_risk.ndpi_ssh_obsolete_client_version_or_cipher")
else
return i18n("flow_risk.ndpi_ssh_obsolete_server_version_or_cipher")
end
end
-- #######################################################
return alert_ndpi_ssh_obsolete
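Review bot: `alert_ndpi_ssh_obsolete.format` indexes `alert_type_params["risk_id"]` without the nil guard that `alert_longlived.format` uses (`if not alert_type_params then return res end`), so a call with no params raises instead of returning a message. The literal `18` is a magic number; naming it, e.g. `local NDPI_RISK_SSH_OBSOLETE_CLIENT = 18 -- nDPI risk id for the client-side variant, confirm against the nDPI risk enum` (constructed name), makes the client/server distinction readable at the comparison site.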


@ -0,0 +1,49 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_suspicious_dga_domain = classes.class(alert)
-- ##############################################
alert_ndpi_suspicious_dga_domain.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_suspicious_dga_domain,
i18n_title = "alerts_dashboard.ndpi_suspicious_dga_domain_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_suspicious_dga_domain:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_suspicious_dga_domain.format(ifid, alert, alert_type_params)
if alert_type_params.dga_domain then
return i18n("alert_messages.suspicious_dga_domain", {
domain = alert_type_params["dga_domain"],
})
else
return
end
end
-- #######################################################
return alert_ndpi_suspicious_dga_domain
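Review bot: `alert_type_params.dga_domain` is read without first checking that `alert_type_params` is non-nil (compare `alert_longlived.format`), and the domain is a name observed in DNS traffic, i.e. untrusted input, yet it is substituted into the message with no escaping; `alert_longlived.format` shows these messages are rendered as HTML, so unless `i18n` escapes its substitutions a crafted domain name can inject markup into the alert view. Guard with `if not alert_type_params or not alert_type_params.dga_domain then return end` and pass the domain through the HTML-escape helper the codebase provides before substitution, with a comment such as `-- dga_domain is attacker-controlled DNS data; escape before rendering`.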


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_tls_missing_sni = classes.class(alert)
-- ##############################################
alert_ndpi_tls_missing_sni.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_missing_sni,
i18n_title = "alerts_dashboard.ndpi_tls_missing_sni_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_tls_missing_sni:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_tls_missing_sni.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_tls_missing_sni


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_tls_not_carrying_https = classes.class(alert)
-- ##############################################
alert_ndpi_tls_not_carrying_https.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_not_carrying_https,
i18n_title = "alerts_dashboard.ndpi_tls_not_carrying_https_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_tls_not_carrying_https:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_tls_not_carrying_https.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_tls_not_carrying_https


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_tls_suspicious_esni_usage = classes.class(alert)
-- ##############################################
alert_ndpi_tls_suspicious_esni_usage.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_tls_suspicious_esni_usage,
i18n_title = "alerts_dashboard.ndpi_tls_suspicious_esni_usage_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_tls_suspicious_esni_usage:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_tls_suspicious_esni_usage.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_tls_suspicious_esni_usage


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_unsafe_protocol = classes.class(alert)
-- ##############################################
alert_ndpi_unsafe_protocol.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_unsafe_protocol,
i18n_title = "alerts_dashboard.ndpi_unsafe_protocol_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_unsafe_protocol:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_unsafe_protocol.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_unsafe_protocol


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_url_possible_rce_injection = classes.class(alert)
-- ##############################################
alert_ndpi_url_possible_rce_injection.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_url_possible_rce_injection,
i18n_title = "alerts_dashboard.ndpi_url_possible_rce_injection_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_url_possible_rce_injection:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_url_possible_rce_injection.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_url_possible_rce_injection


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_url_possible_sql_injection = classes.class(alert)
-- ##############################################
alert_ndpi_url_possible_sql_injection.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_url_possible_sql_injection,
i18n_title = "alerts_dashboard.ndpi_url_possible_sql_injection_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_url_possible_sql_injection:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_url_possible_sql_injection.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_url_possible_sql_injection


@ -0,0 +1,43 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_ndpi_url_possible_xss = classes.class(alert)
-- ##############################################
alert_ndpi_url_possible_xss.meta = {
alert_key = flow_alert_keys.flow_alert_ndpi_url_possible_xss,
i18n_title = "alerts_dashboard.ndpi_url_possible_xss_title",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_ndpi_url_possible_xss:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_ndpi_url_possible_xss.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_ndpi_url_possible_xss


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_potentially_dangerous_protocol = classes.class(alert)
-- ##############################################
alert_potentially_dangerous_protocol.meta = {
alert_key = flow_alert_keys.flow_alert_potentially_dangerous,
i18n_title = "flow_details.potentially_dangerous_protocol",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_potentially_dangerous_protocol:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_potentially_dangerous_protocol.format(ifid, alert, alert_type_params)
return i18n("flow_details.potentially_dangerous_protocol")
end
-- #######################################################
return alert_potentially_dangerous_protocol


@ -0,0 +1,51 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
local format_utils = require "format_utils"
local json = require("dkjson")
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_remote_to_local_insecure_proto = classes.class(alert)
-- ##############################################
alert_remote_to_local_insecure_proto.meta = {
alert_key = flow_alert_keys.flow_alert_remote_to_local_insecure_proto,
i18n_title = "alerts_dashboard.remote_to_local_insecure_proto",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param one_flow_param The first alert param
-- @param another_flow_param The second alert param
-- @return A table with the alert built
function alert_remote_to_local_insecure_proto:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_remote_to_local_insecure_proto.format(ifid, alert, alert_type_params)
return i18n("alert_messages.remote_to_local_insecure_proto", {
ndpi_breed = formatBreed(alert_type_params.ndpi_breed_name),
ndpi_category = alert_type_params.ndpi_category_name,
})
end
-- #######################################################
return alert_remote_to_local_insecure_proto
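Review bot: `format_utils` and `json` are required on lines 1483–1484 but never used in this file (the same two unused requires are on lines 1525–1526 of `alert_remote_to_remote`); drop them, since `dkjson` in particular is an import a reader will otherwise go looking for. `format` dereferences `alert_type_params` without the nil guard that `alert_longlived.format` uses, and `formatBreed` is a bare global with no `require` backing it — presumably provided by utilities the caller loads, but a comment such as `-- formatBreed is a global provided by the caller's utility modules` above line 1508 would make that dependency explicit.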


@ -0,0 +1,46 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
local format_utils = require "format_utils"
local json = require("dkjson")
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_remote_to_remote = classes.class(alert)
-- ##############################################
alert_remote_to_remote.meta = {
alert_key = flow_alert_keys.flow_alert_remote_to_remote,
i18n_title = "alerts_dashboard.remote_to_remote",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_remote_to_remote:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_remote_to_remote.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_remote_to_remote


@ -0,0 +1,69 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_suspicious_file_transfer = classes.class(alert)
-- ##############################################
alert_suspicious_file_transfer.meta = {
alert_key = flow_alert_keys.flow_alert_suspicious_file_transfer,
i18n_title = "alerts_dashboard.suspicious_file_transfer",
icon = "fas fa-file-download",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param one_flow_param The first alert param
-- @param another_flow_param The second alert param
-- @return A table with the alert built
function alert_suspicious_file_transfer:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_suspicious_file_transfer.format(ifid, alert, alert_type_params)
local res = i18n("alerts_dashboard.suspicious_file_transfer")
if alert_type_params and alert_type_params["protos.http.last_url"] then
local type_icon = ''
local extn = alert_type_params["protos.http.last_url"]:sub(-4):lower()
if extn == ".php" or extn == ".js" or extn == ".html" or extn == ".xml" or extn == ".cgi" then
type_icon = '<i class="fas fa-file-code"></i>'
elseif extn == ".png" or extn == ".jpg" then
type_icon = '<i class="fas fa-file-image"></i>'
end
res = i18n("alerts_dashboard.suspicious_file_transfer_url",
{url = shortenString(alert_type_params["protos.http.last_url"], 64),
type_icon = type_icon})
end
return res
end
-- #######################################################
return alert_suspicious_file_transfer
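Review bot: The extension check on lines 1593–1594 takes the last four bytes of the URL, so `.js` (three characters) and `.html` (five) can never match and such URLs fall through with no icon; `local extn = (alert_type_params["protos.http.last_url"]:match("(%.%w+)$") or ""):lower()` compares the actual trailing extension instead. The URL is HTTP data observed on the wire, i.e. untrusted input, and it is substituted into a message that already carries raw `<i>` markup, so unless `i18n` escapes substitutions it should be HTML-escaped before `shortenString`; a comment `-- last_url is untrusted network data; escape before rendering` on line 1591 would record that expectation.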


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_suspicious_tcp_probing = classes.class(alert)
-- ##############################################
alert_suspicious_tcp_probing.meta = {
alert_key = flow_alert_keys.flow_alert_suspicious_tcp_probing,
i18n_title = "flow_details.suspicious_tcp_probing",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_suspicious_tcp_probing:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_suspicious_tcp_probing.format(ifid, alert, alert_type_params)
return i18n("flow_details.suspicious_tcp_probing")
end
-- #######################################################
return alert_suspicious_tcp_probing


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_suspicious_tcp_syn_probing = classes.class(alert)
-- ##############################################
alert_suspicious_tcp_syn_probing.meta = {
alert_key = flow_alert_keys.flow_alert_suspicious_tcp_syn_probing,
i18n_title = "flow_details.suspicious_tcp_syn_probing",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_suspicious_tcp_syn_probing:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_suspicious_tcp_syn_probing.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_suspicious_tcp_syn_probing
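Review bot: `alert_suspicious_tcp_syn_probing.format` returns no value (its only body line is a bare `return`) while the docblock directly above promises a human-readable string; a caller that feeds the result to `string.format("%s", ...)` or `..` gets a "no value"/nil error instead of an empty description. The sibling `alert_suspicious_tcp_probing.format` returns `i18n("flow_details.suspicious_tcp_probing")`, so `return i18n("flow_details.suspicious_tcp_syn_probing")` (the key this module already uses as `i18n_title`) or at least `return ""` would honour the documented contract. The same bare `return` is in `alert_tcp_connection_refused.format` and `alert_tls_unsafe_ciphers.format`, and `alert_web_mining.format` has an empty body, which likewise returns nothing.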


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_tcp_connection_refused = classes.class(alert)
-- ##############################################
alert_tcp_connection_refused.meta = {
alert_key = flow_alert_keys.flow_alert_tcp_connection_refused,
i18n_title = "flow_callbacks_config.tcp_connection_refused",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_tcp_connection_refused:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_tcp_connection_refused.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_tcp_connection_refused


@ -0,0 +1,59 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_tls_certificate_expired = classes.class(alert)
-- ##############################################
alert_tls_certificate_expired.meta = {
alert_key = flow_alert_keys.flow_alert_tls_certificate_expired,
i18n_title = "flow_details.tls_certificate_expired",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param tls_info A lua table with TLS info gererated calling `flow.getTLSInfo()`
-- @return A table with the alert built
function alert_tls_certificate_expired:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_tls_certificate_expired.format(ifid, alert, alert_type_params)
if not alert_type_params then
return
end
local crts = {}
if alert_type_params["protos.tls.notBefore"] and alert_type_params["protos.tls.notAfter"] then
crts[#crts + 1] = formatEpoch(alert_type_params["protos.tls.notBefore"])
crts[#crts + 1] = formatEpoch(alert_type_params["protos.tls.notAfter"])
return string.format("[%s]", table.concat(crts, " - "))
else
return ""
end
end
-- #######################################################
return alert_tls_certificate_expired
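Review bot: The `init` docblock documents a `tls_info` parameter that `alert_tls_certificate_expired:init()` does not accept and promises a returned table although the method returns nothing, so those `@param`/`@return` lines are stale and should be dropped. The same stale lines appear in tls_certificate_mismatch and tls_certificate_selfsigned (`tls_info`), tls_old_protocol_version (`tls_version`), and as `one_flow_param`/`another_flow_param` in unexpected_dhcp_server, unexpected_dns_server, unexpected_ntp_server, web_mining and zero_tcp_window. Separately, `format` returns nothing when `alert_type_params` is nil but `""` when the two `protos.tls.*` keys are absent; returning `""` in both cases gives callers a single type to handle.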


@ -0,0 +1,61 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_tls_certificate_mismatch = classes.class(alert)
-- ##############################################
alert_tls_certificate_mismatch.meta = {
alert_key = flow_alert_keys.flow_alert_tls_certificate_mismatch,
i18n_title = "flow_details.tls_certificate_mismatch",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param tls_info A lua table with TLS info gererated calling `flow.getTLSInfo()`
-- @return A table with the alert built
function alert_tls_certificate_mismatch:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_tls_certificate_mismatch.format(ifid, alert, alert_type_params)
if not alert_type_params then
return
end
local crts = {}
if not isEmptyString(alert_type_params["tls_crt.cli"]) then
crts[#crts + 1] = string.format("[%s: %s]", i18n("flow_details.client_requested"), alert_type_params["tls_crt.cli"]:gsub(",", ", "))
end
if not isEmptyString(alert_type_params["tls_crt.srv"]) then
crts[#crts + 1] = string.format("[%s: %s]", i18n("flow_details.tls_server_names"), alert_type_params["tls_crt.srv"]:gsub(",", ", "))
end
return string.format("%s", table.concat(crts, " "))
end
-- #######################################################
return alert_tls_certificate_mismatch
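Review bot: `gsub` returns two values (the new string and the substitution count), and because it is the last argument in the two `crts[#crts + 1] = string.format(...)` lines both values are passed to `string.format`, which silently ignores the extra one; wrapping the call, `(alert_type_params["tls_crt.cli"]:gsub(",", ", "))`, truncates it to one value and makes the intent explicit. Both fields appear to come from the peer's TLS handshake (the i18n keys read "client requested" and "server names"), so they are remote-controlled text; whichever layer renders this string into HTML needs to escape it there, and the same holds for the DN fields in tls_certificate_selfsigned. `string.format("%s", table.concat(crts, " "))` is just `table.concat(crts, " ")`.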


@ -0,0 +1,63 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_tls_certificate_selfsigned = classes.class(alert)
-- ##############################################
alert_tls_certificate_selfsigned.meta = {
alert_key = flow_alert_keys.flow_alert_tls_certificate_selfsigned,
i18n_title = "flow_details.tls_certificate_selfsigned",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param tls_info A lua table with TLS info gererated calling `flow.getTLSInfo()`
-- @return A table with the alert built
function alert_tls_certificate_selfsigned:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_tls_certificate_selfsigned.format(ifid, alert, alert_type_params)
if not alert_type_params then
return
end
local crts = {}
crts[#crts + 1] = alert_type_params["tls_crt.issuerDN"]
if alert_type_params["protos.tls.issuerDN"] then
crts[#crts + 1] = "Issuer: "..alert_type_params["protos.tls.issuerDN"]
end
if alert_type_params["protos.tls.subjectDN"] then
crts[#crts + 1] = "Subject: "..alert_type_params["protos.tls.subjectDN"]
end
return string.format("%s", table.concat(crts, " / "))
end
-- #######################################################
return alert_tls_certificate_selfsigned
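Review bot: The issuer is read under two different keys: `alert_type_params["tls_crt.issuerDN"]` is appended unconditionally, then `protos.tls.issuerDN` is appended again with an `Issuer: ` prefix, so when both keys are populated the issuer is printed twice, and when only one naming scheme is current the other line is dead; tls_certificate_expired uses the `protos.tls.*` scheme, which suggests dropping the `tls_crt.issuerDN` line. The `"Issuer: "` and `"Subject: "` prefixes are hard-coded English while tls_certificate_mismatch labels its parts through `i18n(...)`. `string.format("%s", table.concat(crts, " / "))` can be just `table.concat(crts, " / ")`.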


@ -0,0 +1,60 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_tls_old_protocol_version = classes.class(alert)
-- ##############################################
alert_tls_old_protocol_version.meta = {
alert_key = flow_alert_keys.flow_alert_tls_old_protocol_version,
i18n_title = "flow_details.tls_old_protocol_version",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param tls_version A number indicating the TLS version detected, or nil when version is not available
-- @return A table with the alert built
function alert_tls_old_protocol_version:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_tls_old_protocol_version.format(ifid, alert, alert_type_params)
local msg = ""
if(alert_type_params and alert_type_params.tls_version) then
local ver_str = ntop.getTLSVersionName(alert_type_params.tls_version)
if(ver_str == nil) then
ver_str = string.format("%u", alert_type_params.tls_version)
end
msg = msg .. " (" .. ver_str .. ")"
end
return(msg)
end
-- #######################################################
return alert_tls_old_protocol_version
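Review bot: `msg` is initialised to `""` and the only thing ever appended is `" (" .. ver_str .. ")"`, so the returned string always starts with a space; if it is meant to be glued onto the title by the caller, a comment saying so would help, otherwise the leading space is stray and `msg = "(" .. ver_str .. ")"` is what is wanted. The fallback `string.format("%u", alert_type_params.tls_version)` presumably assumes a numeric version; the outer `if` covers the nil case noted in the docblock, but a non-numeric value would raise here rather than be reported.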


@ -0,0 +1,47 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_tls_unsafe_ciphers = classes.class(alert)
-- ##############################################
alert_tls_unsafe_ciphers.meta = {
alert_key = flow_alert_keys.flow_alert_tls_unsafe_ciphers,
i18n_title = "flow_details.tls_unsafe_ciphers",
icon = "fas fa-exclamation",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_tls_unsafe_ciphers:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_tls_unsafe_ciphers.format(ifid, alert, alert_type_params)
return
end
-- #######################################################
return alert_tls_unsafe_ciphers


@ -0,0 +1,39 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_udp_unidirectional = classes.class(alert)
-- ##############################################
alert_udp_unidirectional.meta = {
alert_key = flow_alert_keys.flow_alert_udp_unidirectional,
i18n_title = "flow_details.udp_unidirectional",
icon = "fas fa-info-circle",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @return A table with the alert built
function alert_udp_unidirectional:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
return alert_udp_unidirectional
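Review bot: The `package.path = dirs.installdir .. ...` assignment comes after `require "flow_alert_keys"` has already resolved, so it is either unnecessary or too late for that require; none of the sibling alert modules in this commit do this, and mutating the global `package.path` on every module load prepends the same directory once per file. Either drop the line or, if this module can be loaded before the path is set up, move it above the first `require`. The module also defines no `format`, unlike its siblings; if the base `alert` class supplies a default, a one-line comment saying so would save the next reader a lookup.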


@ -0,0 +1,51 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_unexpected_dhcp_server = classes.class(alert)
-- ##############################################
alert_unexpected_dhcp_server.meta = {
alert_key = flow_alert_keys.flow_alert_unexpected_dhcp_server,
i18n_title = "unexpected_dhcp.alert_unexpected_dhcp_title",
icon = "fas fa-exclamation",
has_victim = true,
has_attacker = true,
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param one_flow_param The first alert param
-- @param another_flow_param The second alert param
-- @return A table with the alert built
function alert_unexpected_dhcp_server:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_unexpected_dhcp_server.format(ifid, alert, alert_type_params)
return(i18n("unexpected_dhcp.status_unexpected_dhcp_description", { server=alert_type_params.server_ip} ))
end
-- #######################################################
return alert_unexpected_dhcp_server
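Review bot: `alert_type_params.server_ip` is indexed without checking that `alert_type_params` is non-nil, whereas the TLS alerts in this commit guard with `if not alert_type_params then return end`; a nil table here raises "attempt to index a nil value" inside alert formatting. `{ server = alert_type_params and alert_type_params.server_ip }` (or the same guard the siblings use) keeps formatting from failing. The same unguarded access is in `alert_unexpected_dns_server.format`, `alert_unexpected_ntp_server.format` and `alert_unexpected_smtp_server.format`.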


@ -0,0 +1,51 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_unexpected_dns_server = classes.class(alert)
-- ##############################################
alert_unexpected_dns_server.meta = {
alert_key = flow_alert_keys.flow_alert_unexpected_dns_server,
i18n_title = "unexpected_dns.alert_unexpected_dns_title",
icon = "fas fa-exclamation",
has_victim = true,
has_attacker = true,
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param one_flow_param The first alert param
-- @param another_flow_param The second alert param
-- @return A table with the alert built
function alert_unexpected_dns_server:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_unexpected_dns_server.format(ifid, alert, alert_type_params)
return(i18n("unexpected_dns.status_unexpected_dns_description", { server=alert_type_params.server_ip} ))
end
-- #######################################################
return alert_unexpected_dns_server


@ -0,0 +1,51 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_unexpected_ntp_server = classes.class(alert)
-- ##############################################
alert_unexpected_ntp_server.meta = {
alert_key = flow_alert_keys.flow_alert_unexpected_ntp_server,
i18n_title = "unexpected_ntp.alert_unexpected_ntp_title",
icon = "fas fa-exclamation",
has_victim = true,
has_attacker = true,
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param one_flow_param The first alert param
-- @param another_flow_param The second alert param
-- @return A table with the alert built
function alert_unexpected_ntp_server:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_unexpected_ntp_server.format(ifid, alert, alert_type_params)
return(i18n("unexpected_ntp.status_unexpected_ntp_description", { server=alert_type_params.server_ip} ))
end
-- #######################################################
return alert_unexpected_ntp_server


@ -0,0 +1,42 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_unexpected_smtp_server = classes.class(alert)
-- ##############################################
alert_unexpected_smtp_server.meta = {
alert_key = flow_alert_keys.flow_alert_unexpected_smtp_server,
i18n_title = "unexpected_smtp.alert_unexpected_smtp_title",
icon = "fas fa-exclamation",
has_victim = true,
has_attacker = true,
}
-- ##############################################
function alert_unexpected_smtp_server:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_unexpected_smtp_server.format(ifid, alert, alert_type_params)
return(i18n("unexpected_smtp.status_unexpected_smtp_description", { server=alert_type_params.server_ip} ))
end
-- #######################################################
return alert_unexpected_smtp_server
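Review bot: `init` and `format` carry no LDoc blocks, while every sibling module in this commit (e.g. `alert_unexpected_ntp_server`) documents both with `@brief`/`@param`/`@return` lines; add the same two blocks here, with the `@param` lines limited to what the signatures actually take, so the module reads like the rest.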


@ -0,0 +1,48 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_web_mining = classes.class(alert)
-- ##############################################
alert_web_mining.meta = {
alert_key = flow_alert_keys.flow_alert_web_mining,
i18n_title = "alerts_dashboard.web_mining",
icon = "fab fa-bitcoin",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param one_flow_param The first alert param
-- @param another_flow_param The second alert param
-- @return A table with the alert built
function alert_web_mining:init()
-- Call the parent constructor
self.super:init()
end
-- #######################################################
function alert_web_mining.format(ifid, alert, alert_type_params)
end
-- #######################################################
return alert_web_mining
--
-- (C) 2019-20 - ntop.


@ -0,0 +1,49 @@
--
-- (C) 2019-21 - ntop.org
--
-- ##############################################
local flow_alert_keys = require "flow_alert_keys"
-- Import the classes library.
local classes = require "classes"
-- Make sure to import the Superclass!
local alert = require "alert"
-- ##############################################
local alert_zero_tcp_window = classes.class(alert)
-- ##############################################
alert_zero_tcp_window.meta = {
alert_key = flow_alert_keys.flow_alert_zero_tcp_window,
i18n_title = "zero_tcp_window.zero_tcp_window_title",
icon = "fas fa-arrow-circle-up",
}
-- ##############################################
-- @brief Prepare an alert table used to generate the alert
-- @param one_flow_param The first alert param
-- @param another_flow_param The second alert param
-- @return A table with the alert built
function alert_zero_tcp_window:init(is_client, is_server)
-- Call the parent constructor
self.super:init()
end
-- #######################################################
-- @brief Format an alert into a human-readable string
-- @param ifid The integer interface id of the generated alert
-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
-- @return A human-readable string
function alert_zero_tcp_window.format(ifid, alert, alert_type_params)
return i18n("zero_tcp_window.status_zero_tcp_window_description")
end
-- #######################################################
return alert_zero_tcp_window
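Review bot: `alert_zero_tcp_window:init(is_client, is_server)` declares two parameters that are never used and are not forwarded to `self.super:init()`, and the docblock names them `one_flow_param`/`another_flow_param`; either they are dead and the signature should be `init()` like the siblings, or the superclass expects them and the call should pass them on. A one-line comment on the intended meaning of those flags (presumably which side of the flow advertised the zero window — confirm) would settle it.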