Added unexpected DNS plugin

2026-05-05 10:41:34 +00:00 · 2020-10-09 16:29:13 +02:00 · 2020-10-09 16:29:13 +02:00 · cff77b49cf
commit cff77b49cf
parent 16c7ed657b
5 changed files with 141 additions and 0 deletions
--- a/scripts/plugins/alerts/security/unexpected_dns/alert_definitions/alert_unexpected_dns.lua
+++ b/scripts/plugins/alerts/security/unexpected_dns/alert_definitions/alert_unexpected_dns.lua
@ -0,0 +1,21 @@
+local alert_keys = require "alert_keys"
+
+-- #################################################
+
+local function createUnexpectedDNS(alert_severity, dns_info)
+    local built = {
+        alert_severity= alert_severity,
+        alert_type_params = dns_info 
+    }
+
+    return built
+end
+
+-- #################################################
+
+return {
+    alert_key = alert_keys.ntopng.alert_unexpected_dns_server,
+    i18n_title = "unexpected_dns.alert_unexpected_dns_title",
+    icon = "fas fa-exclamation",
+    creator = createUnexpectedDNS,
+}
--- a/scripts/plugins/alerts/security/unexpected_dns/locales/en.lua
+++ b/scripts/plugins/alerts/security/unexpected_dns/locales/en.lua
@ -0,0 +1,21 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+return {
+   unexpected_dns_description = "Trigger an alert when not allowed DNS server is detected",
+   unexpected_dns_title = "Unexpected DNS",
+
+-- ####################### Input builder strings
+
+   title = "Allowed DNS",
+   description = "Comma separated values of DNS IP. Example: 8.8.8.8,8.8.4.4,1.1.1.1",
+
+-- ####################### Status strings
+
+    status_unexpected_dns_description = "Unexpected DNS server found:",
+
+-- ####################### Alert strings
+
+   alert_unexpected_dns_title = "Unexpected DNS found"
+}
--- a/scripts/plugins/alerts/security/unexpected_dns/manifest.lua
+++ b/scripts/plugins/alerts/security/unexpected_dns/manifest.lua
@ -0,0 +1,14 @@
+--
+-- (C) 2019-20 - ntop.org
+--
+
+return {
+  --[[ i18n function is currently not available in manifest.lua
+    title = i18n("unexpected_dns.unexpected_dns_title"),
+  description = i18n("unexpected_dns.unexpected_dns_description"), --]]
+
+  title = "Unexpected DNS",
+  description = "Trigger an alert when not allowed DNS server is detected",
+  author = "Daniele Zulberti, Luca Argentieri",
+  dependencies = {},
+}
--- a/scripts/plugins/alerts/security/unexpected_dns/status_definitions/status_unexpected_dns.lua
+++ b/scripts/plugins/alerts/security/unexpected_dns/status_definitions/status_unexpected_dns.lua
@ -0,0 +1,10 @@
+local alert_consts = require("alert_consts")
+local status_keys = require "flow_keys"
+
+return {
+    status_key = status_keys.ntopng.status_unexpected_dns_server,
+    alert_severity = alert_consts.alert_severities.error,
+    alert_type = alert_consts.alert_types.alert_unexpected_dns,
+    i18n_title = "unexpected_dns.unexpected_dns_title",
+    i18n_description = "unexpected_dns.status_unexpected_dns_description",
+}
--- a/scripts/plugins/alerts/security/unexpected_dns/user_scripts/flow/unexpected_dns.lua
+++ b/scripts/plugins/alerts/security/unexpected_dns/user_scripts/flow/unexpected_dns.lua
@ -0,0 +1,75 @@
+--
+-- (C) 2019-20 - ntop.org
+--
+
+local user_scripts = require("user_scripts")
+local flow_consts = require("flow_consts")
+
+-- #################################################################
+
+local script = {
+   -- Script category
+   category = user_scripts.script_categories.security, 
+
+   -- Priority
+   prio = -20, -- Lower priority (executed after) than default 0 priority
+
+   -- NOTE: hooks defined below
+   hooks = {},
+
+   -- use this plugin only with this protocol
+   l7_proto_id = 5, -- 5 == DNS
+
+   -- Specify the default value whe clicking on the "Reset Default" button
+   default_value = {
+      items = {},
+   },
+
+  
+   -- The frequency for the periodicUpdate hook invocation. Must be
+   -- multiple of 30 seconds.
+   periodic_update_seconds = 30,
+
+   gui = {
+      i18n_title        = "unexpected_dns.unexpected_dns_title",
+      i18n_description  = "unexpected_dns.unexpected_dns_description",
+
+      input_builder     = "items_list",
+      item_list_type    = "string",
+      input_title       = i18n("unexpected_dns.title"),
+      input_description = i18n("unexpected_dns.description"),
+   }
+}
+
+-- #################################################################
+
+function script.hooks.protocolDetected(now, conf)
+   ok = 0
+   server_ip =  flow.getServerKey()
+
+   -- the fortmat of the string returned by flow.geServerKey() is "x.x.x.x@0", :sub(1, -3) deletes "@0"
+   server_ip = server_ip:sub(1, -3)
+
+   for _, dns_ip in pairs(conf.items or script.default_value.items) do
+       if server_ip == dns_ip then
+           ok = 1
+       end
+   end
+
+   if ok == 0 then
+          flow.triggerStatus(
+              flow_consts.status_types.status_unexpected_dns.create(
+                  flow_consts.status_types.status_unexpected_dns.alert_severity,
+                  server_ip
+              ),
+              100, -- flow_score
+              0, -- cli_score
+              100 --srv_score
+          )
+   end
+
+end
+
+-- #################################################################
+
+return script