vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-05-22 10:45:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Host.cpp: generate alerts for local hosts only

Browse source 
This commit lets alerts be generated only for local hosts and not
for remote hosts. When a remote host can be mentioned in an alert
because it holds a relevant role in it (e.g. it is an attacker
of a local host) it is mentioned but not specific alert is generated
for it. This addresses issue #3.
This commit is contained in:
Arianna Avanzini 2015-05-06 23:36:53 +02:00
parent 772de2ab20
commit d1ccd40cb8
1 changed files with 24 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

30
src/Host.cpp
View file

@ -951,6 +951,8 @@ bool Host::deserialize(char *json_str) {
/* *************************************** */
void Host::updateSynFlags(time_t when, u_int8_t flags, Flow *f, bool syn_sent) {
if (!localHost) return; /* don't print alerts for remote hosts */
AlertCounter *counter = syn_sent ? syn_flood_attacker_alert : syn_flood_victim_alert;
if(counter->incHits(when)) {
@ -968,17 +970,27 @@ void Host::updateSynFlags(time_t when, u_int8_t flags, Flow *f, bool syn_sent) {
h = ip->print(ip_buf, sizeof(ip_buf));
if(syn_sent)
if(syn_sent) {
error_msg = "Host <A HREF=%s/lua/host_details.lua?host=%s&ifname=%s>%s</A> is a SYN flooder [%u SYNs sent in the last %u sec] %s";
else
error_msg = "Host <A HREF=%s/lua/host_details.lua?host=%s&ifname=%s>%s</A> is under SYN flood attack [%u SYNs received in the last %u sec] %s";
snprintf(msg, sizeof(msg),
snprintf(msg, sizeof(msg),
error_msg, ntop->getPrefs()->get_http_prefix(),
h, iface->get_name(), h,
counter->getCurrentHits(),
counter->getOverThresholdDuration(),
f->print(flow_buf, sizeof(flow_buf)));
} else {
Host *attacker = f->get_srv_host();
IpAddress *aip = attacker->get_ip();
char aip_buf[48], *aip_ptr;
aip_ptr = aip->print(aip_buf, sizeof(aip_buf));
error_msg = "Host <A HREF=%s/lua/host_details.lua?host=%s&ifname=%s>%s</A> is under SYN flood attack by host %s [%u SYNs received in the last %u sec] %s";
snprintf(msg, sizeof(msg),
error_msg, ntop->getPrefs()->get_http_prefix(),
h, iface->get_name(), h, aip_ptr,
counter->getCurrentHits(),
counter->getOverThresholdDuration(),
f->print(flow_buf, sizeof(flow_buf)));
}
ntop->getTrace()->traceEvent(TRACE_INFO, "SYN Flood: %s", msg);
ntop->getRedis()->queueAlert(alert_level_error, alert_syn_flood, msg);
@ -989,6 +1001,8 @@ void Host::updateSynFlags(time_t when, u_int8_t flags, Flow *f, bool syn_sent) {
/* *************************************** */
void Host::incNumFlows(bool as_client) {
if (!localHost) return; /* don't print alerts for remote hosts */
if(as_client) {
total_num_flows_as_client++, num_active_flows_as_client++;
@ -1010,7 +1024,7 @@ void Host::incNumFlows(bool as_client) {
total_num_flows_as_server++, num_active_flows_as_server++;
if(num_active_flows_as_server == ntop->getPrefs()->get_host_max_active_flows()) {
const char* error_msg = "Host <A HREF=%s/lua/host_details.lua?host=%s&ifname=%s>%s</A> is a possibly under scan attack [%u active flows]";
const char* error_msg = "Host <A HREF=%s/lua/host_details.lua?host=%s&ifname=%s>%s</A> is a possibly under scan attack by %s [%u active flows]";
char ip_buf[48], *h, msg[512];
h = ip->print(ip_buf, sizeof(ip_buf));
@ -1029,6 +1043,8 @@ void Host::incNumFlows(bool as_client) {
/* *************************************** */
void Host::decNumFlows(bool as_client) {
if (!localHost) return; /* don't print alerts for remote hosts */
if(as_client) {
if(num_active_flows_as_client) {
num_active_flows_as_client--;
@ -1094,6 +1110,8 @@ bool Host::isAboveQuota() {
}
void Host::updateStats(struct timeval *tv) {
if (!localHost) return; /* don't print alerts for remote hosts */
((GenericHost*)this)->updateStats(tv);
if(http) http->updateStats(tv);