Added unexpected SMTP plugin

2026-05-03 09:20:10 +00:00 · 2020-10-09 16:30:02 +02:00 · 2020-10-09 16:30:02 +02:00 · d74caa9d2b
commit d74caa9d2b
parent cff77b49cf
5 changed files with 141 additions and 0 deletions
--- a/scripts/plugins/alerts/security/unexpected_smtp/alert_definitions/alert_unexpected_smtp.lua
+++ b/scripts/plugins/alerts/security/unexpected_smtp/alert_definitions/alert_unexpected_smtp.lua
@ -0,0 +1,21 @@
+local alert_keys = require "alert_keys"
+
+-- #################################################
+
+local function createUnexpectedSMTP(alert_severity, smtp_info)
+    local built = {
+        alert_severity= alert_severity,
+        alert_type_params = smtp_info 
+    }
+
+    return built
+end
+
+-- #################################################
+
+return {
+    alert_key = alert_keys.ntopng.alert_unexpected_smtp_server,
+    i18n_title = "unexpected_smtp.alert_unexpected_smtp_title",
+    icon = "fas fa-exclamation",
+    creator = createUnexpectedSMTP,
+}
--- a/scripts/plugins/alerts/security/unexpected_smtp/locales/en.lua
+++ b/scripts/plugins/alerts/security/unexpected_smtp/locales/en.lua
@ -0,0 +1,21 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+return {
+   unexpected_smtp_description = "Trigger an alert when not allowed SMTP server is detected",
+   unexpected_smtp_title = "Unexpected SMTP server",
+
+-- ####################### Input builder strings
+
+   title = "Allowed SMTP servers",
+   description = "Comma separated values of SMTP servers IPs. Example: 173.194.76.109,52.97.232.242",
+
+-- ####################### Status strings
+
+    status_unexpected_smtp_description = "Unexpected SMTP server found:",
+
+-- ####################### Alert strings
+
+   alert_unexpected_smtp_title = "Unexpected SMTP server found"
+}
--- a/scripts/plugins/alerts/security/unexpected_smtp/manifest.lua
+++ b/scripts/plugins/alerts/security/unexpected_smtp/manifest.lua
@ -0,0 +1,14 @@
+--
+-- (C) 2019-20 - ntop.org
+--
+
+return {
+  --[[ i18n function is currently not available in manifest.lua
+    title = i18n("unexpected_smtp.unexpected_smtp_title"),
+  description = i18n("unexpected_smtp.unexpected_smtp_description"), --]]
+  
+  title = "Unexpected SMTP server",
+  description = "Trigger an alert when not allowed SMTP server is detected",
+  author = "Daniele Zulberti, Luca Argentieri",
+  dependencies = {},
+}
--- a/scripts/plugins/alerts/security/unexpected_smtp/status_definitions/status_unexpected_smtp.lua
+++ b/scripts/plugins/alerts/security/unexpected_smtp/status_definitions/status_unexpected_smtp.lua
@ -0,0 +1,10 @@
+local alert_consts = require("alert_consts")
+local status_keys = require "flow_keys"
+
+return {
+    status_key = status_keys.ntopng.status_unexpected_smtp_server,
+    alert_severity = alert_consts.alert_severities.error,
+    alert_type = alert_consts.alert_types.alert_unexpected_smtp,
+    i18n_title = "unexpected_smtp.unexpected_smtp_title",
+    i18n_description = "unexpected_smtp.status_unexpected_smtp_description",
+}
--- a/scripts/plugins/alerts/security/unexpected_smtp/user_scripts/flow/unexpected_smtp.lua
+++ b/scripts/plugins/alerts/security/unexpected_smtp/user_scripts/flow/unexpected_smtp.lua
@ -0,0 +1,75 @@
+--
+-- (C) 2019-20 - ntop.org
+--
+
+local user_scripts = require("user_scripts")
+local flow_consts = require("flow_consts")
+
+-- #################################################################
+
+local script = {
+   -- Script category
+   category = user_scripts.script_categories.security, 
+
+   -- Priority
+   prio = -20, -- Lower priority (executed after) than default 0 priority
+
+   -- NOTE: hooks defined below
+   hooks = {},
+
+   -- use this plugin only with this protocol
+   l7_proto_id = 3, -- 3 == SMTP
+
+   -- Specify the default value whe clicking on the "Reset Default" button
+   default_value = {
+      items = {},
+   },
+
+  
+   -- The frequency for the periodicUpdate hook invocation. Must be
+   -- multiple of 30 seconds.
+   periodic_update_seconds = 30,
+
+   gui = {
+      i18n_title        = "unexpected_smtp.unexpected_smtp_title",
+      i18n_description  = "unexpected_smtp.unexpected_smtp_description",
+
+      input_builder     = "items_list",
+      item_list_type    = "string",
+      input_title       = i18n("unexpected_smtp.title"),
+      input_description = i18n("unexpected_smtp.description"),
+   }
+}
+
+-- #################################################################
+
+function script.hooks.protocolDetected(now, conf)
+   ok = 0
+   server_ip =  flow.getServerKey()
+
+   -- the fortmat of the string returned by flow.geServerKey() is "x.x.x.x@0", :sub(1, -3) deletes "@0"
+   server_ip = server_ip:sub(1, -3)
+
+   for _, smtp_ip in pairs(conf.items or script.default_value.items) do
+       if server_ip == smtp_ip then
+           ok = 1
+       end
+   end
+
+   if ok == 0 then
+          flow.triggerStatus(
+              flow_consts.status_types.status_unexpected_smtp.create(
+                  flow_consts.status_types.status_unexpected_smtp.alert_severity,
+                  server_ip
+              ),
+              100, -- flow_score
+              0, -- cli_score
+              100 --srv_score
+          )
+   end
+
+end
+
+-- #################################################################
+
+return script