Added the ability to set custom alert score
This commit is contained in:
parent
7078912d43
commit
ddd449ea90
75 changed files with 1586 additions and 1600 deletions
@ -63,6 +63,7 @@ class Flow : public GenericHashEntry {
|
|||
predominant of a flow, which is written into `predominant_alert`.
|
||||
*/
|
||||
Bitmap128 alerts_map;
|
||||
std::unordered_map<FlowAlertTypeEnum,u_int16_t /* score */> alert_score;
|
||||
FlowAlertType predominant_alert; /* This is the predominant alert */
|
||||
u_int16_t predominant_alert_score; /* The score associated to the predominant alert */
|
||||
FlowSource flow_source;
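Review bot: The new `alert_score` map stores `u_int16_t` values, while the per-alert score this commit introduces on the alert side (`FlowAlert::alert_score` and `getAlertScore()`) is `u_int8_t`; if the map holds the raw alert score its value type should match, and if it holds a derived value the bare `/* score */` comment should say so, e.g. `/* Score recorded per raised alert type; the highest is mirrored in predominant_alert_score */` adjusted to what Flow.cpp (suppressed in this view) actually writes. Since `alerts_map` is a `Bitmap128`, alert types are bounded to 128 entries, so a fixed-size array indexed by `FlowAlertTypeEnum` would avoid a heap-allocated node per raised alert on every `Flow`; worth measuring before settling on `std::unordered_map`. The `Flow` class continues outside this hunk.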
@ -30,7 +30,8 @@ class FlowAlert {
|
|||
std::string check_name;
|
||||
bool cli_attacker, srv_attacker;
|
||||
bool cli_victim, srv_victim;
|
||||
|
||||
u_int8_t alert_score;
|
||||
|
||||
/*
|
||||
Adds to the passed `serializer` (generated with `getAlertSerializer`)
|
||||
information specific to this alert
@ -55,8 +56,9 @@ class FlowAlert {
|
|||
inline bool isSrvVictim() { return srv_victim; }
|
||||
|
||||
virtual FlowAlertType getAlertType() const = 0;
|
||||
virtual u_int8_t getAlertScore() const { return SCORE_LEVEL_INFO; };
|
||||
|
||||
u_int8_t getAlertScore() const { return alert_score; };
|
||||
void setAlertScore(u_int8_t value) { alert_score = value; };
|
||||
|
||||
/* false = alert that requires attention, true = not important (auto ack) */
|
||||
virtual bool autoAck() const { return true; };
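Review bot: `getAlertScore()` loses its `virtual` here, so any derived class outside this commit that still declares `u_int8_t getAlertScore() const` now hides the base method instead of overriding it, and a call through a `FlowAlert*` silently returns the stored `alert_score` rather than the derived value; either keep it `virtual` or state the new contract next to the accessors, e.g. `/* Score is per-instance: set by the concrete alert (or its check) via setAlertScore(); FlowAlert's constructor defaults it to SCORE_LEVEL_INFO */`. The `u_int8_t alert_score;` member added in the first hunk of this file has no in-class initializer and depends on the constructor in FlowAlert.cpp; `u_int8_t alert_score = SCORE_LEVEL_INFO;` would make the default visible where the member is declared. `FlowAlert` continues outside this hunk.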
@ -55,7 +55,7 @@ class FlowCheck : public Check {
|
|||
|
||||
virtual std::string getName() const = 0;
|
||||
|
||||
static void computeCliSrvScore(FlowAlertType alert_type,
|
||||
static void computeCliSrvScore(u_int8_t alert_score,
|
||||
risk_percentage cli_pctg, u_int8_t *cli_score,
|
||||
u_int8_t *srv_score);
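Review bot: The first parameter of `computeCliSrvScore` changes meaning from an alert type to a score value, and if `FlowAlertTypeEnum` is an unscoped enum (it is used as a plain map key elsewhere in this commit) a stale caller that still passes an enumerator will convert to `u_int8_t` without a diagnostic and be treated as a score; the declaration should at least document the new contract, e.g. `/* Splits alert_score between client and server according to cli_pctg; cli_score and srv_score are out-parameters */`. The definition is outside this hunk, so whether NULL out-pointers are tolerated cannot be confirmed here; the comment should state whichever is the case.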
@ -32,7 +32,7 @@ class BlacklistedClientContactAlert : public FlowAlert {
|
|||
static FlowAlertType getClassType() {
|
||||
return {flow_alert_blacklisted_client_contact, alert_category_security};
|
||||
}
|
||||
static u_int8_t getDefaultScore() { return SCORE_LEVEL_NOTICE; };
|
||||
static u_int8_t getDefaultScore() { return SCORE_LEVEL_WARNING; };
|
||||
|
||||
BlacklistedClientContactAlert(FlowCheck* c, Flow* f) : FlowAlert(c, f) {};
|
||||
~BlacklistedClientContactAlert(){};
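Review bot: The default score moves from `SCORE_LEVEL_NOTICE` to `SCORE_LEVEL_WARNING`, but the constructor `BlacklistedClientContactAlert(FlowCheck* c, Flow* f) : FlowAlert(c, f) {};` does not call `setAlertScore(getDefaultScore())` the way the FlowRisk*Alert constructors in this commit do; with `FlowAlert::getAlertScore()` now returning the stored member, this alert reports the base default `SCORE_LEVEL_INFO` unless the blacklist check sets the score explicitly, which is not visible in this view. If the check does set it, a comment on the constructor saying so would stop the next reader from "fixing" it; otherwise change the initializer to `: FlowAlert(c, f) { setAlertScore(getDefaultScore()); }`.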
@ -26,7 +26,6 @@
|
|||
|
||||
class CustomFlowLuaScriptAlert : public FlowAlert {
|
||||
private:
|
||||
u_int8_t score;
|
||||
std::string msg;
|
||||
ndpi_serializer* getAlertJSON(ndpi_serializer* serializer);
@ -35,14 +34,12 @@ class CustomFlowLuaScriptAlert : public FlowAlert {
|
|||
return {flow_alert_custom_lua_script, alert_category_security};
|
||||
}
|
||||
static u_int8_t getDefaultScore() { return SCORE_LEVEL_ERROR; };
|
||||
|
||||
CustomFlowLuaScriptAlert(FlowCheck* c, Flow* f) : FlowAlert(c, f){};
|
||||
|
||||
CustomFlowLuaScriptAlert(FlowCheck* c, Flow* f) : FlowAlert(c, f){ setAlertScore(SCORE_LEVEL_ERROR); };
|
||||
~CustomFlowLuaScriptAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); };
|
||||
void setAlertMessage(std::string m) { msg = m; };
|
||||
void setAlertScore(u_int8_t v) { score = v; };
|
||||
virtual u_int8_t getAlertScore() const { return (score); };
|
||||
bool autoAck() const { return false; };
|
||||
};
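Review bot: The new constructor body hard-codes `setAlertScore(SCORE_LEVEL_ERROR)` even though `getDefaultScore()` a few lines above returns that same constant, so the two can drift apart; use `setAlertScore(getDefaultScore());` as the FlowRisk*Alert constructors in this commit do. Replacing the private `score` member and the per-class setter/getter with the base-class pair is the right direction. While here, `setAlertMessage(std::string m) { msg = m; }` copies its by-value argument a second time; `msg = std::move(m);` is the cheaper form.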
@ -40,12 +40,11 @@ class FlowRiskBinaryApplicationTransferAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskBinaryApplicationTransferAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore()); };
|
||||
~FlowRiskBinaryApplicationTransferAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
|
||||
bool autoAck() const { return false; };
|
||||
};
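Review bot: The constructor line `: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore()); };` is now duplicated verbatim across every FlowRisk*Alert header in this commit (ClearTextCredentials, DNSFragmented, DNSLargePacket, and so on through UnsafeProtocol), each with the stray `;` after the body and no space before `{`; since each one passes its own `getDefaultScore()`, a protected `FlowRiskAlert(FlowCheck *c, Flow *f, u_int8_t score)` constructor that stores the score would reduce every derived initializer to `: FlowRiskAlert(c, f, getDefaultScore()) {}` and leave one place to document the behaviour. `FlowRiskAlert` is outside this hunk, so whether such a constructor already exists cannot be confirmed here. Note also that the score is now captured at construction rather than recomputed on each `getAlertScore()` call, which is fine only if the risk-score table cannot change during an alert's lifetime.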
@ -36,12 +36,11 @@ class FlowRiskClearTextCredentialsAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskClearTextCredentialsAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskClearTextCredentialsAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_CLEAR_TEXT_CREDENTIALS_H_ */
@ -35,12 +35,11 @@ class FlowRiskDNSFragmentedAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskDNSFragmentedAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskDNSFragmentedAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskDNSFragmentedAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_DNS_FRAGMENTED_ALERT_H_ */
@ -35,12 +35,11 @@ class FlowRiskDNSLargePacketAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskDNSLargePacketAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskDNSLargePacketAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskDNSLargePacketAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_DNS_LARGE_PACKET_ALERT_H_ */
@ -35,14 +35,13 @@ class FlowRiskDNSSuspiciousTrafficAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskDNSSuspiciousTrafficAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskDNSSuspiciousTrafficAlert(){};
|
||||
|
||||
bool autoAck() const { return false; };
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_DNS_SUSPICIOUS_TRAFFIC_ALERT_H_ */
@ -37,12 +37,11 @@ class FlowRiskDesktopOrFileSharingSessionAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskDesktopOrFileSharingSessionAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskDesktopOrFileSharingSessionAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_DESKTOP_OR_FILE_SHARING_SESSION_ALERT_H_ */
@ -34,6 +34,7 @@ class FlowRiskGenericAlert : public FlowRiskAlert {
|
|||
FlowRiskGenericAlert(FlowCheck *c, Flow *f, ndpi_risk_enum _risk)
|
||||
: FlowRiskAlert(c, f) {
|
||||
risk = _risk;
|
||||
setAlertScore(FlowRiskAlerts::getFlowRiskScore(risk));
|
||||
};
|
||||
~FlowRiskGenericAlert(){};
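Review bot: `risk = _risk;` followed by `setAlertScore(FlowRiskAlerts::getFlowRiskScore(risk));` in the constructor body works, but `risk` can be set in the initializer list so it is never observable unset: `: FlowRiskAlert(c, f), risk(_risk) { setAlertScore(FlowRiskAlerts::getFlowRiskScore(risk)); }`. The `;` after the closing brace of the constructor is an empty declaration and can be dropped. Removing the `getAlertScore()` override in the second hunk of this file is consistent with the other FlowRisk*Alert changes in the commit.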
@ -41,9 +42,6 @@ class FlowRiskGenericAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskAlertType(risk);
|
||||
}
|
||||
ndpi_risk_enum getAlertRisk() const { return risk; }
|
||||
u_int8_t getAlertScore() const {
|
||||
return FlowRiskAlerts::getFlowRiskScore(risk);
|
||||
}
|
||||
};
|
||||
|
||||
#endif /* _FR_SIMPLE_ALERT_H_ */
@ -35,12 +35,11 @@ class FlowRiskHTTPObsoleteServerAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskHTTPObsoleteServerAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskHTTPObsoleteServerAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_HTTP_OBSOLETE_SERVER_ALERT_H_ */
@ -35,12 +35,11 @@ class FlowRiskHTTPSuspiciousHeaderAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskHTTPSuspiciousHeaderAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskHTTPSuspiciousHeaderAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_HTTP_SUSPICIOUS_HEADER_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskHTTPSuspiciousURLAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskHTTPSuspiciousURLAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskHTTPSuspiciousURLAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskHTTPSuspiciousURLAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_HTTP_SUSPICIOUS_URL_ALERT_H_ */
@ -37,12 +37,11 @@ class FlowRiskHTTPSuspiciousUserAgentAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskHTTPSuspiciousUserAgentAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskHTTPSuspiciousUserAgentAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_HTTP_SUSPICIOUS_USER_AGENT_ALERT_H_ */
@ -40,12 +40,11 @@ class FlowRiskKnownProtocolOnNonStandardPortAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskKnownProtocolOnNonStandardPortAlert(FlowCheck* c, Flow* f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskKnownProtocolOnNonStandardPortAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskMalformedPacketAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskMalformedPacketAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskMalformedPacketAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskMalformedPacketAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_MALFORMED_PACKET_ALERT_H_ */
@ -39,7 +39,6 @@ class FlowRiskMaliciousJA3Alert : public FlowRiskAlert {
|
|||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
|
||||
bool autoAck() const { return false; };
|
||||
};
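Review bot: This section removes `getAlertScore()` from `FlowRiskMaliciousJA3Alert` but, unlike every other FlowRisk*Alert header in this commit, shows no constructor change that calls `setAlertScore(getDefaultScore())`; if the constructor (outside this hunk) was not updated, the alert now reports the base default `SCORE_LEVEL_INFO` set in `FlowAlert::FlowAlert`, which for a malicious-JA3 match is a silent downgrade of a security alert. Please confirm the constructor reads `: FlowRiskAlert(c, f) { setAlertScore(getDefaultScore()); }` like its siblings, or keep the override until it does.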
@ -37,12 +37,11 @@ class FlowRiskMaliciousSHA1CertificateAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskMaliciousSHA1CertificateAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskMaliciousSHA1CertificateAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
|
||||
bool autoAck() const { return false; };
|
||||
};
@ -34,12 +34,11 @@ class FlowRiskMalwareHostContactedAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskMalwareHostContactedAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskMalwareHostContactedAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskMalwareHostContactedAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_MALWARE_HOST_CONTACTED_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskNumericIPHostAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskNumericIPHostAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskNumericIPHostAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskNumericIPHostAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_NUMERIC_IP_HOST_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskPeriodicFlowAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskPeriodicFlowAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskPeriodicFlowAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskPeriodicFlowAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_PERIODIC_FLOW_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskRiskyASNAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskRiskyASNAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskRiskyASNAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskRiskyASNAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_RISKY_ASN_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskRiskyDomainAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskRiskyDomainAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskRiskyDomainAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskRiskyDomainAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_MISSING_SNI_ALERT_H_ */
@ -35,12 +35,11 @@ class FlowRiskSMBInsecureVersionAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskSMBInsecureVersionAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskSMBInsecureVersionAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_SMB_INSECURE_VERSION_ALERT_H_ */
@ -39,12 +39,11 @@ class FlowRiskSSHObsoleteClientAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskSSHObsoleteClientAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskSSHObsoleteClientAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskSSHObsoleteClientAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_SSH_OBSOLETE_CLIENT_ALERT_H_ */
@ -39,12 +39,11 @@ class FlowRiskSSHObsoleteServerAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskSSHObsoleteServerAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskSSHObsoleteServerAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskSSHObsoleteServerAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_SSH_OBSOLETE_SERVER_ALERT_H_ */
@ -38,12 +38,11 @@ class FlowRiskSuspiciousDGADomainAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskSuspiciousDGADomainAlert(FlowCheck* c, Flow* f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskSuspiciousDGADomainAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_SUSPICIOUS_DGA_DOMAIN_ALERT_H_ */
@ -35,12 +35,11 @@ class FlowRiskSuspiciousEntropyAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskSuspiciousEntropyAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskSuspiciousEntropyAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskSuspiciousEntropyAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_SUSPICIOUS_ENTROPY_ALERT_H_ */
@ -37,12 +37,11 @@ class FlowRiskTLSCertValidityTooLongAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskTLSCertValidityTooLongAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSCertValidityTooLongAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_CERT_VALIDITY_TOO_LONG_ALERT_H_ */
@ -36,12 +36,11 @@ class FlowRiskTLSCertificateExpiredAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskTLSCertificateExpiredAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSCertificateExpiredAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_CERTIFICATE_EXPIRED_ALERT_H_ */
@ -35,12 +35,11 @@ class FlowRiskTLSCertificateMismatchAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskTLSCertificateMismatchAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSCertificateMismatchAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_CERTIFICATE_MISMATCH_ALERT_H_ */
@ -40,12 +40,11 @@ class FlowRiskTLSCertificateSelfSignedAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskTLSCertificateSelfSignedAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSCertificateSelfSignedAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_CERTIFICATE_SELFSIGNED_ALERT_H_ */
@ -37,12 +37,11 @@ class FlowRiskTLSFatalAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskTLSFatalAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskTLSFatalAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSFatalAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_FATAL_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskTLSMissingSNIAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskTLSMissingSNIAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskTLSMissingSNIAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSMissingSNIAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_MISSING_SNI_ALERT_H_ */
@ -35,12 +35,11 @@ class FlowRiskTLSNotCarryingHTTPSAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskTLSNotCarryingHTTPSAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSNotCarryingHTTPSAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_NOT_CARRYING_HTTPS_ALERT_H_ */
@ -38,12 +38,11 @@ class FlowRiskTLSOldProtocolVersionAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskTLSOldProtocolVersionAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSOldProtocolVersionAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_OLD_PROTOCOL_VERSION_ALERT_H_ */
@ -37,12 +37,11 @@ class FlowRiskTLSSuspiciousESNIUsageAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskTLSSuspiciousESNIUsageAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSSuspiciousESNIUsageAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_SUSPICIOUS_ESNI_USAGE_ALERT_H_ */
@ -38,12 +38,11 @@ class FlowRiskTLSSuspiciousExtensionAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskTLSSuspiciousExtensionAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSSuspiciousExtensionAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_SUSPICIOUS_EXTENSION_ALERT_H_ */
@ -37,12 +37,11 @@ class FlowRiskTLSUncommonALPNAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskTLSUncommonALPNAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskTLSUncommonALPNAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSUncommonALPNAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_UNCOMMON_ALPN_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskTLSUnsafeCiphersAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskTLSUnsafeCiphersAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskTLSUnsafeCiphersAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskTLSUnsafeCiphersAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_TLS_UNSAFE_CHIPERS_ALERT_H_ */
@ -37,12 +37,11 @@ class FlowRiskURLPossibleRCEInjectionAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskURLPossibleRCEInjectionAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskURLPossibleRCEInjectionAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_URL_POSSIBLE_RCE_INJ_ALERT_H_ */
@ -37,12 +37,11 @@ class FlowRiskURLPossibleSQLInjectionAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskURLPossibleSQLInjectionAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskURLPossibleSQLInjectionAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
|
||||
bool autoAck() const { return false; };
|
||||
};
@ -34,12 +34,11 @@ class FlowRiskURLPossibleXSSAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskURLPossibleXSSAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskURLPossibleXSSAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskURLPossibleXSSAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_URL_POSSIBLE_XSS_ALERT_H_ */
@ -36,12 +36,11 @@ class FlowRiskUnidirectionalTrafficAlert : public FlowRiskAlert {
|
|||
}
|
||||
|
||||
FlowRiskUnidirectionalTrafficAlert(FlowCheck *c, Flow *f)
|
||||
: FlowRiskAlert(c, f){};
|
||||
: FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskUnidirectionalTrafficAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_UNIDIRECTIONAL_TRAFFIC_ALERT_H_ */
@ -34,12 +34,11 @@ class FlowRiskUnsafeProtocolAlert : public FlowRiskAlert {
|
|||
return FlowRiskAlerts::getFlowRiskScore(getClassRisk());
|
||||
}
|
||||
|
||||
FlowRiskUnsafeProtocolAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){};
|
||||
FlowRiskUnsafeProtocolAlert(FlowCheck *c, Flow *f) : FlowRiskAlert(c, f){ setAlertScore(getDefaultScore());};
|
||||
~FlowRiskUnsafeProtocolAlert(){};
|
||||
|
||||
FlowAlertType getAlertType() const { return getClassType(); }
|
||||
ndpi_risk_enum getAlertRisk() const { return getClassRisk(); }
|
||||
u_int8_t getAlertScore() const { return getDefaultScore(); }
|
||||
};
|
||||
|
||||
#endif /* _FR_UNSAFE_PROTOCOL_ALERT_H_ */
@ -26,6 +26,8 @@
|
|||
|
||||
class BlacklistedServerContact : public FlowCheck {
|
||||
private:
|
||||
u_int8_t score;
|
||||
|
||||
public:
|
||||
BlacklistedServerContact()
|
||||
: FlowCheck(ntopng_edition_community, false /* All interfaces */,
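Review bot: The new private member `u_int8_t score;` has no in-class initializer, and the constructor's initializer list shown here runs past the end of the hunk, so unless the body assigns it the value this check later hands to an alert's `setAlertScore()` is indeterminate; brace-initialise it at the declaration, `u_int8_t score{};` (or the intended default level), or set it in the initializer list. A one-line comment such as `/* Score assigned to alerts raised by this check; configurable */` would also help, since the check previously carried no score state. The constructor body is not visible here, so this may already be handled.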
@ -28,7 +28,8 @@ class ScoreThresholdAlert : public HostAlert {
|
|||
private:
|
||||
bool is_client_alert;
|
||||
u_int32_t value, threshold;
|
||||
|
||||
u_int8_t alert_score;
|
||||
|
||||
ndpi_serializer* getAlertJSON(ndpi_serializer* serializer) {
|
||||
if (serializer == NULL) return NULL;
@ -49,6 +50,7 @@ class ScoreThresholdAlert : public HostAlert {
|
|||
is_client_alert = cli_pctg != CLIENT_NO_RISK_PERCENTAGE;
|
||||
value = _value;
|
||||
threshold = _threshold;
|
||||
alert_score = SCORE_LEVEL_SEVERE;
|
||||
}
|
||||
~ScoreThresholdAlert(){};
@ -56,7 +58,8 @@ class ScoreThresholdAlert : public HostAlert {
|
|||
return {host_alert_score_threshold, alert_category_security};
|
||||
}
|
||||
HostAlertType getAlertType() const { return getClassType(); }
|
||||
u_int8_t getAlertScore() const { return SCORE_LEVEL_SEVERE; };
|
||||
u_int8_t getAlertScore() const { return alert_score; };
|
||||
void setAlertScore(u_int8_t value) { alert_score = value; };
|
||||
};
|
||||
|
||||
#endif /* _SCORE_THRESHOLD_ALERT_H_ */
|
||||
|
|
|
|||
|
|
@ -1391,7 +1391,7 @@ else
|
|||
local is_predominant = id == flow["predominant_alert"]
|
||||
local alert_label = alert_consts.alertTypeLabel(id, true, alert_entities.flow.entity_id)
|
||||
local message = alert_label
|
||||
local alert_score = ntop.getFlowAlertScore(id)
|
||||
local alert_score = flow.score.alert_score[tostring(id)] -- ntop.getFlowAlertScore(id)
|
||||
local alert_risk = ntop.getFlowAlertRisk(id)
|
||||
|
||||
if alert_score > 0 then
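Review bot: `flow.score.alert_score[tostring(id)]` (line 1394) can be nil when the serialized flow carries no entry for this alert id, for example `flow.score` missing or a flow whose alert was raised before the per-alert score map was filled, and the `alert_score > 0` comparison on the next line then raises "attempt to compare nil with number" and breaks the whole flow page. Keep the old call as the fallback rather than as a comment: `local alert_score = (flow.score and flow.score.alert_score and flow.score.alert_score[tostring(id)]) or ntop.getFlowAlertScore(id)`. The string key is assumed from `tostring(id)`; worth confirming against how the C++ side serializes the map. The enclosing function starts and ends outside the hunk.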
|
||||
|
|
|
|||
2950
src/Flow.cpp
2950
src/Flow.cpp
File diff suppressed because it is too large
|
|
@ -29,6 +29,7 @@ FlowAlert::FlowAlert(FlowCheck *c, Flow *f) {
|
|||
cli_attacker = srv_attacker = false;
|
||||
cli_victim = srv_victim = false;
|
||||
if (c) check_name = c->getName();
|
||||
alert_score = SCORE_LEVEL_INFO;
|
||||
}
|
||||
|
||||
/* **************************************************** */
|
||||
|
|
@ -39,7 +40,7 @@ FlowAlert::~FlowAlert() {
|
|||
|
||||
/* ***************************************************** */
|
||||
|
||||
ndpi_serializer *FlowAlert::getSerializedAlert() {
|
||||
ndpi_serializer* FlowAlert::getSerializedAlert() {
|
||||
ndpi_serializer *serializer;
|
||||
|
||||
serializer = (ndpi_serializer *)malloc(sizeof(ndpi_serializer));
|
||||
|
|
@ -60,8 +61,7 @@ ndpi_serializer *FlowAlert::getSerializedAlert() {
|
|||
|
||||
/* Add information relative to this check */
|
||||
ndpi_serialize_start_of_block(serializer, "alert_generation");
|
||||
ndpi_serialize_string_string(serializer, "script_key",
|
||||
getCheckName().c_str());
|
||||
ndpi_serialize_string_string(serializer, "script_key", getCheckName().c_str());
|
||||
ndpi_serialize_string_string(serializer, "subdir", "flow");
|
||||
flow->getJSONRiskInfo(serializer);
|
||||
ndpi_serialize_end_of_block(serializer);
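Review bot: Defaulting `alert_score = SCORE_LEVEL_INFO` in the FlowAlert constructor (first hunk, line 32) turns a forgotten `setAlertScore()` in a subclass into a silently under-scored alert instead of a compile error, and this commit converts subclasses precisely by deleting their `getAlertScore()` overrides, so any class that is missed or later added from an old template will emit INFO-level alerts for what may be a high-severity check. Add a comment at that line: `/* Subclasses must call setAlertScore() (constructor or FlowCheck::buildAlert); overriding getAlertScore() is no longer honored */`. It would also help consumers if the serialized alert carried the score next to `script_key` in the second hunk, unless getAlertJSON() already emits it, which is not visible here.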
|
||||
|
|
|
|||
|
|
@ -102,12 +102,11 @@ bool FlowCheck::loadConfiguration(json_object *config) {
|
|||
|
||||
/* **************************************************** */
|
||||
|
||||
void FlowCheck::computeCliSrvScore(FlowAlertType alert_type,
|
||||
void FlowCheck::computeCliSrvScore(u_int8_t alert_score,
|
||||
risk_percentage cli_pctg,
|
||||
u_int8_t *cli_score, u_int8_t *srv_score) {
|
||||
u_int8_t score = ntop->getFlowAlertScore(alert_type.id);
|
||||
*cli_score = (score * cli_pctg) / 100;
|
||||
*srv_score = score - (*cli_score);
|
||||
*cli_score = (alert_score * cli_pctg) / 100;
|
||||
*srv_score = alert_score - (*cli_score);
|
||||
}
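Review bot: `computeCliSrvScore()` now takes a caller-supplied `alert_score` but still assumes `cli_pctg <= 100`: with a larger percentage `*cli_score` exceeds `alert_score` and `*srv_score = alert_score - (*cli_score)` wraps around in `u_int8_t`, crediting the server with a score near 255. This pre-dates the change, but callers now pass arbitrary levels (e.g. `SCORE_LEVEL_NOTICE` from BlacklistedServerContact), so clamp once here before the division: `if (cli_pctg > 100) cli_pctg = 100;`. Document the contract as well: `/* Split alert_score between client and server; cli_pctg is the client share in [0,100] */`.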
|
||||
|
||||
/* **************************************************** */
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ void BlacklistedClientContact::protocolDetected(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_FAIR_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
@ -56,6 +56,18 @@ FlowAlert* BlacklistedClientContact::buildAlert(Flow *f) {
|
|||
alert->setCliAttacker(), alert->setSrvAttacker();
|
||||
else if (is_client_bl && is_server_bl)
|
||||
alert->setCliAttacker(), alert->setSrvAttacker();
|
||||
|
||||
if(f->get_packets_srv2cli() == 0) {
|
||||
/*
|
||||
Nothing serious: the server did not reply (server port or traffic filtered)
|
||||
*/
|
||||
alert->setAlertScore(SCORE_LEVEL_NOTICE);
|
||||
} else {
|
||||
/*
|
||||
Bad: the server port is open and it has replied
|
||||
*/
|
||||
alert->setAlertScore(SCORE_LEVEL_WARNING);
|
||||
}
|
||||
}
|
||||
|
||||
return alert;
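Review bot: `buildAlert()` (second hunk) overrides the alert score with NOTICE or WARNING based on `f->get_packets_srv2cli()`, but `protocolDetected()` (first hunk) has already credited both hosts with a split of the configured default via `computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), ...)`, so the per-host score and the alert's own score now disagree for every such flow. The two are also evaluated at different moments, detection versus the asynchronous alert build, so a late server reply can flip the level between them. If the downgrade is intended, compute the level in `protocolDetected()` with the same `get_packets_srv2cli()` test and feed it to both `computeCliSrvScore()` and the alert; if the mismatch is deliberate, say so in a comment next to `setAlertScore`. Both enclosing functions extend beyond their hunks.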
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ void BlacklistedCountry::protocolDetected(Flow *f) {
|
|||
if (is_server_bl || is_client_bl) {
|
||||
FlowAlertType alert_type = BlacklistedCountryAlert::getClassType();
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ void BlacklistedFlow::protocolDetected(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,8 +29,17 @@ void BlacklistedServerContact::protocolDetected(Flow *f) {
|
|||
FlowAlertType alert_type = BlacklistedServerContactAlert::getClassType();
|
||||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
if(f->get_protocol() == IPPROTO_ICMP) {
|
||||
/*
|
||||
ICMP is not really relevant and it can be an indication of
|
||||
a previous communication (e.g. ICMP port unreacheable)
|
||||
*/
|
||||
score = SCORE_LEVEL_NOTICE;
|
||||
} else
|
||||
score = ntop->getFlowAlertScore(alert_type.id);
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(score, cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
@ -56,6 +65,8 @@ FlowAlert* BlacklistedServerContact::buildAlert(Flow *f) {
|
|||
alert->setCliAttacker(), alert->setSrvAttacker();
|
||||
else if (is_client_bl && is_server_bl)
|
||||
alert->setCliAttacker(), alert->setSrvAttacker();
|
||||
|
||||
alert->setAlertScore(score); /* Set custom score */
|
||||
}
|
||||
|
||||
return alert;
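Review bot: The `score` written in `protocolDetected()` (first hunk) and read by `alert->setAlertScore(score)` in `buildAlert()` (second hunk) is a member of the check object, not of the flow, and `f->triggerAlertAsync()` defers the build; if the same check instance serves other flows in between, as a per-interface FlowCheck presumably does, an ICMP flow can overwrite it with `SCORE_LEVEL_NOTICE` so a real TCP contact to a blacklisted server is reported at notice level, or the reverse. The member also appears to have no initializer in the header, so a `buildAlert()` that runs first reads an indeterminate value. Derive the level from the flow at build time and drop the member: `alert->setAlertScore(f->get_protocol() == IPPROTO_ICMP ? SCORE_LEVEL_NOTICE : ntop->getFlowAlertScore(BlacklistedServerContactAlert::getClassType().id));`, and use the same expression for the `computeCliSrvScore()` call. Both enclosing functions extend beyond their hunks.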
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ void BroadcastNonUDPTraffic::flowBegin(Flow *f) {
|
|||
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -185,7 +185,7 @@ void CustomFlowLuaScript::checkFlow(Flow *f, LuaEngine *lua) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_FAIR_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ void DeviceProtocolNotAllowed::protocolDetected(Flow *f) {
|
|||
else
|
||||
cli_score_pctg = CLIENT_LOW_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ void ExternalAlertCheck::checkExternalAlert(Flow *f) {
|
|||
risk_percentage cli_score_pctg = CLIENT_FAIR_RISK_PERCENTAGE;
|
||||
u_int8_t c_score, s_score;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ void LowGoodputFlow::checkLowGoodput(Flow *f) {
|
|||
break; /* Continue with the check */
|
||||
};
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ void NotPurged::checkNotPurged(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_FAIR_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ void RareDestination::protocolDetected(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_FAIR_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ void RemoteAccess::protocolDetected(Flow *f) {
|
|||
#endif
|
||||
if (cli) cli->incrRemoteAccess();
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
break;
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@ void RemoteToLocalInsecureFlow::protocolDetected(Flow *f) {
|
|||
FlowAlertType alert_type = RemoteToLocalInsecureFlowAlert::getClassType();
|
||||
u_int8_t c_score, s_score;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ void RemoteToRemote::protocolDetected(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_FAIR_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ void TCPFlowReset::checkFlowReset(Flow *f) {
|
|||
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ void TCPNoDataExchanged::checkTCPNoDataExchanged(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -65,7 +65,7 @@ void TCPPacketsIssues::checkTCPPacketsIssues(Flow *f) {
|
|||
lost_pctg, lost_threshold);
|
||||
#endif /* DEBUG_PACKETS_ISSUES */
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ void TCPZeroWindow::checkTCPWindow(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -141,7 +141,7 @@ void UnexpectedServer::protocolDetected(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -58,7 +58,7 @@ void VLANBidirectionalTraffic::checkBidirectionalTraffic(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ void WebMining::protocolDetected(Flow *f) {
|
|||
u_int8_t c_score, s_score;
|
||||
risk_percentage cli_score_pctg = CLIENT_HIGH_RISK_PERCENTAGE;
|
||||
|
||||
computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
|
||||
computeCliSrvScore(ntop->getFlowAlertScore(alert_type.id), cli_score_pctg, &c_score, &s_score);
|
||||
|
||||
f->triggerAlertAsync(alert_type, c_score, s_score);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
Subproject commit d3e90b31668995cab9359170786e849a3505df2a
|
||||
Subproject commit 9b71c65c99c5d0c28c5cf176cda1fa2fe77aeac1
|
||||