TCP Zero Window alert from issue #3417 (#4684)

* Added no_if_activity alert to user script keys

* Added no_if_activity description alert

* Fixes #4648 trigger an alert when no flows are collected

* Changed the time past one call of the alert and an other

* Fixes #4648 reorganized files and cache management

* Added status flow check regarding issue #3417

* Removed debug code

Co-authored-by: matteo <biscosi@ntop.org>
Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>

scripts/plugins/alerts/network/zero_tcp_window/flow_status_definitions/status_zero_tcp_window.lua

@@ -0,0 +1,43 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+local alert_keys = require "alert_keys"
+local alert_creators = require "alert_creators"
+
+-- #######################################################
+
+local function zeroTcpWindow(ifid, alert, zero_tcp_window_checks)
+  if(zero_tcp_window_checks.is_client) then
+    return(i18n("zero_tcp_window.status_zero_tcp_window_description" .. "Flow direction: Client -> Server")) -- .. flow.name)) Need to concatenate the name/id/infos of the flow to the description
+  else
+    return(i18n("zero_tcp_window.status_zero_tcp_window_description" .. "Flow direction: Server -> Client")) -- .. flow.name)) Need to concatenate the name/id/infos of the flow to the description
+  end
+end
+
+-- ##############################################
+
+local function createZeroTcpWindow(alert_severity, alert_granularity, is_server, is_client)
+  local zero_tcp_window_type = {
+     alert_granularity = alert_granularity,
+     alert_severity = alert_severity,
+     alert_type_params = {
+      is_server = is_server,
+      is_client = is_client
+     }
+  }
+
+  return zero_tcp_window_type
+end
+
+-- #######################################################
+
+return {
+  status_keys = status_keys.ntopng.status_zero_tcp_window,
+  alert_severity = alert_consts.alert_severities.warning,
+  alert_type = alert_consts.alert_types.alert_connection_issues,
+  i18n_title = "zero_tcp_window.stats_zero_tcp_window_title",
+  i18n_description = zeroTcpWindow,
+  icon = "fas fa-arrow-circle-up",
+  creator = createZeroTcpWindow,
+}

scripts/plugins/alerts/network/zero_tcp_window/locales/en.lua

@@ -0,0 +1,16 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+return {
+   zero_tcp_window_description = "Trigger an alert when a flow TCP window is zero",
+   zero_tcp_window_title = "Zero TCP Window",
+
+-- ####################### Status strings
+
+   status_zero_tcp_window_description = "Reported TCP window zero value for the flow: ",
+
+-- ####################### Alert strings
+
+   status_zero_tcp_window_title = "Reported TCP window zero value"
+}

scripts/plugins/alerts/network/zero_tcp_window/locales/it.lua

@@ -0,0 +1,16 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+return {
+   zero_tcp_window_description = "Attiva un allarme quando la finestra di un flusso TCP è zero",
+   zero_tcp_window_title = "Zero TCP Window",
+
+-- ####################### Status strings
+
+   status_zero_tcp_window_description = "Individuato valore della finestra TCP a zero per il flusso: ",
+
+-- ####################### Alert strings
+
+   alert_zero_tcp_window_title = "Individuato valore della finestra TCP a zero"
+ }

scripts/plugins/alerts/network/zero_tcp_window/manifest.lua

@@ -0,0 +1,10 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+return {
+  title = "Zero TCP Window check",
+  description = "Detects if there a flow TCP window value is zero, if it is triggers an alert",
+  author = "ntop",
+  dependencies = {},
+}

scripts/plugins/alerts/network/zero_tcp_window/user_scripts/flow/zero_tcp_window.lua

@@ -0,0 +1,86 @@
+--
+-- (C) 2020 - ntop.org
+--
+
+local alerts_api = require("alerts_api")
+local alert_consts = require "alert_consts"
+local user_scripts = require("user_scripts")
+
+local script
+
+-- #################################################################
+
+script = {
+  -- Script category
+  category = user_scripts.script_categories.network,
+
+  -- NB atm working only for packet interfaces
+  packet_interface_only = true,
+  l4_proto = "tcp",
+  periodic_update_seconds = 60,
+  
+  -- NOTE: hooks defined below
+  hooks = {},  
+
+  gui = {
+    i18n_title        = "zero_tcp_window.zero_tcp_window_title",
+    i18n_description  = "zero_tcp_window.zero_tcp_window_description",
+  }
+}
+
+-- #################################################################
+
+local function check_tcp_window(now)
+  local is_client = false -- Does the client has TCP issues?
+  local is_server = false -- Does the server has TCP issues?
+
+  if(false) then
+    tprint("=================================")
+    tprint("Into periodic update")
+    tprint(flow.getTcpWndCli2SrvCheck())
+    tprint(flow.getTcpWndCli2Srv())
+    tprint(flow.getTcpWndSrv2CliCheck())
+    tprint(flow.getTcpWndSrv2Cli())
+  end
+
+  -- Client -> Server
+  if(flow.getTcpWndCli2SrvCheck() == false) then
+    if(flow.getTcpWndCli2Srv() == true) then
+      flow.setTcpWndCli2SrvCheck()
+      is_client = true
+    end
+  end
+
+  -- Server -> Client
+  if(flow.getTcpWndSrv2CliCheck() == false) then
+    if(flow.getTcpWndSrv2Cli() == true) then
+      flow.setTcpWndSrv2CliCheck()
+      is_server = true
+    end
+  end
+
+  -- Now it's time to generate the alert, it either the client or the server has issues
+
+  if is_client or is_server then
+    flow.triggerStatus(
+      flow_consts.status_types.status_zero_tcp_window.create(
+        flow_consts.status_types.status_zero_tcp_window.alert_severity,
+        is_client,
+        is_server
+     ),
+     10 --[[ flow score]],
+     10 --[[ cli score ]],
+     10 --[[ srv score ]]
+    )
+  end
+end
+
+-- #################################################################
+
+script.hooks.periodicUpdate = check_tcp_window
+
+-- #################################################################
+
+
+
+return script