From e70c16be27150545b8170aa1a736f9cf8322775f Mon Sep 17 00:00:00 2001
From: Simone Mainardi
Date: Thu, 1 Jul 2021 17:28:37 +0200
Subject: [PATCH] Adds cog icon to configure checks from the flow details page

Addresses #5606
---
 scripts/lua/flow_details.lua | 23 ++++++++++++--
 scripts/lua/modules/alert_utils.lua | 31 +++++++++++-------
 .../flow/ndpi_http_suspicious_user_agent.lua | 2 +-
 3 files changed, 39 insertions(+), 17 deletions(-)

diff --git a/scripts/lua/flow_details.lua b/scripts/lua/flow_details.lua
index c28eac2fb7..4fc07e29e1 100644
--- a/scripts/lua/flow_details.lua
+++ b/scripts/lua/flow_details.lua
@@ -1318,6 +1318,16 @@ else
 -- Print flow alerts (ordered by score and then alphabetically)
 if num_statuses > 0 then
+ -- Prepare a mapping between alert id and check
+ local alert_id_to_flow_check = {}
+ local checks = require "checks"
+ local flow_checks = checks.load(ifId, checks.script_types.flow, "flow")
+ for flow_check_name, flow_check in pairs(flow_checks.modules) do
+ if flow_check.alert_id then
+ alert_id_to_flow_check[flow_check.alert_id] = flow_check_name
+ end
+ end
+
 for _, score_alerts in pairsByKeys(alerts_by_score, rev) do
 for _, score_alert in pairsByField(score_alerts, "message", asc) do
 if first then
@@ -1332,6 +1342,15 @@ else
 if score_alert.alert_id then
 print('')
+ -- Add rules to disable the check
+ print(string.format('', score_alert.alert_id, score_alert.alert_label))
+
+ -- If available, add a cog to configure the check
+ if alert_id_to_flow_check[score_alert.alert_id] then
+ print(string.format(' ', alert_utils.getConfigsetURL(alert_id_to_flow_check[score_alert.alert_id], "flow")))
+ end
+
+ -- For the predominant alert, add an anchor to the historical alert
 if score_alert.is_predominant then
 -- Prepare bounds for the historical alert search.
 local epoch_begin = flow["seen.first"]
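Review bot: The mapping built in `for flow_check_name, flow_check in pairs(flow_checks.modules) do` silently lets the last check visited win when two checks declare the same `alert_id`, and because `pairs` order is unspecified the cog could point to a different check on different renders; the third file of this very commit fixes such a duplicated id, so the case is real. A guard such as `if flow_check.alert_id and not alert_id_to_flow_check[flow_check.alert_id] then` (or logging the collision) makes the choice deterministic and visible. Separately, `require "checks"` sits inside a conditional branch mid-function rather than with the other requires at the top of the file, and `checks.load(...)` runs on every render of this branch even though its result is only used to build a link. The enclosing block starts before this hunk.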
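Review bot: The cog link to the admin configset editor is printed for every viewer, whereas `alert_utils.getConfigsetAlertLink` in the second file only emits its configset link inside `if(info and isAdministrator()) then`; the new branch should apply the same gate, e.g. `if alert_id_to_flow_check[score_alert.alert_id] and isAdministrator() then`, so non-administrators are not shown a control they cannot use (the target page must still enforce the check itself, which this hunk cannot show). `alert_utils` is used here but not required in this hunk; presumably it is already in scope at the top of flow_details.lua — worth confirming. The HTML inside the format strings is not visible on this page, so whether `score_alert.alert_label` is escaped before being interpolated cannot be checked here. The `if score_alert.alert_id` block continues past the end of the hunk.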
@@ -1344,7 +1363,7 @@ else
 local cli_port = flow["cli.port"] .. tag_utils.SEPARATOR .. "eq"
 local srv_port = flow["srv.port"] .. tag_utils.SEPARATOR .. "eq"
- print(string.format(' ',
+ print(string.format(' ',
 ntop.getHttpPrefix(),
 epoch_begin,
 epoch_end,
@@ -1353,8 +1372,6 @@ else
 srv_ip,
 srv_port))
 end
- print(string.format('', score_alert.alert_id, score_alert.alert_label))
- print('')
 else
 -- These are unhandled alerts, e.g., flow risks for which a check doesn't exist
 print(string.format(''))
diff --git a/scripts/lua/modules/alert_utils.lua b/scripts/lua/modules/alert_utils.lua
index 9644a1d299..aa5ba52170 100644
--- a/scripts/lua/modules/alert_utils.lua
+++ b/scripts/lua/modules/alert_utils.lua
@@ -422,28 +422,33 @@ end
 -- #################################
+function alert_utils.getConfigsetURL(script_key, subdir)
+ return string.format('%s/lua/admin/edit_configset.lua?subdir=%s&check=%s#all', ntop.getHttpPrefix(), subdir, script_key)
+end
+
+-- #################################
+
 function alert_utils.getConfigsetAlertLink(alert_json, alert --[[ optional --]])
 local info = alert_json.alert_generation or (alert_json.alert_info and alert_json.alert_info.alert_generation)
 if(info and isAdministrator()) then
 if alert then
- -- This piece of code (exception) has been moved here from formatAlertMessage
- if(alert_consts.getAlertType(alert.alert_id, alert.entity_id) == "alert_am_threshold_cross") then
- local plugins_utils = require "plugins_utils"
- local active_monitoring_utils = plugins_utils.loadModule("active_monitoring", "am_utils")
- local host = json.decode(alert.json)["host"]
+ -- This piece of code (exception) has been moved here from formatAlertMessage
+ if(alert_consts.getAlertType(alert.alert_id, alert.entity_id) == "alert_am_threshold_cross") then
+ local plugins_utils = require "plugins_utils"
+ local active_monitoring_utils = plugins_utils.loadModule("active_monitoring", "am_utils")
+ local host = json.decode(alert.json)["host"]
- if host and host.measurement and not host.is_infrastructure then
- return ' '
- end
- end
+ if host and host.measurement and not host.is_infrastructure then
+ return ' '
+ end
+ end
 end
- return(' '..
- '')
+ return(' '..
+ '')
 end
 return('')
diff --git a/scripts/lua/modules/check_definitions/flow/ndpi_http_suspicious_user_agent.lua b/scripts/lua/modules/check_definitions/flow/ndpi_http_suspicious_user_agent.lua
index 1ffaed9c48..c2f7fc9200 100644
--- a/scripts/lua/modules/check_definitions/flow/ndpi_http_suspicious_user_agent.lua
+++ b/scripts/lua/modules/check_definitions/flow/ndpi_http_suspicious_user_agent.lua
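Review bot: `alert_utils.getConfigsetURL` interpolates `subdir` and `script_key` into the query string via `string.format` with no URL-encoding, which works for the only caller in this commit (a literal `"flow"` and a check module name) but leaves the contract undocumented for future callers; either add an encoding step or state the assumption in a header comment such as `-- Builds the edit_configset.lua URL for a check. script_key and subdir are inserted verbatim (no URL encoding), so they must be identifier-like.` The rest of the hunk is a whitespace-only re-indentation of `getConfigsetAlertLink`, which buries the real change and would review more easily as a separate commit. `getConfigsetAlertLink`'s closing `end` lies outside the hunk.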
@@ -12,7 +12,7 @@ local script = {
 category = checks.check_categories.security,
 -- This script is only for alerts generation
- alert_id = flow_alert_keys.flow_alert_ndpi_http_suspicious_header,
+ alert_id = flow_alert_keys.flow_alert_ndpi_http_suspicious_user_agent,
 default_enabled = true,
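Review bot: The new key `flow_alert_keys.flow_alert_ndpi_http_suspicious_user_agent` is not defined anywhere in this patch; if it is absent from `flow_alert_keys`, `alert_id` silently evaluates to nil, the check drops out of the alert-id-to-check mapping added in flow_details.lua and its alerts land in the "unhandled alerts" branch with no error raised. Worth confirming the key exists in the alert keys table, and presumably any alerts or configset entries recorded under the old `flow_alert_ndpi_http_suspicious_header` id for this check will no longer be associated with it — that is worth a line in the commit message. The `script` table continues outside the hunk.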