[VS] Add check on the host before TCP/UDP portscan. (#8050)

Nicolo Maio 2023-11-23 14:58:37 +01:00
parent 3d1fbfe112
commit fb0ff0850c
7 changed files with 128 additions and 22 deletions


@ -94,7 +94,8 @@ vs_utils.scan_status = {
ok = 1,
scheduled = 2,
not_scanned = 3,
scanning = 4
scanning = 4,
failed = 5,
}
vs_utils.scan_in_exec_type = {
@ -612,6 +613,37 @@ function vs_utils.cleanup_nmap_result(scan_result, scan_type)
end
end
-- Remove the first/last few lines that contain nmap information that change at each scan
function vs_utils.cleanup_nmap_check_host_result(scan_result)
if(scan_result ~= nil) then
if(debug_me) then traceError(TRACE_NORMAL, TRACE_CONSOLE, "Result: "..scan_result.."\n") end
scan_result = scan_result:gsub("|", "")
scan_result = scan_result:gsub("_", "")
scan_result = lines(scan_result)
-- remove the first line and the last one
table.remove(scan_result, 1)
table.remove(scan_result, #scan_result)
local is_up_and_run = false
for _,l in pairs(scan_result) do
-- searching for "Host is up" nmap string
if (string.find(l, "Host is up") ~= nil) then
is_up_and_run = true
goto continue
end
end
::continue::
return is_up_and_run
else
return false
end
end
-- **********************************************************
-- Remove the first/last few lines that contain nmap information that change at each scan
@ -800,7 +832,10 @@ local function update_scan_info_for_report(type_of_scan_execution, new_item, hos
end
if (info_json ~= {} and info_json.scanned_hosts ~= nil) then
info_json.scanned_hosts = tonumber(info_json.scanned_hosts) + 1
if (new_item.is_ok_last_scan == vs_utils.scan_status.ok) then
-- count just in success case
info_json.scanned_hosts = tonumber(info_json.scanned_hosts) + 1
end
else
info_json.scanned_hosts = 1
end
@ -921,6 +956,18 @@ end
-- **********************************************************
local function trigger_alert_host_down(host,host_name, epoch)
local host_info_to_cache = {
host = host,
host_name = host_name,
epoch = epoch,
is_up_check_case = true,
}
ntop.rpushCache(scanned_hosts_changes_queue_key, json.encode(host_info_to_cache))
end
-- **********************************************************
-- Function to update host scan values
function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time, last_duration,
is_ok_last_scan, ports, scan_frequency, num_open_ports,
@ -949,13 +996,21 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
else
epoch_id = id
end
local is_down = false
if (isEmptyString(is_ok_last_scan)) then
-- first time saved without scan
-- check if possible
is_ok_last_scan = vs_utils.scan_status.not_scanned
elseif (is_ok_last_scan == vs_utils.scan_status.failed and trigger_alert) then
-- case host is not up and running, possible just in TCP/UDP portscan
trigger_alert_host_down(host,host_name,last_scan_time)
is_down = true
end
local cve_formatted, max_score_cve = get_cve_with_score(cve)
local new_item = {
num_open_ports = num_open_ports,
num_vulnerabilities_found = num_vulnerabilities_found,
@ -965,6 +1020,9 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
host_name = host_name
}
if (is_down) then
new_item.is_down = true
end
if tcp_ports ~= nil then
new_item.tcp_ports = tcp_ports.num_ports
new_item.tcp_ports_list = tcp_ports.ports
@ -1820,10 +1878,12 @@ function vs_utils.scan_host(scan_type, host, ports, scan_id, use_coroutines)
tcp_ports = {ports = format_port_list_to_string(tcp_ports), num_ports = #tcp_ports}
end
if scan_result then
if scan_result and scan_result ~= vs_utils.scan_status.failed then
scan_result = vs_utils.scan_status.ok
ntop.incrCache(scanned_hosts_count_key)
elseif(scan_result and scan_result == vs_utils.scan_status.failed) then
scan_result = vs_utils.scan_status.failed
end
if debug_me then
@ -2141,16 +2201,6 @@ function vs_utils.is_available()
return (#scan_modules > 0)
end
-- **********************************************************
-- **********************************************************
function vs_utils.runCommand(scan_command, use_coroutines)
@ -2222,6 +2272,30 @@ end
-- **********************************************************
function vs_utils.nmap_check_host(host_ip, use_coroutines)
local nmap = vs_utils.get_nmap_path()
local scan_command = nmap.." -sn"
-- IPv6 check
if(string.contains(host_ip, ':')) then scan_command = scan_command .. " -6" end
scan_command = string.format("%s %s",scan_command,host_ip)
if(debug_me) then traceError(TRACE_NORMAL, TRACE_CONSOLE, "Executing: "..scan_command.."\n") end
local start_scan = os.time()
local result = vs_utils.runCommand(scan_command, use_coroutines)
local end_scan = os.time()
local scan_duration = end_scan - start_scan
local is_up = vs_utils.cleanup_nmap_check_host_result(result)
if(debug_me) then traceError(TRACE_NORMAL, TRACE_CONSOLE, "Host is up: "..tostring(is_up).."\n") end
return is_up, scan_duration, start_scan, end_scan
end
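Review bot: `host_ip` is spliced unvalidated into the nmap command line at `scan_command = string.format("%s %s",scan_command,host_ip)`; the only inspection of it is the `':'` test used to append `-6`, so a value carrying whitespace or shell metacharacters would add arbitrary nmap options or, if `vs_utils.runCommand` (body not in this hunk) hands the string to a shell via `os.execute`/`io.popen`, arbitrary commands. A guard before the format, e.g. `if not host_ip:match("^[%w%.:%-]+$") then return false, 0, os.time(), os.time() end`, keeps the argument to a single address/hostname token and returns the same four-value shape the caller expects. Separately, `-sn` reports hosts that drop nmap's discovery probes as down, and this result appears to become `scan_status.failed` in `scan_host` (the `elseif` branch at the `vs_utils.scan_status.failed` comparison), so a firewalled but live host presumably never receives the port scan and its vulnerabilities go unreported. That trade-off deserves a comment on the function, such as `-- NOTE: hosts that block ICMP/TCP discovery probes are reported down here and skip the port scan; consider -Pn if false negatives appear`.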
-- **********************************************************
-- Migrate old configurations
function vs_utils.migrate_keys()
local old_hash_key = "ntopng.prefs.host_to_scan"
@ -2271,6 +2345,10 @@ else
use_slow_scan = ""
end
-- **********************************************************
function vs_utils.isVSConfiguredHost(ip)
end
-- **********************************************************
function vs_utils.retrieve_report_list(epoch)
@ -2278,7 +2356,6 @@ function vs_utils.retrieve_report_list(epoch)
return (vs_db_utils.retrieve_reports(sort_on,epoch))
end
-- **********************************************************
function vs_utils.retrieve_report(report_name)