--
-- (C) 2020 - ntop.org
--
-- ##############################################
-- Integer identifiers of the alerts known to ntopng, grouped by who defines them.
-- The string key is the symbolic name used from Lua, the integer is the value that
-- identifies the alert elsewhere. The two id spaces are kept disjoint on purpose:
-- ntopng ids are small integers, user ids start at 32768 (0x8000). The reverse
-- map built from this table relies on every integer being used only once.
local alert_keys = {
   -- Alerts generated by ntopng itself (and by the plugins shipped with it)
   ntopng = {
      alert_blacklisted_country            = 1,
      alert_broadcast_domain_too_large     = 2,
      alert_device_connection              = 3,
      alert_device_disconnection           = 4,
      alert_device_protocol_not_allowed    = 5,
      alert_dropped_alerts                 = 6,
      alert_external                       = 7,
      alert_flow_blacklisted               = 8,
      alert_flow_blocked                   = 9,
      alert_flow_misbehaviour              = 10,
      alert_flows_flood                    = 11,
      alert_ghost_network                  = 12,
      alert_host_pool_connection           = 13,
      alert_host_pool_disconnection        = 14,
      alert_influxdb_dropped_points        = 15,
      alert_influxdb_error                 = 16,
      alert_influxdb_export_failure        = 17,
      alert_internals                      = 18,
      alert_ip_outsite_dhcp_range          = 19,
      alert_list_download_failed           = 20,
      alert_login_failed                   = 21,
      alert_mac_ip_association_change      = 22,
      alert_malicious_signature            = 23,
      alert_misbehaving_flows_ratio        = 24,
      alert_misconfigured_app              = 25,
      alert_new_device                     = 26,
      alert_nfq_flushed                    = 27,
      alert_none                           = 28,
      alert_periodic_activity_not_executed = 29,
      alert_am_threshold_cross             = 30,
      alert_port_duplexstatus_change       = 31,
      alert_port_errors                    = 32,
      alert_port_load_threshold_exceeded   = 33,
      alert_port_mac_changed               = 34,
      alert_port_status_change             = 35,
      alert_potentially_dangerous_protocol = 36,
      alert_process_notification           = 37,
      alert_quota_exceeded                 = 38,
      alert_remote_to_remote               = 39,
      alert_request_reply_ratio            = 40,
      alert_slow_periodic_activity         = 41,
      alert_slow_purge                     = 42,
      alert_snmp_device_reset              = 43,
      alert_snmp_topology_changed          = 44,
      alert_suspicious_activity            = 45,
      alert_tcp_syn_flood                  = 46,
      alert_tcp_syn_scan                   = 47,
      alert_test_failed                    = 48,
      alert_threshold_cross                = 49,
      alert_too_many_drops                 = 50,
      alert_udp_unidirectional             = 51,
      alert_unresponsive_device            = 52,
      alert_user_activity                  = 53,
      alert_user_script_calls_drops        = 54,
      alert_web_mining                     = 55,
      alert_connection_issues              = 56,
      -- Add here additional keys for alerts generated by ntopng plugins.
      -- WARNING: make sure integers do NOT OVERLAP with user alerts
      -- (user ids start at 32768).
   },

   -- Alerts generated by user plugins; ids start at 0x8000 so that they can
   -- never collide with the ntopng ids above
   user = {
      alert_user_01 = 32768,
      alert_user_02 = 32769,
      alert_user_03 = 32770,
      alert_user_04 = 32771,
      alert_user_05 = 32772,
      -- Add here additional keys generated by user plugins
   },
}
-- ##############################################
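-- A table to keep the reverse mapping between integer alert keys and string alert keys.
-- Built once at module load from both id spaces of alert_keys.
local alert_id_to_alert_key = {}

for _, ntopng_user in ipairs({"ntopng", "user"}) do
   for cur_key, cur_id in pairs(alert_keys[ntopng_user]) do
      -- Two string keys sharing one integer id would make the alerts indistinguishable
      -- (the comment in alert_keys requires ids not to overlap). Fail loudly at module
      -- load instead of silently keeping whichever entry pairs() happened to visit last.
      local previous = alert_id_to_alert_key[cur_id]
      if previous ~= nil and previous ~= cur_key then
         error(string.format("Duplicate alert key id %s used by both '%s' and '%s'",
                             tostring(cur_id), previous, cur_key))
      end

      alert_id_to_alert_key[cur_id] = cur_key
   end
end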
-- ##############################################
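-- @brief Parse an alert key, check if it is compliant with the expected format, and returns the parsed key and a status message
--
-- Alert keys must have one of these two formats:
-- 1) Number: In this case the alert key is assumed to have no PEN and it is searched among the predefined alert keys
--    for ntopng and user. Failing to find the alert key among those keys causes the parse function to fail.
-- 2) Array: In this case the alert key must be specified as an array of two numbers as {<PEN>, <pen_key>}:
--    - <PEN> is an integer greater than zero and less than 65535 and can be used to uniquely identify an enterprise.
--    - <pen_key> is an integer greater than or equal to zero and less than 65535 which is combined with <PEN>
--      to uniquely identify an alert. The resulting alert key is a 32bit integer where the 16 most significant bits
--      reserved for the <PEN> and the 16 least significant bits reserved for the <pen_key>.
--    Both values must have an exact integer representation (e.g. 1.5 is rejected).
-- Any other format is discarded and the parse function fails.
--
-- This function never raises on malformed input: every failure is reported through the status message,
-- so callers can pass values coming from plugin configuration without wrapping the call in pcall.
--
-- @param key The alert key to be parsed.
-- Examples:
--   Number: `alert_keys.ntopng.alert_connection_issues`
--   Number: `alert_keys.user.alert_user_01`
--   Array:  `{312, 513}`.
--   Array:  `{0, alert_keys.user.alert_user_01}`. In this case where PEN equals zero only the <pen_key> is taken
--
-- @return An integer corresponding to the parsed alert key (nil on failure) and a status message which equals "OK"
--         when no error occurred during parsing.
--
function alert_keys.parse_alert_key(key)
   local parsed_alert_key
   local status = "OK"

   if type(key) == "number" then
      -- Plain number, let's make sure it is among the predefined keys
      if not alert_id_to_alert_key[key] then
         status = "Alert key specified is not among the available alert keys."
      else
         parsed_alert_key = key
      end
   elseif type(key) == "table" and #key == 2 then
      -- A table, let's parse it with PEN and key
      local pen, pen_key = key[1], key[2]

      -- The type checks must be written as `type(x) ~= "number"`: the former
      -- `not type(x) == "number"` parses as `(not type(x)) == "number"`, which is
      -- always false, so a non-numeric PEN reached the `<` comparison below and
      -- raised an error instead of returning a status.
      if type(pen) ~= "number" or pen < 0 or pen >= 0xFFFF then
         -- PEN is out of bounds or not a number
         status = "Invalid PEN specified. PEN must be between 0 and 65535."
      elseif type(pen_key) ~= "number" or pen_key < 0 or pen_key >= 0xFFFF then
         -- pen_key is out of bounds or not a number
         status = "Invalid alert key specified. Alert key must be between 0 and 65535."
      elseif pen == 0 then
         -- PEN is zero, let's treat pen_key as if it was just a number
         return alert_keys.parse_alert_key(pen_key)
      else
         -- `<<` requires operands with an exact integer representation; reject
         -- e.g. 1.5 here rather than letting the shift raise
         local pen_int, pen_key_int = math.tointeger(pen), math.tointeger(pen_key)

         if pen_int == nil or pen_key_int == nil then
            status = "Invalid alert key specified. PEN and alert key must be integers."
         else
            -- PEN in the 16 MSB and pen_key in the 16 LSB
            parsed_alert_key = (pen_int << 16) + pen_key_int
         end
      end
   else
      status = "Unexpected alert key type."
   end

   return parsed_alert_key, status
end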
-- ##############################################
-- Module table: the alert id constants (alert_keys.ntopng / alert_keys.user) plus alert_keys.parse_alert_key
return alert_keys
-- ##############################################