mirror of
https://github.com/ntop/ntopng.git
synced 2026-04-30 16:09:32 +00:00
108 lines
3.3 KiB
Lua
108 lines
3.3 KiB
Lua
--
|
|
-- (C) 2019-21 - ntop.org
|
|
--
|
|
|
|
local alert_consts = require "alert_consts"
|
|
local alerts_api = require "alerts_api"
|
|
local alert_utils = require "alert_utils"
|
|
local checks = require("checks")
|
|
local callback_utils = require "callback_utils"
|
|
|
|
-- #################################################################
|
|
|
|
local script
|
|
|
|
-- #################################################################
|
|
|
|
local function check_allowed_mac(params)
|
|
local seen_devices_hash = getFirstSeenDevicesHashKey(interface.getId())
|
|
-- Saving the mac address list into a local variable and swapping keys with value due to performance issues
|
|
local mac_list = {}
|
|
|
|
-- Retrieving the list of the addresses already seen
|
|
local seen_devices = ntop.getHashAllCache(seen_devices_hash) or {}
|
|
|
|
-- This is the whitelist, that is, MACs configured here won't trigger any alert
|
|
for key, mac in ipairs(params.check_config.items) do
|
|
mac_list[mac:upper()] = 1
|
|
end
|
|
|
|
local macs_stats = interface.getMacsInfo(nil --[[ sortColumn --]], nil --[[ perPage --]], nil --[[ to_skip --]],
|
|
nil --[[ sOrder --]], nil --[[ source_macs_only --]], nil --[[ manufacturer --]],
|
|
nil, nil --[[ device_type --]], "")
|
|
|
|
for _, mac in pairs(macs_stats["macs"] or {}) do
|
|
local addr = mac["mac"]:upper()
|
|
|
|
if mac_list[addr] then
|
|
-- MAC belongs to the whitelist, no alert
|
|
goto continue
|
|
end
|
|
|
|
if seen_devices[addr] then
|
|
-- MAC already seen, no alert
|
|
goto continue
|
|
end
|
|
|
|
if mac["location"] == "lan" and not mac["special_mac"] then
|
|
-- This is a LAN MAC address, let's trigger an alert
|
|
-- Add this mac to the already seen devices
|
|
ntop.setHashCache(seen_devices_hash, addr, 1)
|
|
|
|
local device = getDeviceName(addr)
|
|
|
|
-- Check if the new mac address is expected or not
|
|
local alert = alert_consts.alert_types.alert_unexpected_new_device.new(
|
|
device,
|
|
addr
|
|
)
|
|
|
|
alert:set_score_warning()
|
|
alert:set_subtype(device)
|
|
alert:set_device_type(mac["devtype"])
|
|
alert:set_device_name(device)
|
|
|
|
alert:store(alerts_api.macEntity(addr))
|
|
end
|
|
|
|
::continue::
|
|
end
|
|
end
|
|
|
|
-- #################################################################
|
|
|
|
script = {
|
|
-- Script category
|
|
category = checks.check_categories.network,
|
|
|
|
default_enabled = false,
|
|
|
|
|
|
-- Specify the default value whe clicking on the "Reset Default" button
|
|
default_value = {
|
|
items = {},
|
|
},
|
|
|
|
hooks = {
|
|
min = check_allowed_mac,
|
|
},
|
|
|
|
gui = {
|
|
i18n_title = "checks.unexpected_new_device_title",
|
|
i18n_description = "checks.unexpected_new_device_description",
|
|
|
|
input_builder = "items_list",
|
|
item_list_type = "mac_address",
|
|
input_title = i18n("checks.unexpected_new_device_exclusion_title"),
|
|
input_description = i18n("checks.unexpected_new_device_exclusion_description"),
|
|
|
|
input_action_i18n = "Reset Learned Devices",
|
|
input_action_url = "lua/rest/v2/delete/host/new_devices.lua",
|
|
input_action_confirm = true,
|
|
input_action_i18n_confirm = "Are you sure to reset the learned devices?",
|
|
},
|
|
}
|
|
|
|
-- #################################################################
|
|
|
|
return script
|