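-- -----------------------------------------------------
-- -----------------------------------------------------
-- Persistent DataBase
-- -----------------------------------------------------
-- -----------------------------------------------------
--
-- NOTE(review): statements are delimited by lines holding a single '@'.
-- The ALTER TABLE ... ADD statements below re-add columns that the
-- CREATE TABLE already declares, so each '@' chunk is presumably executed
-- on its own with a "duplicate column" failure ignored (this is how an
-- older database file gets upgraded) - confirm against the loader before
-- relying on it. Keep one migration statement per chunk for that reason,
-- and never write an '@' inside a comment.

-- -----------------------------------------------------
-- Table active_monitoring_alerts
-- -----------------------------------------------------
-- Alerts produced by active-monitoring measurements, stored on disk.
-- The CHECK constraints are the only validation done at this layer.
CREATE TABLE IF NOT EXISTS active_monitoring_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0), -- e.g., historical [0], acknowledged [1], engaged [2]
  resolved_ip       TEXT NULL,
  resolved_name     TEXT NULL,     -- free text (presumably from name resolution): escape when rendered
  interface_id      INTEGER NULL,
  measurement       TEXT NULL,
  measure_threshold INTEGER NULL DEFAULT 0,
  measure_value     REAL NULL DEFAULT 0,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,     -- opaque JSON payload, not validated by the database
  user_label        TEXT NULL,     -- A label that can be set by the user (untrusted input: escape on output)
  user_label_tstamp DATETIME NULL DEFAULT 0, -- Timestamp of the last user_label change
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);
@
-- Schema upgrades for databases created before these columns existed.
ALTER TABLE active_monitoring_alerts ADD alert_category INTEGER NULL;
@
-- DEFAULT 0 mirrors the CREATE TABLE definition, so an upgraded database
-- does not end up with NULL where a fresh one stores 0.
ALTER TABLE active_monitoring_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
CREATE INDEX IF NOT EXISTS am_alerts_i_id ON active_monitoring_alerts(alert_id);
CREATE INDEX IF NOT EXISTS am_alerts_i_alert_status ON active_monitoring_alerts(alert_status);
CREATE INDEX IF NOT EXISTS am_alerts_i_severity ON active_monitoring_alerts(severity);
CREATE INDEX IF NOT EXISTS am_alerts_i_tstamp ON active_monitoring_alerts(tstamp);

@
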
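-- -----------------------------------------------------
-- Table flow_alerts
-- -----------------------------------------------------
-- Per-flow alerts stored on disk. Host names, country codes and the
-- "info" field are free text (presumably extracted from observed
-- traffic, e.g. DNS/TLS/HTTP): treat them as untrusted when rendering
-- and always write them through bound parameters.
CREATE TABLE IF NOT EXISTS flow_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  json              TEXT NULL,
  -- NOTE(review): DEFAULT 0 cannot satisfy the CHECK, so an INSERT that
  -- omits ip_version fails; writers must always supply 4 or 6. The
  -- default is left as-is rather than silently assuming IPv4.
  ip_version        INTEGER NOT NULL DEFAULT 0 CHECK(ip_version = 4 OR ip_version = 6),
  cli_ip            TEXT NOT NULL,
  srv_ip            TEXT NOT NULL,
  cli_port          INTEGER NOT NULL DEFAULT 0 CHECK(cli_port BETWEEN 0 AND 65535),
  srv_port          INTEGER NOT NULL DEFAULT 0 CHECK(srv_port BETWEEN 0 AND 65535),
  vlan_id           INTEGER NOT NULL DEFAULT 0 CHECK(vlan_id >= 0),
  is_cli_attacker   INTEGER NOT NULL DEFAULT 0 CHECK(is_cli_attacker IN (0,1)),
  is_cli_victim     INTEGER NOT NULL DEFAULT 0 CHECK(is_cli_victim IN (0,1)),
  is_srv_attacker   INTEGER NOT NULL DEFAULT 0 CHECK(is_srv_attacker IN (0,1)),
  is_srv_victim     INTEGER NOT NULL DEFAULT 0 CHECK(is_srv_victim IN (0,1)),
  proto             INTEGER NOT NULL DEFAULT 0 CHECK(proto >= 0),
  l7_proto          INTEGER NOT NULL DEFAULT 0 CHECK(l7_proto >= 0),
  l7_master_proto   INTEGER NOT NULL DEFAULT 0 CHECK(l7_master_proto >= 0),
  l7_cat            INTEGER NOT NULL DEFAULT 0 CHECK(l7_cat >= 0),
  cli_name          TEXT NULL,
  srv_name          TEXT NULL,
  cli_country       TEXT NULL,
  srv_country       TEXT NULL,
  cli_blacklisted   INTEGER NOT NULL DEFAULT 0 CHECK(cli_blacklisted IN (0,1)),
  srv_blacklisted   INTEGER NOT NULL DEFAULT 0 CHECK(srv_blacklisted IN (0,1)),
  cli2srv_bytes     INTEGER NOT NULL DEFAULT 0 CHECK(cli2srv_bytes >= 0),
  srv2cli_bytes     INTEGER NOT NULL DEFAULT 0 CHECK(srv2cli_bytes >= 0),
  cli2srv_pkts      INTEGER NOT NULL DEFAULT 0 CHECK(cli2srv_pkts >= 0),
  srv2cli_pkts      INTEGER NOT NULL DEFAULT 0 CHECK(srv2cli_pkts >= 0),
  first_seen        DATETIME NOT NULL DEFAULT 0,
  community_id      TEXT NULL,
  alerts_map        BLOB DEFAULT 0,    -- An HEX bitmap of all flow statuses
  alerts_map_h      INTEGER NULL DEFAULT 0,
  alerts_map_l      INTEGER NULL DEFAULT 0,
  flow_risk_bitmap  INTEGER NOT NULL DEFAULT 0,
  user_label        TEXT NULL,         -- set by the user: escape on output
  user_label_tstamp DATETIME NULL DEFAULT 0,
  cli_network       INTEGER NULL,
  srv_network       INTEGER NULL,
  cli_host_pool_id  INTEGER NULL,
  srv_host_pool_id  INTEGER NULL,
  info              TEXT NULL,
  cli_location      INTEGER NULL,
  srv_location      INTEGER NULL,
  probe_ip          TEXT NULL,
  input_snmp        INTEGER NULL,
  output_snmp       INTEGER NULL,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);
@
-- Schema upgrades for databases created before these columns existed.
-- Where the CREATE TABLE declares a DEFAULT, the ALTER repeats it so an
-- upgraded database stores the same value as a fresh one.
ALTER TABLE flow_alerts ADD alerts_map_h INTEGER NULL DEFAULT 0;
@
ALTER TABLE flow_alerts ADD alerts_map_l INTEGER NULL DEFAULT 0;
@
ALTER TABLE flow_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
ALTER TABLE flow_alerts ADD alert_category INTEGER NULL;
@
ALTER TABLE flow_alerts ADD output_snmp INTEGER NULL;
@
ALTER TABLE flow_alerts ADD input_snmp INTEGER NULL;
@
ALTER TABLE flow_alerts ADD probe_ip TEXT NULL;
@
ALTER TABLE flow_alerts ADD cli_location INTEGER NULL;
@
ALTER TABLE flow_alerts ADD srv_location INTEGER NULL;
@
ALTER TABLE flow_alerts ADD info TEXT NULL;
@
ALTER TABLE flow_alerts ADD cli_host_pool_id INTEGER NULL;
@
ALTER TABLE flow_alerts ADD srv_host_pool_id INTEGER NULL;
@
ALTER TABLE flow_alerts ADD cli_network INTEGER NULL;
@
ALTER TABLE flow_alerts ADD srv_network INTEGER NULL;
@
-- Added for compatibility reasons but not used by SQLite
ALTER TABLE flow_alerts ADD interface_id INTEGER NULL;
@
CREATE INDEX IF NOT EXISTS flow_alerts_i_id ON flow_alerts(alert_id);
CREATE INDEX IF NOT EXISTS flow_alerts_i_alert_status ON flow_alerts(alert_status);
CREATE INDEX IF NOT EXISTS flow_alerts_i_severity ON flow_alerts(severity);
CREATE INDEX IF NOT EXISTS flow_alerts_i_tstamp ON flow_alerts(tstamp);
CREATE INDEX IF NOT EXISTS flow_alerts_i_cli_ip ON flow_alerts(vlan_id,cli_ip);
CREATE INDEX IF NOT EXISTS flow_alerts_i_srv_ip ON flow_alerts(vlan_id,srv_ip);
CREATE INDEX IF NOT EXISTS flow_alerts_i_cli_port ON flow_alerts(cli_port);
CREATE INDEX IF NOT EXISTS flow_alerts_i_srv_port ON flow_alerts(srv_port);
CREATE INDEX IF NOT EXISTS flow_alerts_i_l7_proto ON flow_alerts(l7_proto);
CREATE INDEX IF NOT EXISTS flow_alerts_i_l7_master_proto ON flow_alerts(l7_master_proto);
CREATE INDEX IF NOT EXISTS flow_alerts_i_l7_cat ON flow_alerts(l7_cat);
CREATE INDEX IF NOT EXISTS flow_alerts_i_flow_risk_bitmap ON flow_alerts(flow_risk_bitmap);

@
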
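-- -----------------------------------------------------
-- Table host_alerts
-- -----------------------------------------------------
-- Per-host alerts stored on disk. host_pool_id, network and country are
-- declared here (after require_attention) in the same order the ALTER
-- statements below append them, so a fresh and an upgraded database have
-- the same column order; the in-memory engaged_host_alerts table orders
-- them differently, which is why host_alerts_view lists its columns by
-- name.
CREATE TABLE IF NOT EXISTS host_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  -- NOTE(review): DEFAULT 0 cannot satisfy the CHECK; writers must always
  -- supply 4 or 6 (kept as-is rather than silently assuming IPv4).
  ip_version        INTEGER NOT NULL DEFAULT 0 CHECK(ip_version = 4 OR ip_version = 6),
  ip                TEXT NOT NULL,
  vlan_id           INTEGER NULL DEFAULT 0 CHECK(vlan_id >= 0),
  name              TEXT NULL,      -- free text (presumably a resolved name): escape when rendered
  is_attacker       INTEGER NULL CHECK(is_attacker IN (0,1)),
  is_victim         INTEGER NULL CHECK(is_victim IN (0,1)),
  is_client         INTEGER NULL CHECK(is_client IN (0,1)),
  is_server         INTEGER NULL CHECK(is_server IN (0,1)),
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,      -- set by the user: escape on output
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0,
  host_pool_id      INTEGER NULL,
  network           INTEGER NULL,
  country           TEXT NULL
);
@
-- Schema upgrades for databases created before these columns existed.
-- DEFAULT 0 mirrors the CREATE TABLE definition.
ALTER TABLE host_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
ALTER TABLE host_alerts ADD alert_category INTEGER NULL;
@
ALTER TABLE host_alerts ADD host_pool_id INTEGER NULL;
@
ALTER TABLE host_alerts ADD network INTEGER NULL;
@
ALTER TABLE host_alerts ADD country TEXT NULL;
@
-- Added for compatibility reasons but not used by SQLite
ALTER TABLE host_alerts ADD interface_id INTEGER NULL;
@
-- (the duplicate CREATE INDEX for host_alerts_i_is_victim was dropped;
-- IF NOT EXISTS made it a no-op anyway)
CREATE INDEX IF NOT EXISTS host_alerts_i_id ON host_alerts(alert_id);
CREATE INDEX IF NOT EXISTS host_alerts_i_alert_status ON host_alerts(alert_status);
CREATE INDEX IF NOT EXISTS host_alerts_i_severity ON host_alerts(severity);
CREATE INDEX IF NOT EXISTS host_alerts_i_tstamp ON host_alerts(tstamp);
CREATE INDEX IF NOT EXISTS host_alerts_i_ip ON host_alerts(vlan_id,ip);
CREATE INDEX IF NOT EXISTS host_alerts_i_is_attacker ON host_alerts(is_attacker);
CREATE INDEX IF NOT EXISTS host_alerts_i_is_victim ON host_alerts(is_victim);
CREATE INDEX IF NOT EXISTS host_alerts_i_is_client ON host_alerts(is_client);
CREATE INDEX IF NOT EXISTS host_alerts_i_is_server ON host_alerts(is_server);

@
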
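-- -----------------------------------------------------
-- Table mac_alerts
-- -----------------------------------------------------
-- Per-MAC-address alerts stored on disk.
CREATE TABLE IF NOT EXISTS mac_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  -- NOTE(review): with TEXT affinity the literal DEFAULT 0 is stored as
  -- the string '0', not a MAC; kept for compatibility, writers should
  -- always supply the address.
  address           TEXT NULL DEFAULT 0,
  device_type       INTEGER NULL CHECK(device_type >= 0),
  name              TEXT NULL,      -- free text: escape when rendered
  is_attacker       INTEGER NULL CHECK(is_attacker IN (0,1)),
  is_victim         INTEGER NULL CHECK(is_victim IN (0,1)),
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,      -- set by the user: escape on output
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);
@
-- Schema upgrades. Note these append require_attention BEFORE
-- alert_category, the reverse of the CREATE TABLE order, so an upgraded
-- database must never be read positionally against engaged_mac_alerts.
-- DEFAULT 0 mirrors the CREATE TABLE definition.
ALTER TABLE mac_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
ALTER TABLE mac_alerts ADD alert_category INTEGER NULL;
@
-- Added for compatibility reasons but not used by SQLite
ALTER TABLE mac_alerts ADD interface_id INTEGER NULL;
@
CREATE INDEX IF NOT EXISTS mac_alerts_i_id ON mac_alerts(alert_id);
CREATE INDEX IF NOT EXISTS mac_alerts_i_alert_status ON mac_alerts(alert_status);
CREATE INDEX IF NOT EXISTS mac_alerts_i_severity ON mac_alerts(severity);
CREATE INDEX IF NOT EXISTS mac_alerts_i_tstamp ON mac_alerts(tstamp);
CREATE INDEX IF NOT EXISTS mac_alerts_i_address ON mac_alerts(address);
CREATE INDEX IF NOT EXISTS mac_alerts_i_is_attacker ON mac_alerts(is_attacker);
CREATE INDEX IF NOT EXISTS mac_alerts_i_is_victim ON mac_alerts(is_victim);

@
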
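-- -----------------------------------------------------
-- Table snmp_alerts
-- -----------------------------------------------------
-- Alerts about SNMP devices / device ports, stored on disk.
CREATE TABLE IF NOT EXISTS snmp_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  ip                TEXT NOT NULL,
  port              INTEGER NULL,
  name              TEXT NULL,      -- free text (presumably device-reported): escape when rendered
  port_name         TEXT NULL,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,      -- set by the user: escape on output
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);
@
-- Schema upgrades (appended in this order on an old database; the
-- CREATE TABLE declares alert_category first). DEFAULT 0 mirrors the
-- CREATE TABLE definition.
ALTER TABLE snmp_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
ALTER TABLE snmp_alerts ADD alert_category INTEGER NULL;
@
-- Added for compatibility reasons but not used by SQLite
ALTER TABLE snmp_alerts ADD interface_id INTEGER NULL;
@
CREATE INDEX IF NOT EXISTS snmp_alerts_i_id ON snmp_alerts(alert_id);
CREATE INDEX IF NOT EXISTS snmp_alerts_i_alert_status ON snmp_alerts(alert_status);
CREATE INDEX IF NOT EXISTS snmp_alerts_i_severity ON snmp_alerts(severity);
CREATE INDEX IF NOT EXISTS snmp_alerts_i_tstamp ON snmp_alerts(tstamp);
CREATE INDEX IF NOT EXISTS snmp_alerts_i_ip ON snmp_alerts(ip);

@
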
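-- -----------------------------------------------------
-- Table network_alerts
-- -----------------------------------------------------
-- Alerts about a configured local network, stored on disk.
CREATE TABLE IF NOT EXISTS network_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  local_network_id  INTEGER NOT NULL CHECK(local_network_id >= 0),
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  name              TEXT NULL,
  alias             TEXT NULL,      -- free text: escape when rendered
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,      -- set by the user: escape on output
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);
@
-- Schema upgrades. DEFAULT 0 mirrors the CREATE TABLE definition.
ALTER TABLE network_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
ALTER TABLE network_alerts ADD alert_category INTEGER NULL;
@
-- Added for compatibility reasons but not used by SQLite
ALTER TABLE network_alerts ADD interface_id INTEGER NULL;
@
CREATE INDEX IF NOT EXISTS network_alerts_i_id ON network_alerts(alert_id);
CREATE INDEX IF NOT EXISTS network_alerts_i_severity ON network_alerts(severity);
CREATE INDEX IF NOT EXISTS network_alerts_i_tstamp ON network_alerts(tstamp);
CREATE INDEX IF NOT EXISTS network_alerts_i_alert_status ON network_alerts(alert_status);

@
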
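-- -----------------------------------------------------
-- Table interface_alerts
-- -----------------------------------------------------
-- Alerts about a monitored interface, stored on disk.
-- ifid allows -1 (the CHECK is ">= -1"), presumably a "no interface"
-- sentinel - confirm against the writer.
CREATE TABLE IF NOT EXISTS interface_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  ifid              INTEGER NOT NULL CHECK(ifid >= -1),
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  subtype           TEXT NULL,
  name              TEXT NULL,
  alias             TEXT NULL,      -- free text: escape when rendered
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,      -- set by the user: escape on output
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);
@
-- Schema upgrades. DEFAULT 0 mirrors the CREATE TABLE definition.
ALTER TABLE interface_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
ALTER TABLE interface_alerts ADD alert_category INTEGER NULL;
@
-- Added for compatibility reasons but not used by SQLite
ALTER TABLE interface_alerts ADD interface_id INTEGER NULL;
@
CREATE INDEX IF NOT EXISTS interface_alerts_i_id ON interface_alerts(alert_id);
CREATE INDEX IF NOT EXISTS interface_alerts_i_severity ON interface_alerts(severity);
CREATE INDEX IF NOT EXISTS interface_alerts_i_tstamp ON interface_alerts(tstamp);
CREATE INDEX IF NOT EXISTS interface_alerts_i_alert_status ON interface_alerts(alert_status);

@
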
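-- -----------------------------------------------------
-- Table user_alerts
-- -----------------------------------------------------
-- Alerts tied to a user account, stored on disk.
-- "user" is a reserved word in several SQL dialects; it is accepted by
-- SQLite but quote it if this schema is ever ported.
CREATE TABLE IF NOT EXISTS user_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  user              TEXT NULL,      -- free text: escape when rendered
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,      -- set by the user: escape on output
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);
@
-- Schema upgrades. DEFAULT 0 mirrors the CREATE TABLE definition.
ALTER TABLE user_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
ALTER TABLE user_alerts ADD alert_category INTEGER NULL;
@
-- Added for compatibility reasons but not used by SQLite
ALTER TABLE user_alerts ADD interface_id INTEGER NULL;
@
CREATE INDEX IF NOT EXISTS user_alerts_i_id ON user_alerts(alert_id);
CREATE INDEX IF NOT EXISTS user_alerts_i_severity ON user_alerts(severity);
CREATE INDEX IF NOT EXISTS user_alerts_i_tstamp ON user_alerts(tstamp);
CREATE INDEX IF NOT EXISTS user_alerts_i_alert_status ON user_alerts(alert_status);

@
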
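-- -----------------------------------------------------
-- Table system_alerts
-- -----------------------------------------------------
-- System-level alerts, stored on disk.
CREATE TABLE IF NOT EXISTS system_alerts (
  rowid             INTEGER PRIMARY KEY AUTOINCREMENT,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  name              TEXT NULL,      -- free text: escape when rendered
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,      -- set by the user: escape on output
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);
@
-- Schema upgrades. DEFAULT 0 mirrors the CREATE TABLE definition.
ALTER TABLE system_alerts ADD require_attention INTEGER NULL DEFAULT 0;
@
ALTER TABLE system_alerts ADD alert_category INTEGER NULL;
@
-- Added for compatibility reasons but not used by SQLite
ALTER TABLE system_alerts ADD interface_id INTEGER NULL;
@
CREATE INDEX IF NOT EXISTS system_alerts_i_id ON system_alerts(alert_id);
CREATE INDEX IF NOT EXISTS system_alerts_i_severity ON system_alerts(severity);
CREATE INDEX IF NOT EXISTS system_alerts_i_tstamp ON system_alerts(tstamp);
CREATE INDEX IF NOT EXISTS system_alerts_i_alert_status ON system_alerts(alert_status);

@
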
-- -----------------------------------------------------
-- Table assets (asset management)
-- -----------------------------------------------------
-- Inventory of discovered devices. "key" is the unique asset identifier.
-- SQLite has no unsigned integer type: "UNSIGNED INT" only yields INTEGER
-- affinity and, unlike the alert tables, nothing here rejects negative
-- vlan / network / device_type values. Free-text columns (name,
-- manufacturer, os_type, model, json_info) should be treated as
-- untrusted when rendered.
CREATE TABLE IF NOT EXISTS assets (
  rowid        INTEGER PRIMARY KEY AUTOINCREMENT,
  type         TEXT NOT NULL,
  key          TEXT NOT NULL UNIQUE,
  ifid         INT NOT NULL,
  ip           TEXT NULL,
  mac          TEXT NOT NULL,
  vlan         UNSIGNED INT NULL DEFAULT 0,
  network      UNSIGNED INT NULL,
  name         TEXT NULL,
  device_type  UNSIGNED INT NULL,
  manufacturer TEXT NULL,
  first_seen   DATETIME NOT NULL DEFAULT 0,
  last_seen    DATETIME NOT NULL DEFAULT 0,
  gateway_mac  TEXT NULL,
  json_info    TEXT NULL,  -- A json containing all other info
  os_type      TEXT NULL,
  model        TEXT NULL
);
@
-- Schema upgrades for databases created before these columns existed.
ALTER TABLE assets ADD os_type TEXT NULL;
@
ALTER TABLE assets ADD model TEXT NULL;
@

-- -----------------------------------------------------
-- -----------------------------------------------------
-- In-Memory DataBase
-- -----------------------------------------------------
-- -----------------------------------------------------
--
-- The engaged_* tables below live in a ':memory:' database attached to
-- the same connection, so their contents exist only for the lifetime of
-- that connection and are not persisted to disk.

ATTACH ':memory:' AS mem_db;

@

-- -----------------------------------------------------
-- Table engaged_active_monitoring_alerts
-- -----------------------------------------------------
-- In-memory copy of active_monitoring_alerts for currently engaged
-- alerts. Column order must stay aligned with the persistent table.
CREATE TABLE IF NOT EXISTS mem_db.engaged_active_monitoring_alerts (
  rowid             INTEGER PRIMARY KEY,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0), -- e.g., historical [0], acknowledged [1], engaged [2]
  resolved_ip       TEXT NULL,
  resolved_name     TEXT NULL,
  interface_id      INTEGER NULL,
  measurement       TEXT NULL,
  measure_threshold INTEGER NULL DEFAULT 0,
  measure_value     REAL NULL DEFAULT 0,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,      -- A label that can be set by the user
  user_label_tstamp DATETIME NULL DEFAULT 0, -- Timestamp of the last user_label change
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);

@

-- -----------------------------------------------------
-- Table engaged_mac_alerts
-- -----------------------------------------------------
-- In-memory copy of mac_alerts for currently engaged alerts.
CREATE TABLE IF NOT EXISTS mem_db.engaged_mac_alerts (
  rowid             INTEGER PRIMARY KEY,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  address           TEXT NULL DEFAULT 0,
  device_type       INTEGER NULL CHECK(device_type >= 0),
  name              TEXT NULL,
  is_attacker       INTEGER NULL CHECK(is_attacker IN (0,1)),
  is_victim         INTEGER NULL CHECK(is_victim IN (0,1)),
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);

@

-- -----------------------------------------------------
-- Table engaged_snmp_alerts
-- -----------------------------------------------------
-- In-memory copy of snmp_alerts for currently engaged alerts.
CREATE TABLE IF NOT EXISTS mem_db.engaged_snmp_alerts (
  rowid             INTEGER PRIMARY KEY,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  ip                TEXT NOT NULL,
  port              INTEGER NULL,
  name              TEXT NULL,
  port_name         TEXT NULL,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);

@

-- -----------------------------------------------------
-- Table engaged_network_alerts
-- -----------------------------------------------------
-- In-memory copy of network_alerts for currently engaged alerts.
CREATE TABLE IF NOT EXISTS mem_db.engaged_network_alerts (
  rowid             INTEGER PRIMARY KEY,
  local_network_id  INTEGER NOT NULL CHECK(local_network_id >= 0),
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  name              TEXT NULL,
  alias             TEXT NULL,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);

@

-- -----------------------------------------------------
-- Table engaged_interface_alerts
-- -----------------------------------------------------
-- In-memory copy of interface_alerts for currently engaged alerts.
CREATE TABLE IF NOT EXISTS mem_db.engaged_interface_alerts (
  rowid             INTEGER PRIMARY KEY,
  ifid              INTEGER NOT NULL CHECK(ifid >= -1),
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  subtype           TEXT NULL,
  name              TEXT NULL,
  alias             TEXT NULL,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);

@

-- -----------------------------------------------------
-- Table engaged_user_alerts
-- -----------------------------------------------------
-- In-memory copy of user_alerts for currently engaged alerts.
CREATE TABLE IF NOT EXISTS mem_db.engaged_user_alerts (
  rowid             INTEGER PRIMARY KEY,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  user              TEXT NULL,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);

@

-- -----------------------------------------------------
-- Table engaged_system_alerts
-- -----------------------------------------------------
-- In-memory copy of system_alerts for currently engaged alerts.
CREATE TABLE IF NOT EXISTS mem_db.engaged_system_alerts (
  rowid             INTEGER PRIMARY KEY,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  name              TEXT NULL,
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,
  user_label_tstamp DATETIME NULL DEFAULT 0,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);

@

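-- -----------------------------------------------------
-- Table engaged_host_alerts
-- -----------------------------------------------------
-- In-memory copy of host_alerts for currently engaged alerts.
-- IF NOT EXISTS added for consistency with every other table in this
-- file, so re-running the script on a connection that already attached
-- mem_db does not fail here.
-- Note that country / network / host_pool_id precede alert_category here
-- while the persistent host_alerts appends them after require_attention;
-- host_alerts_view therefore lists columns by name, never positionally.
CREATE TABLE IF NOT EXISTS mem_db.engaged_host_alerts (
  rowid             INTEGER PRIMARY KEY,
  alert_id          INTEGER NOT NULL CHECK(alert_id >= 0),
  alert_status      INTEGER NOT NULL DEFAULT 0 CHECK(alert_status >= 0),
  interface_id      INTEGER NULL,
  ip_version        INTEGER NOT NULL DEFAULT 0 CHECK(ip_version = 4 OR ip_version = 6), -- DEFAULT 0 fails the CHECK: always supply 4 or 6
  ip                TEXT NOT NULL,
  vlan_id           INTEGER NULL DEFAULT 0 CHECK(vlan_id >= 0),
  name              TEXT NULL,
  is_attacker       INTEGER NULL CHECK(is_attacker IN (0,1)),
  is_victim         INTEGER NULL CHECK(is_victim IN (0,1)),
  is_client         INTEGER NULL CHECK(is_client IN (0,1)),
  is_server         INTEGER NULL CHECK(is_server IN (0,1)),
  tstamp            DATETIME NOT NULL,
  tstamp_end        DATETIME NULL DEFAULT 0,
  severity          INTEGER NOT NULL CHECK(severity >= 0),
  score             INTEGER NOT NULL DEFAULT 0 CHECK(score >= 0),
  granularity       INTEGER NOT NULL DEFAULT 0 CHECK(granularity >= 0),
  counter           INTEGER NOT NULL DEFAULT 0 CHECK(counter >= 0),
  description       TEXT NULL,
  json              TEXT NULL,
  user_label        TEXT NULL,
  user_label_tstamp DATETIME NULL DEFAULT 0,
  country           TEXT NULL,
  network           INTEGER NULL,
  host_pool_id      INTEGER NULL,
  alert_category    INTEGER NULL,
  require_attention INTEGER NULL DEFAULT 0
);

@
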
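-- -----------------------------------------------------
-- -----------------------------------------------------
-- Views
-- -----------------------------------------------------
-- -----------------------------------------------------
--
-- Each view unions the persistent table with its in-memory engaged
-- counterpart. Columns are listed by name on both sides: ALTER TABLE
-- appends columns at the end, so on an upgraded database the persistent
-- table's column order can differ from the in-memory table's, and a
-- positional "SELECT * ... UNION ALL SELECT *" would silently pair
-- mismatched columns (e.g. require_attention with alert_category).
-- NOTE(review): unlike host_alerts_view, no rowid offset is applied in
-- these views, so a persistent row and an engaged row may share a rowid.

@

-- Persistent + engaged active monitoring alerts as one relation.
CREATE TEMP VIEW active_monitoring_alerts_view AS
SELECT
  rowid,
  alert_id,
  alert_status,
  resolved_ip,
  resolved_name,
  interface_id,
  measurement,
  measure_threshold,
  measure_value,
  tstamp,
  tstamp_end,
  severity,
  score,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM active_monitoring_alerts
UNION ALL
SELECT
  rowid,
  alert_id,
  alert_status,
  resolved_ip,
  resolved_name,
  interface_id,
  measurement,
  measure_threshold,
  measure_value,
  tstamp,
  tstamp_end,
  severity,
  score,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM mem_db.engaged_active_monitoring_alerts;

@
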
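-- Persistent + engaged MAC alerts as one relation.
-- Columns are named explicitly: the mac_alerts upgrade path appends
-- require_attention before alert_category (the reverse of the CREATE
-- TABLE and of engaged_mac_alerts), so SELECT * would pair those two
-- columns the wrong way round on an upgraded database.
CREATE TEMP VIEW mac_alerts_view AS
SELECT
  rowid,
  alert_id,
  alert_status,
  interface_id,
  address,
  device_type,
  name,
  is_attacker,
  is_victim,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM mac_alerts
UNION ALL
SELECT
  rowid,
  alert_id,
  alert_status,
  interface_id,
  address,
  device_type,
  name,
  is_attacker,
  is_victim,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM mem_db.engaged_mac_alerts;

@
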
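-- Persistent + engaged SNMP alerts as one relation.
-- Columns are named explicitly because the snmp_alerts upgrade path
-- appends require_attention before alert_category, unlike the CREATE
-- TABLE and engaged_snmp_alerts; SELECT * would misalign them.
CREATE TEMP VIEW snmp_alerts_view AS
SELECT
  rowid,
  alert_id,
  alert_status,
  interface_id,
  ip,
  port,
  name,
  port_name,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM snmp_alerts
UNION ALL
SELECT
  rowid,
  alert_id,
  alert_status,
  interface_id,
  ip,
  port,
  name,
  port_name,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM mem_db.engaged_snmp_alerts;

@
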
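-- Persistent + engaged local-network alerts as one relation.
-- Columns are named explicitly because the network_alerts upgrade path
-- appends require_attention before alert_category, unlike the CREATE
-- TABLE and engaged_network_alerts; SELECT * would misalign them.
CREATE TEMP VIEW network_alerts_view AS
SELECT
  rowid,
  local_network_id,
  alert_id,
  alert_status,
  interface_id,
  name,
  alias,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM network_alerts
UNION ALL
SELECT
  rowid,
  local_network_id,
  alert_id,
  alert_status,
  interface_id,
  name,
  alias,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM mem_db.engaged_network_alerts;

@
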
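-- Persistent + engaged interface alerts as one relation.
-- Columns are named explicitly because the interface_alerts upgrade path
-- appends require_attention before alert_category, unlike the CREATE
-- TABLE and engaged_interface_alerts; SELECT * would misalign them.
CREATE TEMP VIEW interface_alerts_view AS
SELECT
  rowid,
  ifid,
  alert_id,
  alert_status,
  interface_id,
  subtype,
  name,
  alias,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM interface_alerts
UNION ALL
SELECT
  rowid,
  ifid,
  alert_id,
  alert_status,
  interface_id,
  subtype,
  name,
  alias,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM mem_db.engaged_interface_alerts;

@
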
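-- Persistent + engaged user alerts as one relation.
-- Columns are named explicitly because the user_alerts upgrade path
-- appends require_attention before alert_category, unlike the CREATE
-- TABLE and engaged_user_alerts; SELECT * would misalign them.
CREATE TEMP VIEW user_alerts_view AS
SELECT
  rowid,
  alert_id,
  alert_status,
  interface_id,
  user,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM user_alerts
UNION ALL
SELECT
  rowid,
  alert_id,
  alert_status,
  interface_id,
  user,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM mem_db.engaged_user_alerts;

@
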
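-- Persistent + engaged system alerts as one relation.
-- Columns are named explicitly because the system_alerts upgrade path
-- appends require_attention before alert_category, unlike the CREATE
-- TABLE and engaged_system_alerts; SELECT * would misalign them.
CREATE TEMP VIEW system_alerts_view AS
SELECT
  rowid,
  alert_id,
  alert_status,
  interface_id,
  name,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM system_alerts
UNION ALL
SELECT
  rowid,
  alert_id,
  alert_status,
  interface_id,
  name,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  alert_category,
  require_attention
FROM mem_db.engaged_system_alerts;

@
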
-- Persistent + engaged host alerts as one relation.
-- Note: columns are listed manually as order may change due to alter table
-- (country, network and host_pool_id reach host_alerts only through ALTER
-- TABLE, so they sit after require_attention there but before
-- alert_category in engaged_host_alerts).
-- Engaged rows have a large constant added to rowid so they cannot
-- collide with persistent rowids inside the view; consumers that map a
-- view rowid back to the in-memory table must undo that offset.
CREATE TEMP VIEW host_alerts_view AS
SELECT
  rowid AS rowid,
  alert_id,
  alert_status,
  interface_id,
  ip_version,
  ip,
  vlan_id,
  name,
  is_attacker,
  is_victim,
  is_client,
  is_server,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  country,
  network,
  host_pool_id,
  alert_category,
  require_attention
FROM host_alerts
UNION ALL
SELECT
  (rowid + 1000000000) AS rowid, -- Avoid conflicts with persistent rowids
  alert_id,
  alert_status,
  interface_id,
  ip_version,
  ip,
  vlan_id,
  name,
  is_attacker,
  is_victim,
  is_client,
  is_server,
  tstamp,
  tstamp_end,
  severity,
  score,
  granularity,
  counter,
  description,
  json,
  user_label,
  user_label_tstamp,
  country,
  network,
  host_pool_id,
  alert_category,
  require_attention
FROM mem_db.engaged_host_alerts;