Added stub for RareDestination check/alert implementation #6416 and #…

…6417
ntop · Mar 22, 2023 · 96e10b1 · 96e10b1
1 parent 0a86bd4
commit 96e10b1
Show file tree

Hide file tree

Showing 13 changed files with 267 additions and 2 deletions.
diff --git a/include/flow_alerts/RareDestinationAlert.h b/include/flow_alerts/RareDestinationAlert.h
@@ -0,0 +1,41 @@
+/*
+ *
+ * (C) 2013-23 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#ifndef _RARE_DESTINATION_FLOW_ALERT_H_
+#define _RARE_DESTINATION_FLOW_ALERT_H_
+
+#include "ntop_includes.h"
+
+class RareDestinationAlert : public FlowAlert {
+ private:
+  ndpi_serializer *getAlertJSON(ndpi_serializer* serializer);
+
+ public:
+  static FlowAlertType getClassType()    { return { flow_alert_rare_destination, alert_category_network }; }
+  static u_int8_t      getDefaultScore() { return SCORE_LEVEL_NOTICE; };
+
+ RareDestinationAlert(FlowCheck *c, Flow *f) : FlowAlert(c, f) {};
+  ~RareDestinationAlert() {};
+
+  FlowAlertType getAlertType() const { return getClassType(); }
+};
+
+#endif /* _RARE_DESTINATION_FLOW_ALERT_H_ */
diff --git a/include/flow_alerts_includes.h b/include/flow_alerts_includes.h
@@ -31,6 +31,7 @@
 #include "flow_alerts/ExternalAlertCheckAlert.h"
 #include "flow_alerts/LowGoodputFlowAlert.h"
 #include "flow_alerts/NotPurgedAlert.h"
+#include "flow_alerts/RareDestinationAlert.h"
 #include "flow_alerts/RemoteAccessAlert.h"
 #include "flow_alerts/RemoteToLocalInsecureProtoAlert.h"
 #include "flow_alerts/RemoteToRemoteAlert.h"

diff --git a/include/flow_checks/RareDestination.h b/include/flow_checks/RareDestination.h
@@ -0,0 +1,41 @@
+/*
+ *
+ * (C) 2013-23 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#ifndef _RARE_DESTINATION_H_
+#define _RARE_DESTINATION_H_
+
+#include "ntop_includes.h"
+
+
+class RareDestination : public FlowCheck {
+ public:
+  RareDestination() : FlowCheck(ntopng_edition_community,
+				true /* Packet Interfaces only */, true /* Exclude for nEdge */, false /* Only for nEdge */,
+				true /* has_protocol_detected */, false /* has_periodic_update */, false /* has_flow_end */) {};
+  virtual ~RareDestination() {};
+
+  void protocolDetected(Flow *f);
+  FlowAlert *buildAlert(Flow *f);
+
+  std::string getName()        const { return(std::string("rare_destination")); }
+};
+
+#endif /* _RARE_DESTINATION_H_ */
diff --git a/include/flow_checks_includes.h b/include/flow_checks_includes.h
@@ -69,6 +69,7 @@
 #include "flow_checks/IECInvalidCommandTransition.h"
 #include "flow_checks/LowGoodputFlow.h"
 #include "flow_checks/NotPurged.h"
+#include "flow_checks/RareDestination.h"
 #include "flow_checks/RemoteAccess.h"
 #include "flow_checks/RemoteToLocalInsecureProto.h"
 #include "flow_checks/RemoteToRemote.h"

diff --git a/include/ntop_typedefs.h b/include/ntop_typedefs.h
@@ -510,6 +510,7 @@ typedef enum {
   flow_alert_ndpi_minor_issues                    = 89,
   flow_alert_ndpi_tcp_issues                      = 90,
   flow_alert_vlan_bidirectional_traffic           = 91,
+  flow_alert_rare_destination                     = 92,
 
   MAX_DEFINED_FLOW_ALERT_TYPE, /* Leave it as last member */
 

diff --git a/scripts/locales/en.lua b/scripts/locales/en.lua
@@ -1119,6 +1119,8 @@ local lang = {
     ["potentially_dangerous_protocol"] = "Potentially Dangerous Protocol",
     ["process"] = "Process",
     ["quota_exceeded"] = "Quota Exceeded",
+    ["rare_destination"] = "Rare Destination",
+    ["rare_destination_description"] = "Rare Destination '%{destination}' detected",
     ["remote_access_alert_descr"] = "Remote access ended [duration: %{time}]",
     ["remote_access_description"] = "Trigger an alert when a Remote Access Session is ended",
     ["remote_access_title"] = "Remote Access",
@@ -2431,6 +2433,8 @@ local lang = {
     ["note_scripts_list"] = "A full list of available %{product} scripts can be found in the <a href=\"%{url}\">scripts</a> page.",
     ["notes"] = "NOTES",
     ["periodic_update"] = "Periodic Update",
+    ["rare_destination_description"] = "Rare/unusual destination (hostname) detected.",
+    ["rare_destination_title"] = "Rare Destination",
     ["status_changed"] = "Status Changed",
     ["status_zero_tcp_window_description"] = "Reported TCP Zero Window",
     ["status_zero_tcp_window_description_c2s"] = "Reported client TCP zero window",
@@ -2504,6 +2508,7 @@ local lang = {
     ["possible_bot_flow_title"] = "Possible Bot",
     ["potentially_dangerous_protocol"] = "Potentially dangerous protocol",
     ["potentially_dangerous_protocol_description"] = "Trigger an alert when a potentially dangerous protocol is detected",
+    ["rare_destination"] = "Rare Destination",
     ["remote_to_local_insecure_proto_description"] = "Trigger an alert when a remote Server contacts a local Host using an insecure protocol",
     ["remote_to_local_insecure_proto_title"] = "Remote to Local Insecure Protocol",
     ["remote_to_remote"] = "Remote to Remote Flow",

diff --git a/scripts/lua/modules/alert_definitions/flow/alert_rare_destination.lua b/scripts/lua/modules/alert_definitions/flow/alert_rare_destination.lua
@@ -0,0 +1,49 @@
+--
+-- (C) 2019-23 - ntop.org
+--
+
+-- ##############################################
+
+local flow_alert_keys = require "flow_alert_keys"
+-- Import the classes library.
+local classes = require "classes"
+-- Make sure to import the Superclass!
+local alert = require "alert"
+
+-- ##############################################
+
+local alert_rare_destination = classes.class(alert)
+
+-- ##############################################
+
+alert_rare_destination.meta = {
+   alert_key  = flow_alert_keys.flow_alert_rare_destination,
+   i18n_title = "flow_checks_config.rare_destination",
+   icon = "fas fa-fw fa-exclamation",
+}
+
+-- ##############################################
+
+-- @brief Prepare an alert table used to generate the alert
+-- @return A table with the alert built
+function alert_rare_destination:init()
+   -- Call the parent constructor
+   self.super:init()
+end
+
+-- #######################################################
+
+function alert_rare_destination.format(ifid, alert, alert_type_params)
+   if not alert_type_params then
+      tprint("-1-")
+      return i18n("alerts_dashboard.rare_destination_description", {destination = ""})
+   else
+      local ret = i18n("alerts_dashboard.rare_destination_description", {destination = alert_type_params["destination"]})
+      tprint("-2->"..ret)
+      return(ret)
+   end
+end
+
+-- #######################################################
+
+return alert_rare_destination
diff --git a/scripts/lua/modules/alert_keys/flow_alert_keys.lua b/scripts/lua/modules/alert_keys/flow_alert_keys.lua
@@ -97,8 +97,9 @@ local flow_alert_keys = {
    flow_alert_ndpi_periodic_flow                   = 88,
    flow_alert_ndpi_minor_issues                    = 89,
    flow_alert_ndpi_tcp_issues                      = 90,
-   flow_alert_vlan_bidirectional_traffic           = 91
-
+   flow_alert_vlan_bidirectional_traffic           = 91,
+   flow_alert_rare_destination                     = 92
+
    -- NOTE: for flow alerts not not go beyond the size of Bitmap alert_map inside Flow.h (currently 128)
 }
 

diff --git a/scripts/lua/modules/check_definitions/flow/rare_destination.lua b/scripts/lua/modules/check_definitions/flow/rare_destination.lua
@@ -0,0 +1,36 @@
+--
+-- (C) 2019-22 - ntop.org
+--
+
+local checks = require("checks")
+local alerts_api = require "alerts_api"
+local alert_consts = require "alert_consts"
+local flow_alert_keys = require "flow_alert_keys"
+
+-- #################################################################
+
+local script = {
+  packet_interface_only = true,
+
+  -- Script category
+  category = checks.check_categories.network,
+
+  packet_interface_only = true,
+  nedge_exclude = true,
+
+  -- This script is only for alerts generation
+  alert_id = flow_alert_keys.flow_alert_low_goodput,
+
+  default_value = {
+
+  },
+
+  gui = {
+    i18n_title = "flow_checks.rare_destination_title",
+    i18n_description = "flow_checks.rare_destination_description",
+  }
+}
+
+-- #################################################################
+
+return script
diff --git a/src/FlowAlertsLoader.cpp b/src/FlowAlertsLoader.cpp
@@ -65,6 +65,7 @@ FlowAlertsLoader::FlowAlertsLoader() {
   registerAlert(LowGoodputFlowAlert::getClassType(),             LowGoodputFlowAlert::getDefaultScore());
   registerAlert(NedgeBlockedFlowAlert::getClassType(),           NedgeBlockedFlowAlert::getDefaultScore());
   registerAlert(NotPurgedAlert::getClassType(),                  NotPurgedAlert::getDefaultScore());
+  registerAlert(RareDestinationAlert::getClassType(),            RareDestinationAlert::getDefaultScore());
   registerAlert(RemoteAccessAlert::getClassType(),               RemoteAccessAlert::getDefaultScore());
   registerAlert(RemoteToLocalInsecureProtoAlert::getClassType(), RemoteToLocalInsecureProtoAlert::getDefaultScore());
   registerAlert(RemoteToRemoteAlert::getClassType(),             RemoteToRemoteAlert::getDefaultScore());

diff --git a/src/FlowChecksLoader.cpp b/src/FlowChecksLoader.cpp
@@ -109,6 +109,7 @@ void FlowChecksLoader::registerChecks() {
   if((fcb = new LowGoodputFlow()))                              registerCheck(fcb);
   if((fcb = new NotPurged()))                                   registerCheck(fcb);  
   if((fcb = new RemoteAccess()))                                registerCheck(fcb);
+  if((fcb = new RareDestination()))                             registerCheck(fcb);
   if((fcb = new RemoteToLocalInsecureProto()))                  registerCheck(fcb);
   if((fcb = new RemoteToRemote()))                              registerCheck(fcb);
   if((fcb = new TCPZeroWindow()))                               registerCheck(fcb);

diff --git a/src/flow_alerts/RareDestinationAlert.cpp b/src/flow_alerts/RareDestinationAlert.cpp
@@ -0,0 +1,32 @@
+/*
+ *
+ * (C) 2013-23 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#include "flow_alerts_includes.h"
+
+ndpi_serializer* RareDestinationAlert::getAlertJSON(ndpi_serializer* serializer) {
+  Flow *f = getFlow();
+
+  if(serializer)
+    ndpi_serialize_string_string(serializer, "destination", f->getFlowServerInfo());  
+
+  return serializer;
+}
+
diff --git a/src/flow_checks/RareDestination.cpp b/src/flow_checks/RareDestination.cpp
@@ -0,0 +1,55 @@
+/*
+ *
+ * (C) 2013-23 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#include "ntop_includes.h"
+#include "flow_checks_includes.h"
+
+/* ***************************************************** */
+
+void RareDestination::protocolDetected(Flow *f) {
+  bool is_rare_destination = false;
+
+  /* TODO: check if this is a real rare destination */
+  if(f->getFlowServerInfo() != NULL) {
+#ifdef TODO_HERE
+    ntop->getTrace()->traceEvent(TRACE_NORMAL, "*** Rare destination %s", f->getFlowServerInfo());
+    is_rare_destination = true;
+#endif
+  }
+
+  if(is_rare_destination) {
+    FlowAlertType alert_type = RareDestinationAlert::getClassType();
+    u_int8_t c_score, s_score;
+    risk_percentage cli_score_pctg = CLIENT_FAIR_RISK_PERCENTAGE; 
+
+    computeCliSrvScore(alert_type, cli_score_pctg, &c_score, &s_score);
+
+    f->triggerAlertAsync(alert_type, c_score, s_score);
+  }
+}
+
+/* ***************************************************** */
+
+FlowAlert* RareDestination::buildAlert(Flow *f) {
+  return new RareDestinationAlert(this, f);
+}
+
+/* ***************************************************** */