Splitting blacklisted flow alert and creating two new alerts. (#8354) (…

…#8355) * Splitting blacklisted flow alert and creating two new alerts. (#8354) * Renaming to 'Blacklisted Client Contact' and 'Blacklisted Server Contact'. (#8354)
ntop · Apr 24, 2024 · 59075f5 · 59075f5
1 parent 636ba29
commit 59075f5
Show file tree

Hide file tree

Showing 20 changed files with 739 additions and 29 deletions.
diff --git a/include/flow_alerts/BlacklistedClientContactAlert.h b/include/flow_alerts/BlacklistedClientContactAlert.h
@@ -0,0 +1,45 @@
+/*
+ *
+ * (C) 2013-24 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#ifndef _BLACKLIST_CLIENT_CONTACT_ALERT_H_
+#define _BLACKLIST_CLIENT_CONTACT_ALERT_H_
+
+#include "ntop_includes.h"
+
+class BlacklistedClientContactAlert : public FlowAlert {
+ private:
+  ndpi_serializer* getAlertJSON(ndpi_serializer* serializer);
+
+ public:
+  static FlowAlertType getClassType() {
+    return {flow_alert_blacklisted_client_contact, alert_category_security};
+  }
+  static u_int8_t getDefaultScore() { return SCORE_LEVEL_NOTICE; };
+
+  BlacklistedClientContactAlert(FlowCheck* c, Flow* f) : FlowAlert(c, f) {};
+  ~BlacklistedClientContactAlert(){};
+
+  bool autoAck() const { return false; };
+
+  FlowAlertType getAlertType() const { return getClassType(); }
+};
+
+#endif /* _BLACKLIST_CLIENT_CONTACT_ALERT_H_ */
diff --git a/include/flow_alerts/BlacklistedServerContactAlert.h b/include/flow_alerts/BlacklistedServerContactAlert.h
@@ -0,0 +1,45 @@
+/*
+ *
+ * (C) 2013-24 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#ifndef _BLACKLIST_SERVER_CONTACT_ALERT_H_
+#define _BLACKLIST_SERVER_CONTACT_ALERT_H_
+
+#include "ntop_includes.h"
+
+class BlacklistedServerContactAlert : public FlowAlert {
+ private:
+  ndpi_serializer* getAlertJSON(ndpi_serializer* serializer);
+
+ public:
+  static FlowAlertType getClassType() {
+    return {flow_alert_blacklisted_server_contact, alert_category_security};
+  }
+  static u_int8_t getDefaultScore() { return SCORE_LEVEL_CRITICAL; };
+
+  BlacklistedServerContactAlert(FlowCheck* c, Flow* f) : FlowAlert(c, f) {};
+  ~BlacklistedServerContactAlert(){};
+
+  bool autoAck() const { return false; };
+
+  FlowAlertType getAlertType() const { return getClassType(); }
+};
+
+#endif /* _BLACKLIST_SERVER_CONTACT_ALERT_H_ */
diff --git a/include/flow_alerts_includes.h b/include/flow_alerts_includes.h
@@ -83,6 +83,8 @@
 #include "flow_alerts/IECInvalidTransitionAlert.h"
 #include "flow_alerts/IECInvalidCommandTransitionAlert.h"
 #include "flow_alerts/IECUnexpectedTypeIdAlert.h"
+#include "flow_alerts/BlacklistedClientContactAlert.h"
+#include "flow_alerts/BlacklistedServerContactAlert.h"
 #include "flow_alerts/TCPFlowResetAlert.h"
 
 /* Pro Alerts - do NOT use #ifdef as alerts must always be available */

diff --git a/include/flow_checks/BlacklistedClientContact.h b/include/flow_checks/BlacklistedClientContact.h
@@ -0,0 +1,45 @@
+/*
+ *
+ * (C) 2013-24 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#ifndef _BLACKLIST_CLIENT_CONTACT_H_
+#define _BLACKLIST_CLIENT_CONTACT_H_
+
+#include "ntop_includes.h"
+
+class BlacklistedClientContact : public FlowCheck {
+ private:
+ public:
+  BlacklistedClientContact()
+      : FlowCheck(ntopng_edition_community, false /* All interfaces */,
+                  false /* Don't exclude for nEdge */,
+                  false /* NOT only for nEdge */,
+                  true /* has_protocol_detected */,
+                  false /* has_periodic_update */, false /* has_flow_end */){};
+  ~BlacklistedClientContact(){};
+
+  bool loadConfiguration(json_object *config);
+  void protocolDetected(Flow *f);
+  FlowAlert *buildAlert(Flow *f);
+
+  std::string getName() const { return (std::string("blacklisted_client_contact")); }
+};
+
+#endif /* _BLACKLIST_CLIENT_CONTACT_H_ */
diff --git a/include/flow_checks/BlacklistedServerContact.h b/include/flow_checks/BlacklistedServerContact.h
@@ -0,0 +1,45 @@
+/*
+ *
+ * (C) 2013-24 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#ifndef _BLACKLIST_SERVER_CONTACT_H_
+#define _BLACKLIST_SERVER_CONTACT_H_
+
+#include "ntop_includes.h"
+
+class BlacklistedServerContact : public FlowCheck {
+ private:
+ public:
+  BlacklistedServerContact()
+      : FlowCheck(ntopng_edition_community, false /* All interfaces */,
+                  false /* Don't exclude for nEdge */,
+                  false /* NOT only for nEdge */,
+                  true /* has_protocol_detected */,
+                  false /* has_periodic_update */, false /* has_flow_end */){};
+  ~BlacklistedServerContact(){};
+
+  bool loadConfiguration(json_object *config);
+  void protocolDetected(Flow *f);
+  FlowAlert *buildAlert(Flow *f);
+
+  std::string getName() const { return (std::string("blacklisted_server_contact")); }
+};
+
+#endif /* _BLACKLIST_SERVER_CONTACT_H_ */
diff --git a/include/flow_checks_includes.h b/include/flow_checks_includes.h
@@ -84,6 +84,8 @@
 #include "flow_checks/UnexpectedSMTPServer.h"
 #include "flow_checks/WebMining.h"
 #include "flow_checks/VLANBidirectionalTraffic.h"
+#include "flow_checks/BlacklistedClientContact.h"
+#include "flow_checks/BlacklistedServerContact.h"
 #include "flow_checks/TCPFlowReset.h"
 
 #ifdef NTOPNG_PRO

diff --git a/include/ntop_typedefs.h b/include/ntop_typedefs.h
@@ -449,11 +449,11 @@ typedef enum {
   flow_alert_dns_data_exfiltration = 6,
   flow_alert_dns_invalid_query = 7,
   flow_alert_elephant_flow = 8,
-  flow_alert_notused_1 = 9,
+  flow_alert_blacklisted_client_contact = 9,
   flow_alert_external = 10,
   flow_alert_longlived = 11,
   flow_alert_low_goodput = 12,
-  flow_alert_notused_2 = 13,
+  flow_alert_blacklisted_server_contact = 13,
   flow_alert_internals = 14,
   flow_alert_notused_3 = 15,
   flow_alert_remote_to_remote = 16,

diff --git a/scripts/locales/en.lua b/scripts/locales/en.lua
@@ -2834,6 +2834,10 @@ local lang = {
   ["flow_checks_config"] = {
     ["blacklisted"] = "Blacklisted Flow",
     ["blacklisted_description"] = "Trigger an alert when a blacklisted host or domain is detected",
+    ["blacklist_client_contact"] = "Blacklisted Client Contact",
+    ["blacklist_client_contact_description"] = "Trigger an alert when a remote blacklisted host contacts a local host",
+    ["blacklist_server_contact"] = "Blacklisted Server Contact",
+    ["blacklist_server_contact_description"] = "Trigger an alert when a localhost contacts a remote blacklisted host",
     ["broadcast_non_udp_traffic_description"] = "Trigger an alert when an host contacts a Broadcast address using a non-UDP protocol",
     ["broadcast_non_udp_traffic_title"] = "Broadcast Non-UDP Traffic",
     ["connection_failed_description"] = "Trigger an alert when detecting a TCP connection with no server answer",

diff --git a/scripts/lua/modules/alert_definitions/flow/alert_blacklisted_client_contact.lua b/scripts/lua/modules/alert_definitions/flow/alert_blacklisted_client_contact.lua
@@ -0,0 +1,107 @@
+--
+-- (C) 2019-24 - ntop.org
+--
+-- ##############################################
+local flow_alert_keys = require "flow_alert_keys"
+
+-- Import the classes library.
+local classes = require "classes"
+-- Make sure to import the Superclass!
+local alert = require "alert"
+local blacklist_debug = 'ntopng.debug.alerts.blacklisted_flow'
+
+-- ##############################################
+
+local alert_blacklisted_client_contact = classes.class(alert)
+
+-- ##############################################
+
+alert_blacklisted_client_contact.meta = {
+    alert_key = flow_alert_keys.flow_alert_blacklisted_client_contact,
+    i18n_title = "flow_checks_config.blacklist_client_contact",
+    icon = "fas fa-fw fa-exclamation",
+
+    has_victim = true,
+    has_attacker = true
+}
+
+-- ##############################################
+
+-- @brief Prepare an alert table used to generate the alert
+-- @param info A flow info table fetched with `flow.getBlacklistedInfo()`
+-- @return A table with the alert built
+function alert_blacklisted_client_contact:init()
+    -- Call the parent constructor
+    self.super:init()
+end
+
+-- #######################################################
+
+-- @brief Format an alert into a human-readable string
+-- @param ifid The integer interface id of the generated alert
+-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
+-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
+-- @return A human-readable string
+function alert_blacklisted_client_contact.format(ifid, alert, alert_type_params)
+    local who = {}
+
+    if alert_type_params["cli_blacklisted"] and alert_type_params["cli_blacklisted"] ~= "0" then
+        who[#who + 1] = {
+            type = i18n("client"),
+            blacklist_name = alert_type_params["custom_cat_file"]
+        }
+    end
+
+    if alert_type_params["srv_blacklisted"] and alert_type_params["srv_blacklisted"] ~= "0" then
+        who[#who + 1] = {
+            type = i18n("server"),
+            blacklist_name = alert_type_params["custom_cat_file"]
+        }
+    end
+
+    local who_string = ""
+    local black_list_names = ""
+    for _, v in ipairs(who) do
+        if v.type then
+            if who_string ~= "" then
+                who_string = who_string .. ", "
+            end
+            who_string = who_string .. v.type
+        end
+
+        if v.blacklist_name then
+            if black_list_names ~= "" then
+                black_list_names = black_list_names .. ", "
+            end
+            black_list_names = black_list_names .. v.blacklist_name
+        end
+    end
+    local res = i18n("flow_details.blacklisted_flow_detailed", {
+        who = who_string,
+        blacklist = black_list_names,
+        uid = ternary(alert_type_params["uid"] ~= nil, alert_type_params["uid"], "")
+    })
+
+    if #who == 0 and alert_type_params["cat_blacklisted"] then
+        if ntop.getCache(blacklist_debug) == '1' then
+            traceError(TRACE_NORMAL, TRACE_CONSOLE, "Blacklisted flow with no blacklisted client nor server. Info:\n")
+            tprint(alert)
+            tprint(alert_type_params)
+        end
+        local l7_protocol
+        if tonumber(alert["l7_master_proto"]) and tonumber(alert["l7_proto"]) then
+            l7_protocol =
+                interface.getnDPIFullProtoName(tonumber(alert["l7_master_proto"]), tonumber(alert["l7_proto"]))
+        end
+        res = i18n("blacklisted_category", {
+            config_href = "<a href='" .. ntop.getHttpPrefix() .. "/lua/admin/edit_categories.lua?application=" ..
+                l7_protocol .. "' target='_blank'><i class='fas fa-cog fa-sm'></i></a>"
+        })
+    end
+
+    return res
+end
+
+-- #######################################################
+
+return alert_blacklisted_client_contact