Added ACL Violation alert (#8696)

ntop · Nov 28, 2024 · 819f398 · 819f398
1 parent 5a62b5d
commit 819f398
Show file tree

Hide file tree

Showing 10 changed files with 113 additions and 1 deletion.
diff --git a/include/Flow.h b/include/Flow.h
@@ -427,6 +427,10 @@ class Flow : public GenericHashEntry {
     return (predominant_alert.id != flow_alert_normal);
   };
 
+#if defined(NTOPNG_PRO)
+  bool isFlowAllowed(bool *is_allowed);
+#endif
+
   void setPredominantAlertInfo(FlowAlert *alert);
   inline bool isPredominantAlertAutoAck() {
     return !!predominant_alert_info.auto_acknowledge;

diff --git a/include/flow_alerts/AccessControlListAlert.h b/include/flow_alerts/AccessControlListAlert.h
@@ -0,0 +1,40 @@
+/*
+ *
+ * (C) 2013-24 - ntop.org
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#ifndef _ACCESS_CONTROL_LIST_ALERT_H_
+#define _ACCESS_CONTROL_LIST_ALERT_H_
+
+#include "ntop_includes.h"
+
+class AccessControlListAlert : public FlowAlert {
+ public:
+  static FlowAlertType getClassType() {
+    return {flow_alert_access_control_list, alert_category_network};
+  }
+  static u_int8_t getDefaultScore() { return SCORE_LEVEL_ERROR; };
+
+  AccessControlListAlert(FlowCheck *c, Flow *f) : FlowAlert(c, f){};
+  ~AccessControlListAlert(){};
+
+  FlowAlertType getAlertType() const { return getClassType(); }
+};
+
+#endif /* _ACCESS_CONTROL_LIST_ALERT_H_ */
diff --git a/include/flow_alerts_includes.h b/include/flow_alerts_includes.h
@@ -102,6 +102,7 @@
 #include "flow_alerts/DataExfiltrationAlert.h"
 #include "flow_alerts/ElephantFlowAlert.h"
 #include "flow_alerts/LateralMovementAlert.h"
+#include "flow_alerts/AccessControlListAlert.h"
 #include "flow_alerts/PeriodicityChangedAlert.h"
 #include "flow_alerts/LongLivedFlowAlert.h"
 #include "flow_alerts/DNSDataExfiltrationAlert.h"

diff --git a/include/flow_checks_includes.h b/include/flow_checks_includes.h
@@ -95,6 +95,7 @@
 #include "flow_checks/ExternalAlertCheckPro.h"
 #include "flow_checks/InvalidDNSQuery.h"
 #include "flow_checks/LateralMovement.h"
+#include "flow_checks/AccessControlList.h"
 #include "flow_checks/PeriodicityChanged.h"
 #include "flow_checks/LongLivedFlow.h"
 #include "flow_checks/ModbusUnexpectedFunctionCode.h"

diff --git a/include/ntop_typedefs.h b/include/ntop_typedefs.h
@@ -530,6 +530,7 @@ typedef enum {
   flow_alert_ndpi_binary_data_transfer = 99,
   flow_alert_tcp_flow_reset = 100,
   flow_alert_ndpi_probing_attempt = 101,
+  flow_alert_access_control_list = 102,
 
   MAX_DEFINED_FLOW_ALERT_TYPE, /* Leave it as last member */
 

diff --git a/scripts/lua/modules/alert_definitions/flow/alert_access_control_list.lua b/scripts/lua/modules/alert_definitions/flow/alert_access_control_list.lua
@@ -0,0 +1,52 @@
+--
+-- (C) 2019-24 - ntop.org
+--
+
+-- ##############################################
+
+local flow_alert_keys = require "flow_alert_keys"
+-- Import the classes library.
+local classes = require "classes"
+-- Make sure to import the Superclass!
+local alert = require "alert"
+local json = require "dkjson"
+-- Import Mitre Att&ck utils
+local mitre = require "mitre_utils"
+
+-- ##############################################
+
+local alert_access_control_list = classes.class(alert)
+
+-- ##############################################
+
+alert_access_control_list.meta = {
+   alert_key = flow_alert_keys.flow_alert_access_control_list,
+   icon = "fas fa-fw fa-exclamation",
+   i18n_title = "alerts_dashboard.access_control_list",
+}
+
+-- ##############################################
+
+-- @brief Prepare an alert table used to generate the alert
+-- @return A table with the alert built
+function alert_access_control_list:init()
+   -- Call the parent constructor
+   self.super:init()
+end
+
+-- #######################################################
+
+-- @brief Format an alert into a human-readable string
+-- @param ifid The integer interface id of the generated alert
+-- @param alert The alert description table, including alert data such as the generating entity, timestamp, granularity, type
+-- @param alert_type_params Table `alert_type_params` as built in the `:init` method
+-- @return A human-readable string
+function alert_access_control_list.format(ifid, alert, alert_type_params)
+   -- Extracting info field
+   local href = ntop.getHttpPrefix() .. '/lua/pro/admin/access_control_list.lua'
+   return(i18n("alerts_dashboard.access_control_list_descr", { href = href }))
+end
+
+-- #######################################################
+
+return alert_access_control_list
diff --git a/scripts/lua/modules/alert_keys/flow_alert_keys.lua b/scripts/lua/modules/alert_keys/flow_alert_keys.lua
@@ -107,7 +107,8 @@ local flow_alert_keys = {
    flow_alert_ndpi_malware_host_contacted          = 98,
    flow_alert_ndpi_binary_data_transfer            = 99,
    flow_alert_tcp_flow_reset                       = 100,
-   flow_alert_ndpi_probing_attempt                 = 101
+   flow_alert_ndpi_probing_attempt                 = 101,
+   flow_alert_access_control_list                  = 102
 
    -- NOTE: do not go beyond the size of the alert_map bitmal inside Flow.h (currently 128)
 }

diff --git a/src/Flow.cpp b/src/Flow.cpp
@@ -9048,3 +9048,10 @@ const char* Flow::getDomainName() {
 
   return(NULL);
 }
+
+#if defined(NTOPNG_PRO)
+  bool Flow::isFlowAllowed(bool *is_allowed) {
+    return iface->findFlowACL(this, is_allowed);
+  };
+#endif
+
diff --git a/src/FlowAlertsLoader.cpp b/src/FlowAlertsLoader.cpp
@@ -76,6 +76,10 @@ FlowAlertsLoader::FlowAlertsLoader() {
                 LateralMovementAlert::getDefaultScore());
   registerAlert(PeriodicityChangedAlert::getClassType(),
                 PeriodicityChangedAlert::getDefaultScore());
+#endif
+#if defined(NTOPNG_PRO)
+  registerAlert(AccessControlListAlert::getClassType(),
+                AccessControlListAlert::getDefaultScore());
 #endif
   registerAlert(LongLivedFlowAlert::getClassType(),
                 LongLivedFlowAlert::getDefaultScore());

diff --git a/src/FlowChecksLoader.cpp b/src/FlowChecksLoader.cpp
@@ -137,6 +137,7 @@ void FlowChecksLoader::registerChecks() {
   if ((fcb = new ElephantFlow())) registerCheck(fcb);
   if ((fcb = new ExternalAlertCheckPro())) registerCheck(fcb);
   if ((fcb = new InvalidDNSQuery())) registerCheck(fcb);
+  if ((fcb = new AccessControlList())) registerCheck(fcb);
 #if !defined(HAVE_NEDGE)
   if ((fcb = new LateralMovement())) registerCheck(fcb);
   if ((fcb = new PeriodicityChanged())) registerCheck(fcb);