Added endpoint to get alerts info from bitmap and alert id

ntop · Oct 29, 2024 · 5465eac · 5465eac
1 parent 938ed24
commit 5465eac
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 1 deletion.
diff --git a/scripts/lua/modules/alert_utils.lua b/scripts/lua/modules/alert_utils.lua
@@ -800,7 +800,7 @@ function alert_utils.format_other_alerts(alert_bitmap, predominant_alert, alert_
             for bit_num = 0, 7 do
                 -- Checks the bits set in this current nibble
                 local has_bit = alerts_map_nibble & (1 << bit_num) == (1 << bit_num)
-
+                
                 if has_bit then -- The bit is set
                     -- The actual alert id is the bit number times the current byte multiplied by 8
                     local alert_id = math.floor(8 * nibble_num / 2) + bit_num

diff --git a/scripts/lua/modules/http_lint.lua b/scripts/lua/modules/http_lint.lua
@@ -2005,6 +2005,9 @@ local known_parameters = {
    ["mitre_tactic"] = validateListOfTypeInline(validateFilters(validateNumber)),
    ["mitre_technique"] = validateListOfTypeInline(validateFilters(validateNumber)),
    ["mitre_subtechnique"] = validateListOfTypeInline(validateFilters(validateNumber)),
+   ["alert_map"] = validateSingleWord,
+   ["alert_type"] = validateNumber,
+   ["mitre_subtechnique"] = validateListOfTypeInline(validateFilters(validateNumber)),
    ["description"] = validateUnquoted,
    ["alert_l7_proto"] = validateNumber,                                               -- An alert l7 protocol
    ["alert_subtype"] = validateSingleWord,                                            -- An alert subtype string

diff --git a/scripts/lua/rest/v2/get/alert/alert_from_map.lua b/scripts/lua/rest/v2/get/alert/alert_from_map.lua
@@ -0,0 +1,34 @@
+--
+-- (C) 2021-24 - ntop.org
+--
+local dirs = ntop.getDirs()
+package.path = dirs.installdir .. "/scripts/lua/modules/alert_store/?.lua;" .. package.path
+package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
+
+require "lua_utils"
+local alert_utils = require "alert_utils"
+local json = require "dkjson"
+local rest_utils = require "rest_utils"
+
+-- Given alerts bitmap and alert_id return all the alerts relevant for the provided values
+-- Example: curl -u admin:admin -H "Content-Type: application/json" -d '{"alert_map": "10050000000100000000100000", "alert_type": "90"}' http://localhost:3000/lua/rest/v2/get/alert/alert_from_map.lua
+-- Returns: {"rsp":{"additional_alerts":["TCP Connection Refused ","TCP No Data Exchanged ","Periodic Flow ","TCP Flow Reset "],"alerts_by_score":[]},"rc_str":"OK","rc":0,"rc_str_hr":"Success"}
+
+
+local rc = rest_utils.consts.success.ok
+local alerts_map = _GET["alert_map"]
+local alert_id = _GET["alert_type"]
+local res 
+
+if alerts_map and alert_id then
+    local other_alerts_by_score, additional_alerts = alert_utils.format_other_alerts(tostring(alerts_map), tostring(alert_id), nil, nil, true)
+    res = {
+        alerts_by_score = alerts_by_score or {},
+        additional_alerts = additional_alerts or {}
+    }
+else 
+    rc = rest_utils.consts.err.invalid_args
+    res = {}
+end
+
+rest_utils.answer(rc, res)