From 5465eacda8bec143ba62afe9fbe8cda88f04e1b8 Mon Sep 17 00:00:00 2001
From: DGabri
Date: Tue, 29 Oct 2024 19:17:33 +0100
Subject: [PATCH] Added endpoint to get alerts info from bitmap and alert id
---
 scripts/lua/modules/alert_utils.lua | 2 +-
 scripts/lua/modules/http_lint.lua | 3 ++
 .../lua/rest/v2/get/alert/alert_from_map.lua | 34 +++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 scripts/lua/rest/v2/get/alert/alert_from_map.lua
diff --git a/scripts/lua/modules/alert_utils.lua b/scripts/lua/modules/alert_utils.lua
index 50943cb56d5b..424901f0382c 100644
--- a/scripts/lua/modules/alert_utils.lua
+++ b/scripts/lua/modules/alert_utils.lua
@@ -800,7 +800,7 @@ function alert_utils.format_other_alerts(alert_bitmap, predominant_alert, alert_
 for bit_num = 0, 7 do
 -- Checks the bits set in this current nibble
 local has_bit = alerts_map_nibble & (1 << bit_num) == (1 << bit_num)
-
+
 if has_bit then -- The bit is set
 -- The actual alert id is the bit number times the current byte multiplied by 8
 local alert_id = math.floor(8 * nibble_num / 2) + bit_num
diff --git a/scripts/lua/modules/http_lint.lua b/scripts/lua/modules/http_lint.lua
index 7227e7d6d66a..a29da5ebd676 100644
--- a/scripts/lua/modules/http_lint.lua
+++ b/scripts/lua/modules/http_lint.lua
@@ -2005,6 +2005,9 @@ local known_parameters = {
 ["mitre_tactic"] = validateListOfTypeInline(validateFilters(validateNumber)),
 ["mitre_technique"] = validateListOfTypeInline(validateFilters(validateNumber)),
 ["mitre_subtechnique"] = validateListOfTypeInline(validateFilters(validateNumber)),
+ ["alert_map"] = validateSingleWord,
+ ["alert_type"] = validateNumber,
+ ["mitre_subtechnique"] = validateListOfTypeInline(validateFilters(validateNumber)),
 ["description"] = validateUnquoted,
 ["alert_l7_proto"] = validateNumber, -- An alert l7 protocol
 ["alert_subtype"] = validateSingleWord, -- An alert subtype string 
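Review bot: The third added line in the http_lint hunk re-declares `["mitre_subtechnique"]`, which the context line directly above already defines with the same validator; a Lua table constructor silently lets the later duplicate win, so this is a copy-paste leftover to delete rather than a second validator. The new `alert_map` entry uses `validateSingleWord`, yet the parameter is consumed in alert_from_map.lua as a hex bitmap that format_other_alerts tests nibble by nibble (`alerts_map_nibble & (1 << bit_num)` in the alert_utils hunk); if validateSingleWord admits non-hex characters, a malformed value presumably fails inside that conversion with a Lua runtime error instead of the clean invalid_args response the endpoint returns for missing parameters. Tightening it to a hex-only check (an existing hex validator in http_lint if there is one, else a `^%x+$` pattern match) keeps bad input at the lint layer. The known_parameters table extends beyond the hunk on both sides.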
diff --git a/scripts/lua/rest/v2/get/alert/alert_from_map.lua b/scripts/lua/rest/v2/get/alert/alert_from_map.lua
new file mode 100644
index 000000000000..cbcade532a0e
--- /dev/null
+++ b/scripts/lua/rest/v2/get/alert/alert_from_map.lua
@@ -0,0 +1,34 @@
+--
+-- (C) 2021-24 - ntop.org
+--
+local dirs = ntop.getDirs()
+package.path = dirs.installdir .. "/scripts/lua/modules/alert_store/?.lua;" .. package.path
+package.path = dirs.installdir .. "/scripts/lua/modules/?.lua;" .. package.path
+
+require "lua_utils"
+local alert_utils = require "alert_utils"
+local json = require "dkjson"
+local rest_utils = require "rest_utils"
+
+-- Given alerts bitmap and alert_id return all the alerts relevant for the provided values
+-- Example: curl -u admin:admin -H "Content-Type: application/json" -d '{"alert_map": "10050000000100000000100000", "alert_type": "90"}' http://localhost:3000/lua/rest/v2/get/alert/alert_from_map.lua
+-- Returns: {"rsp":{"additional_alerts":["TCP Connection Refused ","TCP No Data Exchanged ","Periodic Flow ","TCP Flow Reset "],"alerts_by_score":[]},"rc_str":"OK","rc":0,"rc_str_hr":"Success"}
+
+
+local rc = rest_utils.consts.success.ok
+local alerts_map = _GET["alert_map"]
+local alert_id = _GET["alert_type"]
+local res
+
+if alerts_map and alert_id then
+ local other_alerts_by_score, additional_alerts = alert_utils.format_other_alerts(tostring(alerts_map), tostring(alert_id), nil, nil, true)
+ res = {
+ alerts_by_score = alerts_by_score or {},
+ additional_alerts = additional_alerts or {}
+ }
+else
+ rc = rest_utils.consts.err.invalid_args
+ res = {}
+end
+
+rest_utils.answer(rc, res)
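Review bot: `alerts_by_score = alerts_by_score or {}` inside the `if` reads an undeclared global, because the value returned by format_other_alerts is bound to the local `other_alerts_by_score` on the line above; the response therefore always carries an empty `alerts_by_score`, which the `-- Returns:` example in the header (`"alerts_by_score":[]`) appears to confirm, and the line should be `alerts_by_score = other_alerts_by_score or {},`. The `local json = require "dkjson"` is never used in the file and can be dropped. The curl example sends the parameters as a JSON POST body while the script reads them from `_GET`; whether ntopng merges a JSON body into `_GET` is not visible here, so either confirm that or rewrite the example with query-string parameters so the documented invocation matches the code.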