Coverage Report

Created: 2025-11-16 06:59

/src/ntopng/src/AlertsQueue.cpp
1
/*
2
 *
3
 * (C) 2019-25 - ntop.org
4
 *
5
 *
6
 * This program is free software; you can redistribute it and/or modify
7
 * it under the terms of the GNU General Public License as published by
8
 * the Free Software Foundation; either version 3 of the License, or
9
 * (at your option) any later version.
10
 *
11
 * This program is distributed in the hope that it will be useful,
12
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14
 * GNU General Public License for more details.
15
 *
16
 * You should have received a copy of the GNU General Public License
17
 * along with this program; if not, write to the Free Software Foundation,
18
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19
 *
20
 */
21
22
#include "ntop_includes.h"
23
24
/* **************************************************** */
25
26
2
/*
 * Binds the queue to the interface it reports for.
 *
 * _iface is stored as-is in `iface`; pushAlertJson() later reads its id for
 * the "ifid" field and bumps its dropped-alerts counter.
 */
AlertsQueue::AlertsQueue(NetworkInterface *_iface) {
  iface = _iface;

  /* Allocation tracing, only emitted when trace_new_delete is set */
  if (trace_new_delete) {
    ntop->getTrace()->traceEvent(TRACE_NORMAL, "[new] %s", __FILE__);
  }
}
30
31
/* **************************************************** */
32
33
/*
34
 * Note: consumer should destroy the tlv with:
35
 * ndpi_term_serializer(tlv);
36
 * free(tlv);
37
 */
38
/*
 * Appends the fields shared by every alert to `alert` and hands it to the
 * internal alerts queue.
 *
 * alert           heap-allocated, already initialised serializer
 * atype           value written under "alert_id"
 * a_subtype       optional; written under "subtype" only when non-NULL and
 *                 non-empty
 * alert_category  written under "alert_category" as a uint32
 *
 * Ownership: if the enqueue is refused the serializer is terminated and
 * freed here, so the caller must not touch `alert` after this call in either
 * case. The ndpi_serialize_* return values are not checked.
 */
void AlertsQueue::pushAlertJson(ndpi_serializer *alert, const char *atype,
                                const char *a_subtype, AlertCategory alert_category) {
  const bool has_subtype = (a_subtype != NULL) && (a_subtype[0] != '\0');

  /* Mandatory fields, present in all the pushed alerts */
  ndpi_serialize_string_uint32(alert, "ifid", iface->get_id());
  ndpi_serialize_string_string(alert, "alert_id", atype);
  ndpi_serialize_string_uint32(alert, "alert_category", alert_category);

  if (has_subtype) {
    ndpi_serialize_string_string(alert, "subtype", a_subtype);
  }

  ndpi_serialize_string_uint64(alert, "tstamp", time(NULL));

  if (ntop->getInternalAlertsQueue()->enqueue(alert)) {
    return; /* queued: the consumer now owns the serializer */
  }

  /*
   * The queue refused the alert. It is lost from here on; the per-interface
   * dropped counter is the only trace that it ever existed.
   */
  iface->incNumDroppedAlerts(alert_entity_other);
  ndpi_term_serializer(alert);
  free(alert);
}
55
56
/* **************************************************** */
57
58
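/*
 * Queues a "misconfigured_dhcp_range" alert (category network) for a client
 * IP seen outside the DHCP range.
 *
 * cli_mac     raw client MAC, formatted with Utils::formatMac
 * sender_mac  Mac object of the sender; dereferenced without a NULL check,
 *             so the caller must pass a valid pointer
 * ip          client IPv4 address
 * router_ip   router IPv4 address
 * vlan_id     VLAN the event was seen on
 *
 * Nothing is queued when alerts are disabled or when the serializer cannot
 * be allocated. Ownership of the serializer passes to pushAlertJson().
 */
void AlertsQueue::pushOutsideDhcpRangeAlert(u_int8_t *cli_mac, Mac *sender_mac,
                                            u_int32_t ip, u_int32_t router_ip,
                                            u_int16_t vlan_id) {
  ndpi_serializer *tlv;

  if (ntop->getPrefs()->are_alerts_disabled()) return;

  tlv = (ndpi_serializer *)calloc(1, sizeof(ndpi_serializer));

  if (tlv) {
    char cli_mac_s[32], sender_mac_s[32];
    char ipbuf[64], router_ip_buf[64], *ip_s, *router_ip_s;
    /*
     * Start from an empty string: getDHCPName() is not visible here, and
     * "device_name" must not be read from indeterminate stack bytes if it
     * leaves the buffer untouched.
     */
    char name[64] = {'\0'};

    Utils::formatMac(cli_mac, cli_mac_s, sizeof(cli_mac_s));
    /* Size the call with the buffer actually written to */
    sender_mac->print(sender_mac_s, sizeof(sender_mac_s));
    ip_s = Utils::intoaV4(ip, ipbuf, sizeof(ipbuf));
    router_ip_s =
        Utils::intoaV4(router_ip, router_ip_buf, sizeof(router_ip_buf));

    /*
     * Log the pointer returned by intoaV4(), as the serializer call below
     * does. NOTE(review): the start of ipbuf is only the same string if
     * intoaV4() writes from the front of the buffer - confirm against
     * Utils::intoaV4 before ever printing the raw buffer.
     */
    ntop->getTrace()->traceEvent(
        TRACE_INFO, "IP not in DHCP range: %s (mac=%s, sender=%s, router=%s)",
        ip_s, cli_mac_s, sender_mac_s, router_ip_s);

    ndpi_init_serializer_ll(tlv, ndpi_serialization_format_tlv, 64);

    ndpi_serialize_string_string(tlv, "client_mac", cli_mac_s);
    ndpi_serialize_string_string(tlv, "sender_mac", sender_mac_s);
    ndpi_serialize_string_string(tlv, "client_ip", ip_s);
    ndpi_serialize_string_string(tlv, "router_ip", router_ip_s);
    ndpi_serialize_string_int32(tlv, "vlan_id", vlan_id);
    ndpi_serialize_string_int32(tlv, "device_type",
                                sender_mac->getDeviceType());

    /* presumably the name the device announced over DHCP, i.e. data chosen
     * by the device itself - consumers should treat it as untrusted */
    sender_mac->getDHCPName(name, sizeof(name));
    ndpi_serialize_string_string(tlv, "device_name", name);

    pushAlertJson(tlv, "misconfigured_dhcp_range", NULL, alert_category_network);
  }
}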
98
99
/* **************************************************** */
100
101
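/*
 * Queues a "mac_ip_association_change" alert (category network) when an IPv4
 * address is seen with a different MAC than before.
 *
 * ip            IPv4 address whose association changed
 * old_mac       raw MAC previously associated with ip
 * new_mac       raw MAC now associated with ip
 * new_host_mac  Mac object for the new MAC; dereferenced without a NULL
 *               check, so the caller must pass a valid pointer
 *
 * Nothing is queued when alerts are disabled or when the serializer cannot
 * be allocated. Ownership of the serializer passes to pushAlertJson().
 */
void AlertsQueue::pushMacIpAssociationChangedAlert(u_int32_t ip,
                                                   u_int8_t *old_mac,
                                                   u_int8_t *new_mac,
                                                   Mac *new_host_mac) {
  ndpi_serializer *tlv;

  if (ntop->getPrefs()->are_alerts_disabled()) return;

  tlv = (ndpi_serializer *)calloc(1, sizeof(ndpi_serializer));

  if (tlv) {
    char oldmac_s[32], newmac_s[32], ipbuf[32], *ip_s;
    /*
     * Start from an empty string: getDHCPName() is not visible here, and
     * "device_name" must not be read from indeterminate stack bytes if it
     * leaves the buffer untouched.
     */
    char name[64] = {'\0'};

    Utils::formatMac(old_mac, oldmac_s, sizeof(oldmac_s));
    Utils::formatMac(new_mac, newmac_s, sizeof(newmac_s));
    /* Always use the returned pointer, not ipbuf, as the string start */
    ip_s = Utils::intoaV4(ip, ipbuf, sizeof(ipbuf));

    ntop->getTrace()->traceEvent(TRACE_INFO,
                                 "IP %s: modified MAC association %s -> %s",
                                 ip_s, oldmac_s, newmac_s);

    ndpi_init_serializer_ll(tlv, ndpi_serialization_format_tlv, 64);

    ndpi_serialize_string_string(tlv, "ip", ip_s);
    ndpi_serialize_string_string(tlv, "old_mac", oldmac_s);
    ndpi_serialize_string_string(tlv, "new_mac", newmac_s);
    ndpi_serialize_string_int32(tlv, "device_type",
                                new_host_mac->getDeviceType());

    /* presumably the name the device announced over DHCP, i.e. data chosen
     * by the device itself - consumers should treat it as untrusted */
    new_host_mac->getDHCPName(name, sizeof(name));
    ndpi_serialize_string_string(tlv, "device_name", name);

    pushAlertJson(tlv, "mac_ip_association_change", NULL, alert_category_network);
  }
}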
137
138
/* **************************************************** */
139
140
/*
 * Queues a "broadcast_domain_too_large" alert (category network).
 *
 * src_mac, dst_mac  raw MAC addresses, formatted with Utils::formatMac
 * spa, tpa          IPv4 addresses, formatted with Utils::intoaV4 and
 *                   written under the keys "spa" and "tpa"
 * vlan_id           written under "vlan_id"
 *
 * Nothing is queued when alerts are disabled or when the serializer cannot
 * be allocated. Ownership of the serializer passes to pushAlertJson().
 */
void AlertsQueue::pushBroadcastDomainTooLargeAlert(const u_int8_t *src_mac,
                                                   const u_int8_t *dst_mac,
                                                   u_int32_t spa, u_int32_t tpa,
                                                   u_int16_t vlan_id) {
  if (ntop->getPrefs()->are_alerts_disabled()) {
    return;
  }

  ndpi_serializer *const ser =
      static_cast<ndpi_serializer *>(calloc(1, sizeof(ndpi_serializer)));

  if (ser == NULL) {
    return; /* allocation failed: the alert is skipped without a trace */
  }

  char src_txt[32];
  char dst_txt[32];
  char spa_storage[32];
  char tpa_storage[32];

  Utils::formatMac(src_mac, src_txt, sizeof(src_txt));
  Utils::formatMac(dst_mac, dst_txt, sizeof(dst_txt));

  /* intoaV4() hands back the string to use; keep that pointer */
  char *const spa_txt = Utils::intoaV4(spa, spa_storage, sizeof(spa_storage));
  char *const tpa_txt = Utils::intoaV4(tpa, tpa_storage, sizeof(tpa_storage));

  ndpi_init_serializer_ll(ser, ndpi_serialization_format_tlv, 64);

  ndpi_serialize_string_int32(ser, "vlan_id", vlan_id);
  ndpi_serialize_string_string(ser, "src_mac", src_txt);
  ndpi_serialize_string_string(ser, "dst_mac", dst_txt);
  ndpi_serialize_string_string(ser, "spa", spa_txt);
  ndpi_serialize_string_string(ser, "tpa", tpa_txt);

  pushAlertJson(ser, "broadcast_domain_too_large", NULL, alert_category_network);
}
170
171
/* **************************************************** */
172
173
0
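/*
 * Queues a login audit alert (category system): "user_activity" when the
 * login was authorized, "login_failed" otherwise.
 *
 * user        account name, written under "user"; a NULL pointer is
 *             recorded as an empty string
 * method      optional authentication method, written under "method" only
 *             when non-NULL
 * authorized  selects the alert id as described above
 *
 * NOTE(review): `user` is presumably whatever was typed at the login prompt,
 * so for failed logins it is attacker-chosen text - confirm with the caller.
 * It is stored verbatim; anything that renders or forwards the alert has to
 * escape it.
 *
 * Nothing is queued when alerts are disabled or when the serializer cannot
 * be allocated, which means login attempts leave no alert in those cases.
 */
void AlertsQueue::pushLoginTrace(const char *user, const char *method, bool authorized) {
  ndpi_serializer *tlv;

  if (ntop->getPrefs()->are_alerts_disabled()) return;

  tlv = (ndpi_serializer *)calloc(1, sizeof(ndpi_serializer));

  if (tlv) {
    ndpi_init_serializer_ll(tlv, ndpi_serialization_format_tlv, 64);

    ndpi_serialize_string_string(tlv, "scope", "login");
    /*
     * Do not rely on how the serializer treats a NULL value (not visible
     * here): keep the "user" key and record an empty name instead.
     */
    ndpi_serialize_string_string(tlv, "user", user ? user : "");
    if (method)
      ndpi_serialize_string_string(tlv, "method", method);

    pushAlertJson(tlv, authorized ? "user_activity" : "login_failed", NULL, alert_category_system);
  }
}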
191
192
/* **************************************************** */
193
194
/*
 * Queues an "nfq_flushed" alert (category system).
 *
 * queue_len      written under "tot"
 * queue_len_pct  written under "pct"
 * queue_dropped  written under "dropped"
 *
 * Nothing is queued when alerts are disabled or when the serializer cannot
 * be allocated. Ownership of the serializer passes to pushAlertJson().
 */
void AlertsQueue::pushNfqFlushedAlert(int queue_len, int queue_len_pct,
                                      int queue_dropped) {
  if (ntop->getPrefs()->are_alerts_disabled()) {
    return;
  }

  ndpi_serializer *const ser =
      static_cast<ndpi_serializer *>(calloc(1, sizeof(ndpi_serializer)));

  if (ser == NULL) {
    return; /* allocation failed: the alert is skipped without a trace */
  }

  ndpi_init_serializer_ll(ser, ndpi_serialization_format_tlv, 64);

  ndpi_serialize_string_int32(ser, "tot", queue_len);
  ndpi_serialize_string_int32(ser, "pct", queue_len_pct);
  ndpi_serialize_string_int32(ser, "dropped", queue_dropped);

  pushAlertJson(ser, "nfq_flushed", NULL, alert_category_system);
}
212
213
/* **************************************************** */
214
215
0
/*
 * Queues a "cloud_disconnected" alert (category system).
 *
 * descr  optional text, written under "description" only when non-NULL
 *
 * Nothing is queued when alerts are disabled or when the serializer cannot
 * be allocated. Ownership of the serializer passes to pushAlertJson().
 */
void AlertsQueue::pushCloudDisconnectionAlert(const char *descr) {
  if (ntop->getPrefs()->are_alerts_disabled()) {
    return;
  }

  ndpi_serializer *const ser =
      static_cast<ndpi_serializer *>(calloc(1, sizeof(ndpi_serializer)));

  if (ser == NULL) {
    return; /* allocation failed: the alert is skipped without a trace */
  }

  ndpi_init_serializer_ll(ser, ndpi_serialization_format_tlv, 64);

  if (descr != NULL) {
    ndpi_serialize_string_string(ser, "description", descr);
  }

  pushAlertJson(ser, "cloud_disconnected", NULL, alert_category_system);
}
231
232
/* **************************************************** */
233
234
0
/*
 * Queues a "cloud_reconnected" alert (category system).
 *
 * descr  optional text, written under "description" only when non-NULL
 *
 * Nothing is queued when alerts are disabled or when the serializer cannot
 * be allocated. Ownership of the serializer passes to pushAlertJson().
 */
void AlertsQueue::pushCloudReconnectionAlert(const char *descr) {
  if (ntop->getPrefs()->are_alerts_disabled()) {
    return;
  }

  ndpi_serializer *const ser =
      static_cast<ndpi_serializer *>(calloc(1, sizeof(ndpi_serializer)));

  if (ser == NULL) {
    return; /* allocation failed: the alert is skipped without a trace */
  }

  ndpi_init_serializer_ll(ser, ndpi_serialization_format_tlv, 64);

  if (descr != NULL) {
    ndpi_serialize_string_string(ser, "description", descr);
  }

  pushAlertJson(ser, "cloud_reconnected", NULL, alert_category_system);
}
250
251
/* **************************************************** */
252
253
0
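/*
 * Queues an "snmp_trap" alert (category network).
 *
 * device_ip  address of the device, written under "device"; a NULL pointer
 *            is recorded as an empty string
 * descr      optional text, written under "description" only when non-NULL
 *
 * NOTE(review): both strings presumably originate from a received trap, so
 * they are set by whoever sent it - confirm with the caller. They are stored
 * verbatim; anything that renders or forwards the alert has to escape them.
 *
 * Nothing is queued when alerts are disabled or when the serializer cannot
 * be allocated. Ownership of the serializer passes to pushAlertJson().
 */
void AlertsQueue::pushSNMPTrapAlert(const char *device_ip, const char *descr) {
  ndpi_serializer *tlv;

  if (ntop->getPrefs()->are_alerts_disabled()) return;

  tlv = (ndpi_serializer *)calloc(1, sizeof(ndpi_serializer));

  if (tlv) {
    ndpi_init_serializer_ll(tlv, ndpi_serialization_format_tlv, 64);

    /*
     * Do not rely on how the serializer treats a NULL value (not visible
     * here): keep the "device" key and record an empty string instead.
     */
    ndpi_serialize_string_string(tlv, "device", device_ip ? device_ip : "");

    if (descr)
      ndpi_serialize_string_string(tlv, "description", descr);

    pushAlertJson(tlv, "snmp_trap", NULL, alert_category_network);
  }
}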
271
272
/* **************************************************** */