Per-host configurable alerts #3
Comments
ariava added a commit that referenced this issue on May 7, 2015
This commit lets alerts be generated only for local hosts and not for remote hosts. When a remote host can be mentioned in an alert because it holds a relevant role in it (e.g. it is an attacker of a local host), it is mentioned, but no specific alert is generated for it. This addresses issue #3.
ariava added a commit that referenced this issue on May 7, 2015
This commit moves alert thresholds so that they are now per host and not global. This addresses issue #3.
simonemainardi added a commit that referenced this issue on Mar 29, 2017
* thread #12: tid = 0x1e75b2, 0x00007fffa35024fc libsystem_pthread.dylib`pthread_mutex_lock, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
frame #0: 0x00007fffa35024fc libsystem_pthread.dylib`pthread_mutex_lock
* frame #1: 0x000000010007c6ef ntopng`Mutex::lock(this=0x27223d65756c617e, filename="src/ICMPstats.cpp", line=90) + 47 at Mutex.cpp:43
frame #2: 0x00000001000592be ntopng`ICMPstats::lua(this=0x27223d65756c6176, isV4=true, vm=0x0000000009620378) + 78 at ICMPstats.cpp:90
frame #3: 0x0000000100051cfd ntopng`Host::lua(this=0x0000000002026c00, vm=0x0000000009620378, ptree=0x0000000000000000, host_details=true, verbose=false, returnHost=false, asListElement=true, exclude_deserialized_bytes=false) + 1181 at Host.cpp:465
frame #4: 0x000000010008fe3f ntopng`NetworkInterface::getActiveHostsList(this=0x000000000180ba00, vm=0x0000000009620378, allowed_hosts=0x0000000000000000, host_details=true, location=location_all, countryFilter=0x0000000000000000, mac_filter=0x0000000000000000, vlan_id=0, osFilter=0x0000000000000000, asnFilter=4294967295, networkFilter=-2, pool_filter=65535, ipver_filter='\0', proto_filter=-1, sortColumn="column_ip", maxHits=32768, toSkip=0, a2zSortOrder=true) + 783 at NetworkInterface.cpp:3147
frame #5: 0x000000010006ce64 ntopng`ntop_get_interface_hosts(vm=0x0000000009620378, location=location_all) + 1220 at Lua.cpp:574
frame #6: 0x0000000100067d7a ntopng`ntop_get_interface_hosts_info(vm=0x0000000009620378) + 26 at Lua.cpp:652
frame #7: 0x00000001000fbec8 ntopng`lj_BC_FUNCC + 52
frame #8: 0x0000000100116243 ntopng`lua_pcall(L=0x0000000009620378, nargs=0, nresults=-1, errfunc=0) + 179 at lj_api.c:1052
frame #9: 0x000000010006104d ntopng`Lua::run_script(this=0x0000000004178f10, script_path="/Users/simone/code/ntopng/scripts/callbacks/minute.lua") + 157 at Lua.cpp:5952
frame #10: 0x00000001000a6afd ntopng`PeriodicActivities::runScript(this=0x000000000150a930, path="/Users/simone/code/ntopng/scripts/callbacks/minute.lua", when=1490790060) + 429 at PeriodicActivities.cpp:98
frame #11: 0x00000001000a6fbc ntopng`PeriodicActivities::minuteActivitiesLoop(this=0x000000000150a930) + 284 at PeriodicActivities.cpp:188
frame #12: 0x00000001000a68e5 ntopng`minuteStartLoop(ptr=0x000000000150a930) + 21 at PeriodicActivities.cpp:46
frame #13: 0x00007fffa3504aab libsystem_pthread.dylib`_pthread_body + 180
frame #14: 0x00007fffa35049f7 libsystem_pthread.dylib`_pthread_start + 286
frame #15: 0x00007fffa35041fd libsystem_pthread.dylib`thread_start + 13
lucaderi pushed a commit that referenced this issue on Apr 2, 2019
simonemainardi added a commit that referenced this issue on Oct 31, 2019
Fixes
Thread 15 "TrPoolWorker" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc9df4700 (LWP 314)]
0x000000000047e743 in Mac::incnDPIStats (this=0x7fff7a30a080, when=1572439200, ndpi_category=NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, sent_packets=0, sent_bytes=0, sent_goodput_bytes=0, rcvd_packets=1, rcvd_bytes=60, rcvd_goodput_bytes=2) at /home/deri/ntopng/include/Mac.h:140
140	stats->incnDPIStats(when, ndpi_category, sent_packets, sent_bytes, sent_goodput_bytes,
(gdb) bt
#0 0x000000000047e743 in Mac::incnDPIStats (this=0x7fff7a30a080, when=1572439200, ndpi_category=NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, sent_packets=0, sent_bytes=0, sent_goodput_bytes=0, rcvd_packets=1, rcvd_bytes=60, rcvd_goodput_bytes=2) at /home/deri/ntopng/include/Mac.h:140
#1 0x00000000004715b0 in Flow::periodic_stats_update (this=0x7ffee7685d50, user_data=0x7fffc9df3880, quick=true) at src/Flow.cpp:1154
#2 0x000000000048a175 in host_flow_update_stats (node=0x7ffee7685d50, user_data=0x7fffc9df3880, matched=0x7fffc9df37db) at src/NetworkInterface.cpp:2647
#3 0x00000000004596f4 in GenericHash::walk (this=0x4ab5ee0, begin_slot=0x7fffc9df387c, walk_all=true, walker=0x48a119 <host_flow_update_stats(GenericHashEntry*, void*, bool*)>, user_data=0x7fffc9df3880) at src/GenericHash.cpp:192
#4 0x000000000048365c in NetworkInterface::walker (this=0x113a570, begin_slot=0x7fffc9df387c, walk_all=true, wtype=walker_flows, walker=0x48a119 <host_flow_update_stats(GenericHashEntry*, void*, bool*)>, user_data=0x7fffc9df3880) at src/NetworkInterface.cpp:859
#5 0x000000000048a4e2 in NetworkInterface::periodicStatsUpdate (this=0x113a570) at src/NetworkInterface.cpp:2739
#6 0x00000000004cb574 in ntop_periodic_stats_update (vm=0x7fff91cf4e48) at src/LuaEngine.cpp:5891
#7 0x0000000000589a04 in luaD_precall ()
#8 0x0000000000595025 in luaV_execute ()
#9 0x0000000000589ccf in luaD_call ()
#10 0x0000000000589d21 in luaD_callnoyield ()
#11 0x000000000058913f in luaD_rawrunprotected ()
#12 0x000000000058a03d in luaD_pcall ()
#13 0x000000000058746f in lua_pcallk ()
#14 0x000000000053f280 in LuaHandler::luaL_dofileM (this=0x7fff90d5bb00, execute=true) at pro/LuaHandler.cpp:32
#15 0x00000000004d866f in __ntop_lua_handlefile (L=0x7fff91cf4e48, script_path=0x7fff8c0008e0 "/home/deri/ntopng/scripts/callbacks/interface/stats_update.lua", ex=true) at src/LuaEngine.cpp:10107
#16 0x00000000004d99ae in LuaEngine::run_script (this=0x7fff9076c530, script_path=0x7fff8c0008e0 "/home/deri/ntopng/scripts/callbacks/interface/stats_update.lua", iface=0x113a570, load_only=false) at src/LuaEngine.cpp:11095
#17 0x00000000004aa6c5 in ThreadedActivity::runScript (this=0xae03410, script_path=0x7fff8c0008e0 "/home/deri/ntopng/scripts/callbacks/interface/stats_update.lua", iface=0x113a570) at src/ThreadedActivity.cpp:232
#18 0x00000000004e435c in ThreadPool::run (this=0xacc4620) at src/ThreadPool.cpp:100
#19 0x00000000004e3f3f in doRun (ptr=0xacc4620) at src/ThreadPool.cpp:31
#20 0x00007ffff65bd6ba in start_thread (arg=0x7fffc9df4700) at pthread_create.c:333
#21 0x00007ffff490941d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) f 140
#0 0x0000000000000000 in ?? ()
(gdb) f 0
#0 0x000000000047e743 in Mac::incnDPIStats (this=0x7fff7a30a080, when=1572439200, ndpi_category=NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, sent_packets=0, sent_bytes=0, sent_goodput_bytes=0, rcvd_packets=1, rcvd_bytes=60, rcvd_goodput_bytes=2) at /home/deri/ntopng/include/Mac.h:140
140	stats->incnDPIStats(when, ndpi_category, sent_packets, sent_bytes, sent_goodput_bytes,
(gdb) p stats
$1 = (MacStats *) 0x0
emanuele-f pushed a commit that referenced this issue on Feb 17, 2020
Leak trace:
Direct leak of 14 byte(s) in 1 object(s) allocated from:
#0 0x564eb47ef589 in strdup (/home/emanuele/src/ntopng/ntopng+0x15a589)
#1 0x564eb4ad5d85 in ZMQParserInterface::parsePENNtopField(ParsedFlow*, unsigned int, ParsedValue*) const /home/emanuele/src/ntopng/src/ZMQParserInterface.cpp:556:25
#2 0x564eb4adae10 in ZMQParserInterface::parseSingleTLVFlow(ndpi_serializer*, unsigned char) /home/emanuele/src/ntopng/src/ZMQParserInterface.cpp:1237:14
#3 0x564eb4adbd3e in ZMQParserInterface::parseTLVFlow(char const*, int, unsigned char, void*) /home/emanuele/src/ntopng/src/ZMQParserInterface.cpp:1423:8
#4 0x564eb4ad06a1 in ZMQCollectorInterface::collect_flows() /home/emanuele/src/ntopng/src/ZMQCollectorInterface.cpp:421:38
#5 0x564eb4ad105f in packetPollLoop(void*) /home/emanuele/src/ntopng/src/ZMQCollectorInterface.cpp:469:10
#6 0x7fc0b4a0b46e in start_thread (/usr/lib/libpthread.so.0+0x946e)
simonemainardi added a commit that referenced this issue on Apr 26, 2021
simonemainardi added a commit that referenced this issue on Apr 26, 2021
alert store skeleton
Alert database type changes
Implement alert store for host alerts.
All alert store skeletons.
Fix class method access
Enable tracing
Implements simple queries for host alerts
Implement flow alert store
Fixes escaping of INSERT queries
Flow alerts database schema fixes
Adds escaping for alert JSON in flows and hosts
Implements queries .select() for alerts store
Adds limit and offset to perform paginated queries
Adds new REST getter for flow alerts
Name changes alert_severity to severity, alert_json to json
Fixes alert message not shown
Implement active monitoring alerts store
Implements sort of queries in the new database
Changes alert_type to alert_id
Implement mac alerts store
Fixes flow alert messages
Implement system alerts store
Implement snmp alert store
Add missing items to the flow alerts
Add missing items to the host alerts
Add missing items to the mac alerts
Implements COUNT alerts api
Add device_name to snmp alerts
add flow alerts templates
updated gitignore
fix for missing order field
add families defined in `alert_store_schema.sql`
Reworks and simplifies alert store subclasses
Implements REST API to fetch alert timeseries
Fixes date in flow REST api
Host alert json fix
Add get/host/alert/list.lua
Move alert/list.lua to alert/past/list.lua
Add alert/past/list.lua for all alert families
Add entity_id to system table to identify the alert type based on <alert_id, entity_id>
Add missing field
Implements facilities to query engaged alerts via REST
Handle both historical and past alerts in alert/list.lua
Fix count
Update params of select_historical
Implement method to add family-specific filters
Add alert/ts.lua for all alert families
Implements facilities and REST endpoints to delete alerts
Implements ordering of alert queries
Fix add_order_by group_by
Rest API tests update
Tests output update
Remove debug trace
Use alert_id instead of type.
Add more flow alert info.
Update http lint
Format obsolete tlv version alerts.
Add more host info.
Add row_id to list of alerts
Fix selection of engaged alerts
Add test for mac alerts (bcast domains)
Removes attempt to format alerts as flow alerts
Fixes interface selection for active monitoring
Update test output with rest changes
Add more fields to be ignored
Set alert count to 1 for the time being
add bar timeseries chart
add apexcharts
improvements on timeseries bar chart
registered chart callbacks
working on alert page
fix for date format
Fixes active monitoring REST API
Fixes alignment of grouped alert data
Additional fix for alert histogram
remove useless if
formatting alerts page
fixes on flows alert stats table
rename local networks to device
format host page in alert_stats
add tag support for hosts and flow
implemented single delete action
add release modal
Fixes format of threshold cross interface alerts
Fixes wrong increase of dropped alerts
Implements exclusion list for invalid dns queries
Reworks exclusions lists for hosts and flows
Addresses #5212
Addresses #5113
Adds host alert keys in host callbacks definitions
Adds alert ids to flow callbacks
fix for not working button (#5215)
Fixes reported timeseries name
removed any additional button inside chart's toolbar (#5200)
Add tables for interfaces, networks, users to the schema.
Skeleton alert_store classes
fixed broken range picker layout in firefox (#5199)
Alert insert fixes
Add more info to network alerts
Add rest endpoint for interface, network, user alerts
Fix endpoint selection in alerts_stats
Unifies columns between engaged and past alerts
Fixes Missing mandatory 'alert_granularity'
Minor fixes for missing alert_severity
Fixes arithmetic on a nil value (field 'last_seen')
Fixes get/system/alert/list.lua
use tstamp for column names (#5221)
Implements host alert formatter
Add alerts_store format_record_common
Use common format_record for am, system alerts
Use common format_record for all alerts
Fixes formatting of alerts of all types
Fixes nil in function 'hostinfo2label'
fixes on disable modal
add pages for network, user and interface endpoint (#5224)
Set alert_entity in all classes
Unifies influxdb alerts into system alerts
Addresses #5224
Unifies process alerts into system alerts
Addresses #5224
Cleanup unused periodicActivityEntity
Unifies category lists alerts into system alerts
Addresses #5224
Aligns new alert enums
Addresses #5224
Fixes alert page links
Fixes insertion of interface alerts
Implement filters for Host alerts
Fixes active monitoring alerts not triggering
Implement filters on flow alerts
Fixes for internal alerts timestamp and subtype
implements disable for the alerts
formatted alert disable label
Add address and device type to mac alert records
fix for delete alert toggle
Fix access to entity_val in alert_unexpected_new_device
add mac address and device type inside table
Fixes for new alert fields not handled
Fixes alert_definitions to handle new fields
Add ip/port to snmp alert records
Implements deletion of stored flow alerts
Add alert_name to all alert records via rest.
Fix duration.
fixes for snmp tab
Implements delete of past host alerts
Add name to snmp alert records
fixes on system tab
Fix Date column
fixes link
Update menu
Fixes bad argument #3 to 'format' in snmp alerts
updated interface link
new alerts url for host (#5228)
Fixes sort of engaged alert
Minor cleanup
Fixes data returned for local network alerts
Fix duration for one shot.
Note.
Fix duration override
Fixes interface selection for system alerts
Move host alert page
fixes for local network tab
Minor fix
Fix engaged host alerts
fixes on user tab
Fix alert_user_activity message
Add per-host thresholds so that alerts are not generated with a global threshold that might be too high for some hosts and too little for others.
Alerts need to be generated for local hosts only and ignored for others. For example, if local host X is under a flood attack by remote host Y, the alert should report this (i.e. both X and Y must be named), but no state for host Y must be kept.
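The two requirements above, as an added example that is not ntopng's code: each local host carries its own flood threshold, an alert is raised only when the target is local, and a remote peer is named in the alert text without any state being created for it. Class and field names and the addresses are constructed for the example.

```cpp
#include <map>
#include <string>
#include <vector>
// Constructed example, not ntopng code: alert evaluation with per-host
// thresholds, raised for local hosts only, as requested in issue #3.
struct HostState {
  unsigned long long flood_threshold;  // packets/s above which a flood alert fires
  std::vector<std::string> alerts;     // alerts raised for this host
};

class AlertEngine {
 public:
  // Only local hosts are registered; remote hosts never get an entry.
  void add_local_host(const std::string& ip, unsigned long long threshold) {
    hosts_[ip] = HostState{threshold, {}};
  }
  // Evaluate traffic from src to dst at pps packets/s; true if an alert fired for dst.
  bool observe(const std::string& src, const std::string& dst, unsigned long long pps) {
    auto it = hosts_.find(dst);
    if (it == hosts_.end()) return false;  // dst is remote: no alert, no state kept
    HostState& h = it->second;
    if (pps <= h.flood_threshold) return false;  // below this host's own threshold
    // src may be remote: it is named in the message but never inserted in hosts_
    h.alerts.push_back("flood on " + dst + " from " + src + ": " + std::to_string(pps) +
                       " pps > " + std::to_string(h.flood_threshold));
    return true;
  }
  bool tracked(const std::string& ip) const { return hosts_.count(ip) != 0; }
  const std::vector<std::string>& alerts_for(const std::string& ip) const {
    return hosts_.at(ip).alerts;
  }
 private:
  std::map<std::string, HostState> hosts_;  // state exists for local hosts only
};

// Stand-alone demo: a busy server and a printer see the same 500 pps burst.
// A single global threshold of 1000 would miss the printer flood and one of
// 100 would false-alarm on the server; per-host thresholds get both right.
int main() {
  AlertEngine e;
  e.add_local_host("192.168.1.10", 1000);  // server, high baseline
  e.add_local_host("192.168.1.20", 100);   // printer, low baseline
  e.observe("203.0.113.5", "192.168.1.10", 500);  // no alert
  e.observe("203.0.113.5", "192.168.1.20", 500);  // alert naming 203.0.113.5
  e.observe("192.168.1.20", "203.0.113.5", 500);  // remote target: ignored
  return (e.alerts_for("192.168.1.20").size() == 1 && !e.tracked("203.0.113.5")) ? 0 : 1;
}
```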