Merge branch 'ntop:dev' into dev

http_src/vue/page-as-stats.vue

@@ -43,7 +43,8 @@ const map_table_def_columns = (columns) => {
             let return_value = "";
 
             if (asName.length > 0) {
-                return_value += `<A class='ntopng-external-link' href='https://stat.ripe.net/app/launchpad/S1_${row["asn"]}_C13C31C4C34C9C22C28C20C6C7C26C29C30C14C17C2C21C33C16C10'>${row["asname"]}&nbsp;<i class='fas fa-external-link-alt fa-lg'></i></A>`
+                return_value += `${row["asname"]} [ <A class='ntopng-external-link' href='https://stat.ripe.net/app/launchpad/S1_${row["asn"]}_C13C31C4C34C9C22C28C20C6C7C26C29C30C14C17C2C21C33C16C10'>RIPEstat <i class='fas fa-external-link-alt fa-sm'></i></A>`;
+                return_value += ` | <A class='ntopng-external-link' href='https://www.peeringdb.com/asn/${row["asn"]}'>PeeringDB <i class='fas fa-external-link-alt fa-sm'></i></A> ]`;
             }
             return return_value;
         },

include/NetworkInterface.h

@@ -1267,7 +1267,6 @@ class NetworkInterface : public NetworkInterfaceAlertableEntity {
                                ndpi_protocol_category_t protoCategory);
   bool nDPILoadIPCategory(char *what, u_int16_t id, char *list_name);
   bool nDPILoadHostnameCategory(char *what, u_int16_t id, char *list_name);
-  int nDPILoadMaliciousJA3Signatures(const char *file_path);
   int setDomainMask(const char *domain, u_int64_t domain_mask);
   int addTrustedIssuerDN(const char *dn);
   inline void setLastInterfacenDPIReload(time_t now) { last_ndpi_reload = now; }

include/Ntop.h

@@ -773,7 +773,6 @@ class Ntop {
                           char *list_name);
   bool nDPILoadHostnameCategory(char *what, ndpi_protocol_category_t id,
                                 char *list_name);
-  int nDPILoadMaliciousJA3Signatures(const char *file_path);
   int nDPISetDomainMask(const char *domain, u_int64_t domain_mask);
   void setLastInterfacenDPIReload(time_t now);
   bool needsnDPICleanup();

include/flow_checks/FlowRiskMaliciousFingerprint.h

@@ -19,20 +19,20 @@
  *
  */
 
-#ifndef _FLOW_RISK_MALICIOUS_JA3_H_
-#define _FLOW_RISK_MALICIOUS_JA3_H_
+#ifndef _FLOW_RISK_MALICIOUS_FINGERPRINT_H_
+#define _FLOW_RISK_MALICIOUS_FINGERPRINT_H_
 
 #include "ntop_includes.h"
 
-class FlowRiskMaliciousJA3 : public FlowRisk {
+class FlowRiskMaliciousFingerprint : public FlowRisk {
  private:
   FlowAlertType getAlertType() const {
     return FlowRiskMaliciousFingerprintAlert::getClassType();
   }
 
  public:
-  FlowRiskMaliciousJA3(){};
-  ~FlowRiskMaliciousJA3(){};
+  FlowRiskMaliciousFingerprint(){};
+  ~FlowRiskMaliciousFingerprint(){};
 
   FlowAlert *buildAlert(Flow *f) {
     return new FlowRiskMaliciousFingerprintAlert(this, f);
@@ -47,4 +47,4 @@ class FlowRiskMaliciousJA3 : public FlowRisk {
   }
 };
 
-#endif /* _FLOW_RISK_MALICIOUS_JA3_H_ */
+#endif /* _FLOW_RISK_MALICIOUS_FINGERPRINT_H_ */

include/ntop_typedefs.h

@@ -507,7 +507,7 @@ typedef enum {
   flow_alert_ndpi_anonymous_subscriber = 76,
   flow_alert_unidirectional_traffic = 77,
   flow_alert_ndpi_desktop_or_file_sharing_session = 78,
-  flow_alert_ndpi_malicious_ja3 = 79,
+  flow_alert_ndpi_malicious_fingerprint = 79,
   flow_alert_ndpi_malicious_sha1_certificate = 80,
   flow_alert_ndpi_tls_uncommon_alpn = 81,
   flow_alert_ndpi_tls_suspicious_extension = 82,

scripts/locales/en.lua

@@ -379,13 +379,6 @@ local lang = {
   ["is_connected"] = "is connected",
   ["issuerDN"] = "IssuerDN",
   ["issues_score"] = "Score / Issues",
-  ["ja3_client"] = "JA3 Client",
-  ["ja3_client_hash"] = "JA3 Client Hash",
-  ["ja3_fingerprint"] = "JA3 Fingerprint",
-  ["ja3_server"] = "JA3 Server",
-  ["ja3_server_cipher"] = "JA3 Server Cipher",
-  ["ja3_server_hash"] = "JA3 Server Hash",
-  ["ja3_server_unsafe_cipher"] = "Cipher State",
   ["ja4_client_hash"] = "JA4 Client Hash",
   ["json"] = "JSON",
   ["jump_to_chart"] = "Chart View",
@@ -1285,7 +1278,7 @@ local lang = {
     ["mac_ip_association_change"] = "IP/MAC Reassoc/Spoofing",
     ["mac_ip_association_change_descr"] = "Trigger an alert when an IP address, previously seen with a MAC address, is now seen with another MAC address. This alert might indicate an ARP spoof attempt. Only works for the builtin alert recipient.",
     ["main_alert"] = "Main Alert",
-    ["malicious_signature_detected"] = "Malicious signature detected [Client JA3 Hash: %{ja3_hash}]",
+    ["malicious_signature_detected"] = "Malicious signature detected",
     ["many_replies"] = "%{count} %{what} replies",
     ["many_requests"] = "%{count} %{what} requests",
     ["memory_ts"] = "Memory Timeseries",
@@ -1303,7 +1296,7 @@ local lang = {
     ["ndpi_http_suspicious_url_title"] = "HTTP Susp. URL",
     ["ndpi_http_suspicious_user_agent_title"] = "HTTP Susp. User-Agent",
     ["ndpi_malformed_packet_title"] = "Malformed Packet",
-    ["ndpi_malicious_ja3_title"] = "Possibly Malicious JA3",
+    ["ndpi_malicious_fingerprint_title"] = "Possibly Malicious Fingerprint",
     ["ndpi_malicious_sha1"] = "Malicious SHA1 Cert",
     ["ndpi_risky_asn_title"] = "Risky ASN",
     ["ndpi_risky_domain_title"] = "Risky Domain",
@@ -1630,7 +1623,6 @@ local lang = {
     ["server_returned_error"] = "The server returned an error",
     ["too_many_hosts_loaded"] = "Domain names limit reached (%{limit} domains)",
     ["too_many_ips_loaded"] = "IP addresses limit reached (%{limit} addresses)",
-    ["too_many_ja3_loaded"] = "JA3 signatures limit reached (%{limit} signatures)",
     ["update_frequency"] = "Update Frequency",
     ["update_now"] = "Update Now",
   },
@@ -2208,7 +2200,6 @@ local lang = {
       ["ip_address"] = "IP",
       ["ip_version"] = "IP Version",
       ["issuer_dn"] = "TLS Issuer DN",
-      ["ja3"] = "JA3",
       ["l4proto"] = "Protocol",
       ["l7_proto"] = "Application",
       ["l7cat"] = "Category",
@@ -2986,8 +2977,8 @@ local lang = {
     ["lateral_movement_title"] = "Service Map Lateral Movement Detection",
     ["long_lived"] = "Long Lived",
     ["long_lived_description"] = "Trigger an alert when a flow lasts more than the configured duration",
-    ["malicious_ja3"] = "Malicious JA3 Fingerp.",
-    ["malicious_ja3_description"] = "Trigger an alert when a JA3 of the TLS connection is considered suspicious",
+    ["malicious_fingerprint"] = "Malicious Fingerprint",
+    ["malicious_fingerprint_description"] = "Trigger an alert when a fingerprint of the TLS connection is considered suspicious",
     ["malicious_sha1_certificate"] = "Malicious JA3 SHA1 Cert.",
     ["malicious_sha1_certificate_description"] = "Trigger an alert when a SHA1 certificate of the TLS connection is found on a blacklist",
     ["malicious_signature"] = "Malicious JA3 Signature",
@@ -3164,7 +3155,6 @@ local lang = {
     ["looks_like_idle_flow_message"] = "This looks like an <font color=red>idle flow</font> with periodic transmissions just to keep it alive.",
     ["lost_packets"] = "Lost Packets",
     ["low_goodput"] = "Low Goodput",
-    ["malicious_ja3_signature"] = "Possibly Malicious %{cli_or_srv} Signature [JA3: <a href=\"%{url}\">%{signature}</a> %{icon}]",
     ["max_estimated_tcp_throughput"] = "Max (Estimated) TCP Throughput",
     ["max_packet_interarrival_time"] = "Max Packet Interarrival Time",
     ["mean_rtt"] = "Mean RTT",
@@ -3550,7 +3540,6 @@ local lang = {
     ["ipv6_next_hop"] = "IPv6 next hop address",
     ["ipv6_src_addr"] = "IPv6 source address",
     ["ipv6_src_mask"] = "IPv6 source mask",
-    ["ja3"] = "JA3",
     ["l4_dst_port"] = "Layer 4 destination port",
     ["l4_dst_port_map"] = "Layer 4 destination port symbolic name",
     ["l4_src_port"] = "IPv4 source port",
@@ -3884,7 +3873,7 @@ local lang = {
     ["ndpi_known_protocol_on_non_standard_port"] = "Known Proto on Non Std Por",
     ["ndpi_malformed_packet"] = "Malformed packet",
     ["ndpi_malformed_packet_descr"] = "Some packet has an unexpected format",
-    ["ndpi_malicious_ja3"] = "Possibly Malicious Signature (JA3)",
+    ["ndpi_malicious_fingerprint"] = "Possibly Malicious Fingerprint",
     ["ndpi_malicious_sha1_certificate"] = "Malicisous SHA1 TLS Cert",
     ["ndpi_no_risk"] = "No risk",
     ["ndpi_periodic_flow_descr"] = "Periodic flow",

scripts/lua/as_stats.lua

@@ -70,6 +70,7 @@ local context = {
 local json_context = json.encode(context)
 
 if page == "overview" or not page then
+   -- Edit page-as-stats.vue (see http_src/vue/ntop_vue.js)
     template_utils.render("pages/vue_page.template", {
         vue_page_name = "PageAsStats",
         page_context = json_context

scripts/lua/modules/alert_definitions/flow/alert_ndpi_malicious_ja3.lua → scripts/lua/modules/alert_definitions/flow/alert_ndpi_malicious_fingerprint.lua

@@ -15,13 +15,13 @@ local mitre = require "mitre_utils"
 
 -- ##############################################
 
-local alert_ndpi_malicious_ja3 = classes.class(alert)
+local alert_ndpi_malicious_fingerprint = classes.class(alert)
 
 -- ##############################################
 
-alert_ndpi_malicious_ja3.meta = {
-  alert_key = flow_alert_keys.flow_alert_ndpi_malicious_ja3,
-  i18n_title = "flow_checks_config.malicious_ja3",
+alert_ndpi_malicious_fingerprint.meta = {
+  alert_key = flow_alert_keys.flow_alert_ndpi_malicious_fingerprint,
+  i18n_title = "flow_checks_config.malicious_fingerprint",
   icon = "fas fa-fw fa-info-circle",
 
    -- Mitre Att&ck Matrix values
@@ -36,12 +36,12 @@ alert_ndpi_malicious_ja3.meta = {
 
 -- @brief Prepare an alert table used to generate the alert
 -- @return A table with the alert built
-function alert_ndpi_malicious_ja3:init()
+function alert_ndpi_malicious_fingerprint:init()
    -- Call the parent constructor
    self.super:init()
 end
 
 -- #######################################################
 
-return alert_ndpi_malicious_ja3
+return alert_ndpi_malicious_fingerprint
 

scripts/lua/modules/alert_keys/flow_alert_keys.lua

@@ -85,7 +85,7 @@ local flow_alert_keys = {
    flow_alert_ndpi_anonymous_subscriber            = 76,
    flow_alert_unidirectional_traffic               = 77,
    flow_alert_ndpi_desktop_or_file_sharing_session = 78,
-   flow_alert_ndpi_malicious_ja3                   = 79,
+   flow_alert_ndpi_malicious_fingerprint           = 79,
    flow_alert_ndpi_malicious_sha1_certificate      = 80,
    flow_alert_ndpi_tls_uncommon_alpn               = 81,
    flow_alert_ndpi_tls_suspicious_extension        = 82,

scripts/lua/modules/check_definitions/flow/ndpi_malicious_ja3.lua → scripts/lua/modules/check_definitions/flow/ndpi_malicious_fingerprint.lua

@@ -13,14 +13,14 @@ local script = {
    category = checks.check_categories.security,
 
    -- This script is only for alerts generation
-   alert_id = flow_alert_keys.flow_alert_ndpi_malicious_ja3,
+   alert_id = flow_alert_keys.flow_alert_ndpi_malicious_fingerprint,
 
    default_value = {
    },
 
    gui = {
-      i18n_title = "flow_checks_config.malicious_ja3",
-      i18n_description = "flow_checks_config.malicious_ja3_description",
+      i18n_title = "flow_checks_config.malicious_fingerprint",
+      i18n_description = "flow_checks_config.malicious_fingerprint_description",
    }
 }
 

scripts/lua/modules/checks.lua

@@ -412,10 +412,10 @@ local function init_check(check, mod_fname, full_path, script, script_type, subd
 
         -- Possibly localize the input title/description
         if check.gui.input_title then
-            check.gui.input_title = check.gui.input_title
+            check.gui.input_title = i18n(check.gui.input_title)
         end
         if check.gui.input_description then
-            check.gui.input_description = check.gui.input_description
+            check.gui.input_description = i18n(check.gui.input_description)
         end
     end