File: flow_field_value_maps.lua

ntopng 5.2.1%2Bdfsg1-2
--
-- (C) 2014-22 - ntop.org
--

-- Look up ntopng's directories; only installdir is used below.
local dirs = ntop.getDirs()
-- Prepend the flow_field_value_maps directory to the module search path.
-- This must happen before any value-map module is require()d by name.
-- package.path is shared by the whole Lua state, so a file in this directory
-- takes precedence over a same-named module further down the path.
-- NOTE(review): the directory therefore needs the same write protection as
-- the rest of the install tree.
package.path = dirs.installdir .. "/scripts/lua/modules/flow_field_value_maps/?.lua;" .. package.path

-- NOTE(review): os_utils is not referenced in the code shown here.
local os_utils = require "os_utils"
local json = require "dkjson"

-- Module table; returned at the end of the file.
local flow_field_value_maps = {}

-- PEN string that map_field_value handles specially by offsetting the field id.
local NTOP_PEN = "35632"

-- Loaded value-map modules, keyed by PEN string. Filled lazily by
-- init_flow_field_value_map.
local pen_map = {}

-- Fixed PEN -> module-name table. init_flow_field_value_map only passes values
-- taken from this table to require(), so a PEN parsed from a flow field key can
-- select one of these entries but never supplies a module name itself.
local pen_to_map_file = {
   ["8741"] = "sonicwall_app_id"
}

-- ################################################################################

--- Load, on first use, the value-map module registered for a PEN.
-- The module name always comes from pen_to_map_file; PENs without an entry
-- there are ignored, so the argument never reaches require() directly.
-- @param field_pen PEN as a string (e.g. "8741")
local function init_flow_field_value_map(field_pen)
   local map_module = pen_to_map_file[field_pen]

   -- Nothing registered for this PEN, or its module is already cached
   if not map_module or pen_map[field_pen] then
      return
   end

   pen_map[field_pen] = require(map_module)
end

-- ################################################################################

--- Split a flow field key into its dot-separated components.
--
-- nProbe exports vendor-specific fields as "<PEN>.<TYPE>", e.g. "8741.22":
-- 8741 is the PEN of Sonicwall and 22 is the field type under that PEN.
--
-- NOTE(review): `split` is not a stock Lua string method; it is presumably
-- added to the string library elsewhere in ntopng. A non-string `field`
-- raises here.
--
-- @param field flow field key
-- @return the first three components, as returned by split (nil where absent)
function flow_field_value_maps.key_to_pen_type_and_value(field)
   local parts = field:split("%.")

   -- A falsy result from split is treated as "no components"
   if not parts then
      parts = {}
   end

   local pen, field_id, extra = parts[1], parts[2], parts[3]

   return pen, field_id, extra
end

-- ################################################################################

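--- Look up a value name in the mappings nProbe sent over the options topic.
--
-- The mappings are read from a hash cache keyed by interface, PEN and field id;
-- `value` is passed as the second argument of ntop.getHashCache. The cached
-- entry is decoded as JSON and its "name" member, when present, replaces the
-- raw value.
--
-- The cache content originates from data received from nProbe, so it is
-- validated before use: anything that is not a JSON object is ignored rather
-- than indexed, because indexing a decoded number or boolean raises an error.
-- NOTE(review): the returned name is externally supplied text; callers that
-- render it should escape it like any other untrusted string.
--
-- @param ifid  interface id (formatted with %u)
-- @param pen   PEN, numeric or a numeric string (formatted with %u)
-- @param field field id (formatted with %u)
-- @param value raw field value
-- @return the mapped name, or `value` unchanged when no usable mapping exists
function flow_field_value_maps.options_topic_field_value_map(ifid, pen, field, value)
   -- check the hash cache set when nProbe tells us the mappings over the options topic
   local k = string.format("ntopng.cache.ifid_%u.field_value_map.pen_%u.field_%u", ifid, pen, field)
   local res = ntop.getHashCache(k, value)

   -- The decoder needs a string; treat any other result as "no mapping"
   if type(res) ~= "string" then
      return value
   end

   local jres = json.decode(res)

   -- Only a decoded object can carry a "name"; scalars are not indexed
   if type(jres) == "table" and jres["name"] then
      return jres["name"]
   end

   return value
end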

-- ################################################################################

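--- Map a flow field key and its value to more readable forms.
--
-- `field` is expected to look like "<PEN>.<TYPE>" (see
-- key_to_pen_type_and_value). Field keys come from exported flow data, so both
-- parts are checked to be numeric before use. A key that does not split into a
-- numeric PEN and a numeric type is returned untouched with its value, instead
-- of raising later in string.format("%u", ...).
--
-- NOTE(review): NTOP_BASE_ID and rtemplate are not defined in this file; they
-- are read as globals and are presumably set up by flow_utils.lua. Confirm
-- they are loaded before this function runs.
--
-- @param ifid  interface id, forwarded to the per-PEN map and the cache lookup
-- @param field flow field key
-- @param value raw field value
-- @return field (possibly replaced by a mapped name) and value (possibly mapped)
function flow_field_value_maps.map_field_value(ifid, field, value)
   local field_pen, field_id = flow_field_value_maps.key_to_pen_type_and_value(field)

   -- if pen or type is nil then
   -- it has not been possible to extract pen and type (string field?)
   -- so no mapping can be found for this value
   if field_pen == nil or field_id == nil then
      return field, value
   end

   field_id = tonumber(field_id)

   -- Non-numeric PEN or type: not a "<PEN>.<TYPE>" key, so nothing to map.
   -- Without this check the cache-key formatting below raises on such keys.
   if field_id == nil or tonumber(field_pen) == nil then
      return field, value
   end

   if field_pen == NTOP_PEN then
      -- ntop
      field_id = field_id + NTOP_BASE_ID
   end

   -- lazy init of the mapping
   init_flow_field_value_map(field_pen)

   -- do the actual mapping
   if pen_map[field_pen] then
      field, value = pen_map[field_pen].map_field_value(ifid, field_id, value)
   elseif rtemplate[field_id] then
      -- If there's no match on pen_map, attempt at decoding using the nProbe rtemplate
      -- NOTE: see function getFlowKey in flow_utils.lua
      field = rtemplate[field_id]
   end

   -- override the static mappings with those received from nProbe on the options topic
   value = flow_field_value_maps.options_topic_field_value_map(ifid, field_pen, field_id, value)

   return field, value
end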

-- ################################################################################

return flow_field_value_maps