jokob-sk / NetAlertX

🖧🔍 WIFI / LAN intruder detector. Scans for devices connected to your network and alerts you if new and unknown devices are found.
GNU General Public License v3.0
3.13k stars 188 forks

Presence detection for "always-on" devices or imported devices #814

Closed ingoratsdorf closed 3 weeks ago

ingoratsdorf commented 1 month ago

Is there an existing issue for this?

Current Behavior

When a device is always on or has been imported before being scanned and discovered, the presence detection fails. Although the device is online, there are no sessions, no events, and no presence.

Expected Behavior

Device to show up in presence when online.

Steps To Reproduce

  1. Have an always-on device like a smart switch, wifi router, access point or simply import devices from a previous backup.
  2. Check presence.
  3. Device not present, although online.

Example: image There's an "online since" field that is populated, but not sure from where?

Cause there are no sessions: image

And no events either: image

Presence in the device details page seems to have randomly stopped somewhere: image

And presence in the monitoring page is not even there at all: image

I have a few of such devices, some of them do not even have a presence in device details page.

Any ideas? The only thing I could think of would be: If a device gets detected as online, then check if there's a previous 'device-online' event, if not, create one with now as datetime stamp.

app.conf

No response

docker-compose.yml

No response

What branch are you running?

Dev

app.log

No response

Debug enabled

jokob-sk commented 1 month ago

Hi @ingoratsdorf ,

Thanks for the report!

I've been avoiding this part of the app since I started maintaining it. The code isn't very readable IMO so I tried to avoid touching it. I know there are a couple of bugs, but I'd say they are non-breaking issues. I will try to have a look in the next few days, but not sure if I can find the bug.

If you have the availability and interest, these are the 2 files which I think need to be fixed.

https://github.com/jokob-sk/NetAlertX/blob/main/front/php/server/events.php

https://github.com/jokob-sk/NetAlertX/blob/main/server/networkscan.py#L176

johnwang16 commented 1 month ago

It's because of SELECT * FROM Convert_Events_to_Sessions on line 173 of networkscan.py

In the SQLite file, Convert_Events_to_Sessions corresponds to a view that selects from the Events table. This determines whether a session begins based on the following events: 'New Device','Connected', however this misses the event 'Down Reconnected', which is why it never starts a new session for some devices.

Connecting to SQLite and fixing the view allowed the sessions to show up for me. I'm not sure what the best way of fixing this for existing users would be since it's essentially a one time database update.

```sql
DROP VIEW Convert_Events_to_Sessions;
CREATE VIEW Convert_Events_to_Sessions AS
    SELECT EVE1.eve_MAC,
           EVE1.eve_IP,
           EVE1.eve_EventType AS eve_EventTypeConnection,
           EVE1.eve_DateTime AS eve_DateTimeConnection,
           CASE WHEN EVE2.eve_EventType IN ('Disconnected', 'Device Down') OR
                     EVE2.eve_EventType IS NULL THEN EVE2.eve_EventType ELSE '<missing event>' END AS eve_EventTypeDisconnection,
           CASE WHEN EVE2.eve_EventType IN ('Disconnected', 'Device Down') THEN EVE2.eve_DateTime ELSE NULL END AS eve_DateTimeDisconnection,
           CASE WHEN EVE2.eve_EventType IS NULL THEN 1 ELSE 0 END AS eve_StillConnected,
           EVE1.eve_AdditionalInfo
      FROM Events AS EVE1
           LEFT JOIN
           Events AS EVE2 ON EVE1.eve_PairEventRowID = EVE2.RowID
     WHERE EVE1.eve_EventType IN ('New Device', 'Connected','Down Reconnected')
UNION
    SELECT eve_MAC,
           eve_IP,
           '<missing event>' AS eve_EventTypeConnection,
           NULL AS eve_DateTimeConnection,
           eve_EventType AS eve_EventTypeDisconnection,
           eve_DateTime AS eve_DateTimeDisconnection,
           0 AS eve_StillConnected,
           eve_AdditionalInfo
      FROM Events AS EVE1
     WHERE (eve_EventType = 'Device Down' OR
            eve_EventType = 'Disconnected') AND
           EVE1.eve_PairEventRowID IS NULL;
```
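
One way to apply the one-time view update described above to existing databases, as an added example (not NetAlertX code and not the fix that was merged): an idempotent check against `sqlite_master` that recreates the view only when its stored definition lacks 'Down Reconnected'. The function names `migrate_view` and `demo`, the minimal `Events` schema and the sample row are assumptions made for illustration.

```python
import sqlite3

# The corrected view from the comment above, condensed (second SELECT's aliases dropped).
VIEW_SQL = """
CREATE VIEW Convert_Events_to_Sessions AS
SELECT EVE1.eve_MAC, EVE1.eve_IP,
       EVE1.eve_EventType AS eve_EventTypeConnection,
       EVE1.eve_DateTime AS eve_DateTimeConnection,
       CASE WHEN EVE2.eve_EventType IN ('Disconnected', 'Device Down')
                 OR EVE2.eve_EventType IS NULL THEN EVE2.eve_EventType
            ELSE '<missing event>' END AS eve_EventTypeDisconnection,
       CASE WHEN EVE2.eve_EventType IN ('Disconnected', 'Device Down')
            THEN EVE2.eve_DateTime ELSE NULL END AS eve_DateTimeDisconnection,
       CASE WHEN EVE2.eve_EventType IS NULL THEN 1 ELSE 0 END AS eve_StillConnected,
       EVE1.eve_AdditionalInfo
  FROM Events AS EVE1 LEFT JOIN Events AS EVE2 ON EVE1.eve_PairEventRowID = EVE2.RowID
 WHERE EVE1.eve_EventType IN ('New Device', 'Connected', 'Down Reconnected')
UNION
SELECT eve_MAC, eve_IP, '<missing event>', NULL, eve_EventType, eve_DateTime,
       0, eve_AdditionalInfo
  FROM Events
 WHERE eve_EventType IN ('Device Down', 'Disconnected') AND eve_PairEventRowID IS NULL
"""

def migrate_view(conn):
    """Recreate the view only if its stored definition lacks 'Down Reconnected'."""
    row = conn.execute("SELECT sql FROM sqlite_master WHERE type = 'view' "
                       "AND name = 'Convert_Events_to_Sessions'").fetchone()
    if row and "'Down Reconnected'" in row[0]:
        return False  # already fixed, safe to call on every start
    with conn:  # commits on success, rolls back if either statement fails
        conn.execute("BEGIN")  # assumes no transaction is already open on conn
        conn.execute("DROP VIEW IF EXISTS Convert_Events_to_Sessions")
        conn.execute(VIEW_SQL)
    return True

def demo():
    """Constructed data: a device whose only start event is 'Down Reconnected'."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE Events (eve_MAC, eve_IP, eve_DateTime, eve_EventType, "
                 "eve_AdditionalInfo, eve_PairEventRowID)")  # assumed minimal schema
    conn.execute("INSERT INTO Events VALUES ('aa:bb:cc:00:00:01', '192.0.2.10', "
                 "'2024-01-01 10:00:00', 'Down Reconnected', '', NULL)")
    conn.execute(VIEW_SQL.replace(", 'Down Reconnected'", ""))  # view as before the fix
    count = "SELECT COUNT(*) FROM Convert_Events_to_Sessions"
    before = conn.execute(count).fetchone()[0]
    first, second = migrate_view(conn), migrate_view(conn)
    after = conn.execute(count).fetchone()[0]
    return before, first, second, after
```

`demo()` returns the session count before the migration, the result of two consecutive `migrate_view` calls, and the session count afterwards.
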
jokob-sk commented 1 month ago

Amazing @johnwang16 🙏 thanks a lot!

Just pushed it to dev and should be available for testing in ~15 min in the netalertx-dev image

johnwang16 commented 1 month ago

Looks like this doesn't fix the issue where a device is imported and never has a connection event to begin with. I'll take a look at what can be done to address that.

johnwang16 commented 1 month ago

this should do it https://github.com/jokob-sk/NetAlertX/pull/855

jokob-sk commented 1 month ago

thanks @johnwang16 , the -dev build should be ready in ~15 min

jokob-sk commented 3 weeks ago

releasing in 15 min -> closing - thanks again @johnwang16