Author: admin

ntop

Using ElasticSearch to Store and Correlate Ntopng Alarms

With the introduction of ntopng endpoints and recipients, it is now possible to handle alerts in a flexible fashion by means of recipients. ntopng embeds a SQLite database for turn-key alert storage and reporting. However, in large organizations with many alerts, the scalability of this solution is limited by the limited number of records (16k) that can be handled. In the latest ntopng 4.1.x versions it is now possible to export alerts to an external ElasticSearch database (not available in the community edition). This post shows you how to use …
ntopng

Using ntopng Recipients and Endpoints for Flexible Alert Handling

In the latest ntopng 4.1.x versions (and soon 4.2) we have completely reworked the way alerts are delivered to subscribers. Up to 4.0 the ntopng engine was configured in a single way for all alerts: go to the preferences page and specify where to deliver alerts. This was suboptimal for many reasons, including the fact that it was not possible to send alerts to different recipients on different channels, or to selectively decide when to send alerts out. For this reason we have introduced the concept of Endpoints server account configuration where …
nDPI

How Great Hashing Can (More Than) Double Application Performance

Most ntop applications (ntopng, nProbe, Cento) and libraries (FT) are based on the concept of flow processing, which simply means keeping track of all network communications. In order to implement this, network packets are decoded and, based on a “key” (usually a 5-tuple consisting of protocol and src/dst IP and port), clustered into flows (other keys such as VLAN can be added if necessary). This usually requires a lookup in a hash table, using a hash function to translate the key into an index for an array with collision …
News

September Webinars: ntopng Scripting and API Integrations

Save the date! Two webinars have been planned for this month's cycle. We start on Thursday, September 17th, 16:00 CEST / 10 AM EST, with “How to Write an ntopng Plugin“. In this workshop, we will see how to create an ntopng Lua plugin to generate alerts and update the ‘score’ indicator of compromise for hosts and flows accordingly. During the workshop, we will walk the audience through a typical workflow which can then be reused to write any kind of plugin. We will start with a simple …
nDPI

Monitoring Industrial IoT/Scada Traffic with nDPI and ntopng

Monitoring Industrial IoT and SCADA traffic can be challenging, as most open source monitoring tools are designed for Internet protocols. As this is becoming a hot topic with companies automating production lines, we have decided to enhance ntop tools to provide our user community with traffic visibility even in industrial environments. This required enhancing nDPI to detect these protocols and enhancing ntopng, our monitoring console, to visualize this traffic by providing enhanced protocol dissection on top of which alerts can be triggered. To date, nDPI supports modbus, DNP3 and …
Cybersecurity

How Attack Mitigation Works (via SNMP)

One of the greatest strengths of ntopng is its ability to correlate data originating at different layers and from multiple sources. For example, ntopng can look at IP packets and Ethernet frames and, at the same time, poll SNMP devices. This enables ntopng to effectively perform correlations and observe: the behavior of IP addresses (e.g., is this IP known to be blacklisted?); the MAC addresses carrying IP traffic around the network; the physical location of the MAC addresses (i.e., the physical switches traversed by a given MAC address along with …
Cybersecurity

How to Detect Domain Hiding (a.k.a. as Domain Fronting)

Domain fronting is a technique that was used in the 2010s by mobile apps to attempt to bypass censorship. The technique relies on a legitimate “front” domain that basically acts as a pivot for the forbidden domain. In essence, an attacker performs an HTTPS connection where the legitimate domain name is used in the DNS (used to resolve the domain name) and in the TLS SNI, whereas inside the HTTP connection the “Host” HTTP header specifies the forbidden domain. Recently at DEF CON 28 a new tool named Noctilucent has been …
n2n

Introducing n2n 2.8: Modern Crypto and Data Compression

This is to announce the release of n2n 2.8 stable. This release brings significant new features to n2n’s crypto world and offers some compression opportunities. Overall, n2n performance has been greatly enhanced, bandwidth usage has been reduced thanks to data compression, and security is brought to the state of the art with new crypto options. The added support for routing table manipulation might increase comfort. Besides further honing existing features, this release addresses some bugs. New features: two lightweight stream ciphers, ChaCha20 (optional, through OpenSSL) and SPECK (integrated); full header encryption (including packet checksumming as …
Cybersecurity

Mice and Elephants: HowTo Detect and Monitor Periodic Traffic

Most people are used to top X: top senders, top receivers, top protocols. So in essence they are looking for elephants. While this is a good practice, mice are also very interesting, as they can often be hidden in the noise. In cybersecurity, noise is very good for attackers, as they often try to hide themselves in it in order to escape security. Much malware is programmed in a loop fashion: do a), do b), do c), then go back to a) in an infinite loop. In …
News

July 16th and 24th: Community Meeting and Webinar Announcement

This month we’ll meet our community in two different events.
When: Thursday, July 16th, 16:00 CET / 10 AM EST
What: Live community meeting
Where: Discord. You can read more here on how to join the public ntop voice channel for this live event.
Abstract: Recently we have started to use Discord as a platform for interacting with our community, in addition to Telegram. The advantage of Discord is the ability to combine text/voice/screen sharing, so we want to run an experiment: meet our users, discuss with them, and provide support. …
nDPI

Introducing nDPI Risk Analysis for (Cybersecurity) Network Traffic Analysis (was Ripple20)

Earlier last month Ripple20 became popular, as it listed some vulnerabilities found in a custom IP stack used by many IoT devices. Despite the hype around Ripple20, in essence the tool used to fingerprint vulnerable devices sends either malformed or valid (with some values in the allowed range, albeit deprecated or obsolete) packets that are easy to catch (see the Suricata and Zeek rules for detection). In essence, IDS rules/scripts check whether packets sent on the wire are valid or whether they contain unexpected values used by …
nDPI

Howto Identify and Block Telegram-based Botnets

Botnets are a popular way to run malware on a network using the command and control paradigm. Popular protocols used by botnets include IRC and HTTP. Most IDSs can detect bots as long as they can inspect the network traffic. This makes network administrators blind when bots move to encrypted and cloud-based protocols (i.e. ones that you cannot block with a simple IP-based ACL). The popular Telegram messaging system allows people to create a bot in minutes, as shown in the code excerpt below. bot = Bot(token) def run(): """ …