Author: admin

  • Home
  • Articles by: admin
ntopng

Threshold vs Statistical Metric Alerts in ntopng
Threshold alerts and statistical alerts are two different methods for monitoring and detecting unusual or potentially problematic events in various systems, such as network monitoring where anomaly detection is essential. They differ in how they define and identify anomalies: Threshold Alerts Threshold alerts are based on fixed, predefined values or thresholds. You set specific thresholds for one or more parameters or metrics within your system. When these parameters cross the predefined thresholds, an alert is triggered. These thresholds are typically static and do not change automatically. You need to set …
ntop

ntopConf 2023 Videos and Slides are Now Available
The ntop conference and training 2023 was a success: more than 100 people attended it, some of them flying to Italy from other continents. This has been a special event as we have celebrated 25 years since the first release of the original ntop application, and 10 years of ntopng. This was our first international event (previous conferences were in Italian) and we are happy of the outcome. For us a conference is a way to update our community about the progresses we have made, how the community uses our …
ntop

How to Monitor What Matters
Yesterday we have been invited to the NetEye Users Group Meeting to give a speech about monitoring and cybersecurity. During the talk we covered out 25 years journey in this industry and the decisions we have made during that time: Network vendors provide (after 25 years) poor monitoring data: flaws, proprietary formats, sampling, device limitations didn’t change the landscape even though the NetFlow RFC 3954 is 20 years old, and IPFIX is basically just a cosmetic change. nDPI is 10 years old and it allowed us to provide contextual information …
ntop

Announcing ntop Professional Training: November 2023
ntop tools range from packet capture, traffic analysis and processing, and sometimes it is not easy to keep up on product updates as well master all the tools. This has been the driving force for organising ntop professional training: . This is to announce that in May we have scheduled the next ntop Professional Training session. It will take place online (Microsoft Teams) on 7th, 9th, 14th, 16th, 21st, 23rd of November, 2023 at 3.00 PM CET (9.00 AM EDT). Training will be held in English language and each session …
ntopng

How to Send ntopng Alerts to PagerDuty
PagerDuty is a popular incident-response platform that allows problem notifications to be delivered in a flexible way to the correct team member. We have integrated it in ntopng Enterprise and this post shows you howto configure it. First of all you need to create a PagerDuty account and select a plan (there is a free one you can choose). Done that within PagerDuty you need to select “Event Orchestration” from the “Automation” menu and create a new event orchestration. Below you can see an example. Once you saved it click …
nDPI

How nDPI Improved Bloom Filters Implementation
A Bloom filter is. probabilistic data-structure used to test whether an element is present in a set. Blooms are affected by false positives, meaning that when a bloom returns true it does not mean that the searched element is part of the set but that it is “likely” to be part of the set. nDPI (and most tools ntop develops) uses Bloom filters in order to speed-up search operations by using a quick membership check that avoids slower checks. For instance if ntopng needs to know whether host A has …
Cybersecurity

How Effective Are IP Blacklists When Used For Detecting Malicious Activities?
A blacklist is an access control mechanism which denies access to selected network resources to peers belonging to a curated list. Blacklists often represent the first line of defence for many networks as they can reduce internal hosts’ risk of establishing communications with peers with a bad reputation. Many companies use blacklists for detecting malicious activities. In ntopng we use IP blacklists to label traffic exchanged with malicious peers. While the concept of blacklist is very simple and many people are familiar with it, we know very little of how …
nDPI

How nDPI Identifies Fully Encrypted Protocols
In the paper How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic it is described a technique used in censorship to identify and block fully encrypted protocols. This technique, limited to TCP flows, uses a few techniques that are applied on the first TCP packet with payload, making it fast and convenient although with a small (< 1%)  percentage of false positives: Ex1: popcount(pkt) ≤ 3.4 or popcount(pkt) ≥ 4.6. len(pkt) len(pkt) Ex2: The first six (or more) bytes of pkt are [0x20, 0x7e]. Ex3: More than …
ntopng

Understanding Timeseries Throughput Calculation
ntopng creates timeseries for traffic by periodically (e.g. every minute) writing into RRD/Influx the traffic volume observed. Below you can see an example. Traffic is used to keep track of the data volume exchanged. Over time timeseries are aggregated (roll-up) to save space, meaning for instance that 60 minute observations are used to compute a hourly observation. A timeseries rollup involves summarising the original time series data over larger time intervals. The purpose of doing a rollup is to reduce the volume of data and make it more manageable while …
ntopng

HowTo Trigger an Alert When Contacting a Website/IP with ntopng
ntopng has native blacklist support that enables generation of alerts when malware sites are contacted. You can enable/disable the list of active blacklist by accessing the blacklist page from the preferences menu of the left sidebar and also configure the list properties such as refresh rate as well enable/disable them. Now suppose you want to trigger an alert when contacting a specific IP address or a website (this regardless if using clear-text protocol such as HTTP or encrypted TLS-based communications). How can you do that? See it below: Define a …
Announce

ntopConf 2023 (25 years of ntop) Registration is Now Open
This is to announce that the registration for the ntop Conference 2023, 25 years since the first release of ntop, is now open. Similar to past conferences, this event is divided into two days: the first day will be allocated for training on ntop products, the second day for the main conference and workshop. You can read the conference and training agenda at the ntopConf 2023 page from which you can also reserve your seat. Finally a few notes. In order to make this event effective we have decided that: …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe