nDPI

Howto Identify and Block Telegram-based Botnets
Botnets are a popular way to run malware on a network using the command and control paradigm. Popular protocols used by botnets include IRC and HTTP. Most IDSs can detect bots as long as they can inspect the network traffic. This makes networks administrators blind when bots move to encrypted and cloud-based (i.e. that you cannot block with a simple IP-based ACL) protocols. The popular Telegram messaging system allows people to create a bot in minutes as shown in the code excerpt below.   bot = Bot(token) def run(): """ …
ntop

ntop Tools Taxonomy
As sometime people is confused about the various options ntopng tools offer, this post is an attempt to clarify them in a single page. [table id=1 /] Enjoy! …
nDPI

Why Traffic Behaviour Analysis is Good (was Encrypting TLS 1.3 Traffic)
In the latest nDPI meetup, we have discussed future directions, including extending the current encrypted traffic analysis features. Currently nDPI supports both fingerprint and behaviour encrypted traffic analysis techniques to provide TLS traffic visibility. At ntop we have never liked too much fingerprinting techniques such as JA3 that are used by many popular IDSs and security tools, simply because they often lead to false positives making them a “nice to have” features but nothing more than that. Recently the IETF is designing a new TLS 1.3 extension named ECHO (Encrypted …
nDPI

How Lockdown Changed Corporate Internet Connectivity
Global lockdown has forced many people to work from remote: empty offices, all remote working until the emergency is over.   In essence during the lockdown remote workers used very few corporate services via VPN, with relatively light traffic (e.g. accounting) and the heavy videoconferencing traffic not propagating in the company networks: this as moderns videoconferencing solutions are all cloud based. So in essence moving to remote working has not put too much pressure on corporate networks beside the creation of VPN accounts or other limited changes. As you can …
Announce

Webinar: Network Monitoring in Post-Lockdown Days
This is to invite our community to a new webinar that will explain how we have enhanced ntopng to take into account network monitoring challenges due to global lockdown. In particular we will show how ntopng can be integrated with VPN and remote access systems, as well commercial firewall and security devices. This is to create a single monitoring console able to offer visibility even when most users are roaming or work from remote. For those who have not attended the webinar can watch the recording below. International Edition Tuesday …
nDPI

You’re invited to the future of nDPI: Python, Cybersecurity and Behaviour. May 15th, 4PM CET
Hi all, this is to invite you to an open discussion about nDPI, its future. In particular Python bindings, cybersecurity extensions and behaviour analysis. We will meet at 4PM CET (10AM EST) live on the Internet. For those who have not been able to join, this is the video of the session. Links: https://github.com/aouinizied/nfstream https://notebooks.gesis.org/binder/jupyter/user/aouinizied-nfstream-tutorials-mg04vt7x/tree Enjoy! …
ntop

Using ntop tools (including PF_RING ZC) on Docker
Software containers are an elegant way to deploy software applications. If you are wondering if ntop supports software containers the answer is yes. Whenever new stable versions of packages are built, containers hosted on hub.docker.com are automatically updated. Instead if you want to build a custom container, you can use the docker files we maintain. Container support is full, including PF_RING ZC that can natively run on Docker as specified in this document. using a simple command like sudo docker run -v /dev/hugepages:/dev/hugepages --cap-add ipc_lock ubuntu18 pfcount -i zc:99@0 this …
nDPI

Trickbot Malware Analysis Using nDPI and ntopng
Trickbot is a malware distributed via malspam, spam emails containing links for downloading malicious files that infect computers.  A pcap file of a trickbot infection named 2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap can be downloaded at this URL. You can analyse the file using nDPI as follows ndpiReader -i 2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap -v 2 -J > /tmp/trickbot.txt Let’s now open the trickbot.txt file and search for “Risk”. This is a tag added to nDPI analysed flows when there is a non-zero security risk associated with the analysed traffic. Most problems include: Obsolete TLS protocol with self-signed certificate …
ntopng

How Active Monitoring Works in ntopng
In v4 we have introduced active monitoring in ntopng and since then we are improving in the 4.1.x development versions. In order to enable it you have to selectd the “System” interface from the top menubar and select “Active Monitoring” from the left “System” menu. On that page you will see a table containing all your measurements. The code has been written in a modular way, so that available measurements can be extended as necessary simply adding a new lua script. As you can see from the measurements source, you …
ntopng

Implementing Network Visibility in Covid-19 Days
Ongoing health emergency demands business to enable employee work from home: call it smart working or (better) remote working. This process puts pressure on the company Internet connection as many (if not all) the activities need to be done remotely. Working from home is a good practice in order to avoid extra personal stress and reduce virus spread, this only if company’s Internet lines have enough capacity to handle all the remote workers. How can you measure this extra traffic (with respect to days before the emergency) and optimise your …
ntop

ntopng 4.0: A Refreshed Look with Dark Themes!
The latest ntopng 4.0 has a renewed look. The main changes we have introduced are: An always-on-top status bar. Key information on the health and status of the network is essential for the analyst and it must be always visible and easily accessible. This is why we have introduced an always-on-top fixed status bar with key information such as network throughput, active hosts, flows, and ongoing alerts. This information was previously placed at the bottom of every page so it was difficult to access it and a lot of scrolling …
ntopng

Active Monitoring in ntopng 4.0: ICMP, ICMPv6, HTTP and HTTPS pings with RTT
The latest stable ntopng 4.0 features a Round Trip Time (RTT) monitor which is capable of pinging hosts on a minute-by-minute basis to check: IP reachability with ICMP and ICMPv6 pings Web servers functionality with HTTP and HTTPS pings Checks account for the RTT, that is, the time it takes to reach a certain host and receive a response from it. ntopng shows all the RTT-monitored hosts under the System Interface   For each monitored host ntopng offers the following information The full URL of the monitored host. The URL …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe