Cybersecurity

  • Home
  • Cybersecurity
Cybersecurity

When SNIs Cannot be Trusted
SNI (Server Name Indication) is an optional extension in TLS/QUIC that contains the symbolic host name we’re connecting to. For instance, during the TLS handshake, the SNI allows the server to identify the correct TLS certificate of a server hosting multiple websites. nDPI reports SNIs in order to make it possible to detect name-based services deployed on the same server IP address. Below you can see an example of how nDPI reports SNIs in encrypted traffic. Client applications use the SNI to verify that the website it is connecting to matches …
Cybersecurity

Using Network Fingerprints Beyond Cybersecurity
Last week ntop has been invited to give a talk at neacademy in Napoli, Italy. The topic was network fingerprints and nDPI. Network fingerprints such as JA4 have been made popular by cybersecurity that uses them to spot (with limited false positives) malware and use them to find traffic pattern similarities. During the talk, we explained that it’s possible to improve fingerprint reliability by combining some of them, in addition to use fingerprints for various other activities beyond cybersecurity including (but not limited to) traffic classification and micro-segmentation. This was …
Cybersecurity

A Deep Dive Into Traffic Fingerprints
Last week during SharkFest Europe 2024 we have presented what are network fingerprints and how they work. During the talk we (Luca and Ivan) have described how we have extended nDPI with support of network fingerprints, and how this work has been also integrated in Wireshark. We believe that fingerprints are an interesting technology that can help in better understanding the nature of traffic flows, detect inconsistencies on crafted traffic (e.g. a Windows box that pretends to impersonate an iOS device), and of course in cybersecurity. In the coming months …
Cybersecurity

Can ntopng be considered an IDS (Intrusion Detection System) ?
ntopng is not typically classified as an Intrusion Detection System (IDS) in the traditional sense, but it does have some features that overlap with IDS functionalities. Let me explain the differences and how ntopng might serve a similar role: What is ntopng? ntopng is an open-source network traffic monitoring tool that provides visibility into network traffic and performance. It is primarily used for: Network Monitoring: Tracking traffic flows, bandwidth usage, and the behaviour of network devices. Traffic Analysis: Deep Packet Inspection (DPI) based on nDPI to analyse protocols, applications, and …
Cybersecurity

ipt_geofence: Protecting Networks using Geofencing, Blocklists and Service Analysis
Last week the ntop team has organised the network devroom at FOSDEM 2024, that took place in Brussels on Feb 2-3. During the devroom we have presented one tool named ipt_geofence that we have created for protecting our network infrastructure and generate blacklists that can be used with ntop tools (this task is still ongoing). ipt_geofence, an open-source tool for Linux and FreeBSD that combines in one tool IP geofencing, service (e.g. SSH, Web and mail) analysis, and blocklists. It allows malicious hosts to be blocked and hence protect services …
Cybersecurity

How Effective Are IP Blacklists When Used For Detecting Malicious Activities?
A blacklist is an access control mechanism which denies access to selected network resources to peers belonging to a curated list. Blacklists often represent the first line of defence for many networks as they can reduce internal hosts’ risk of establishing communications with peers with a bad reputation. Many companies use blacklists for detecting malicious activities. In ntopng we use IP blacklists to label traffic exchanged with malicious peers. While the concept of blacklist is very simple and many people are familiar with it, we know very little of how …
Cybersecurity

OT, ICS, SCADA: IEC 60870-5-104 in ntopng
What is OT, ICS, SCADA ? Operational Technology (OT) refers to computing systems that are used to manage industrial operations or process operations, like water treatment, electrical power distribution or wrapping a chocolate in foil. ntopng supports some Industrial control systems (ICS) protocol often managed via a Supervisory Control and Data Acquisition (SCADA) systems. Via nDPI it can detect protocols such as Modbus, IEC 60780 or BACnet. In addition to this, ntopng has extensive detection and monitor capabilitiesfor some protocols OT protocols/ ntopng “Generic” Monitoring ntopng is a monitoring tool …
Announce

Introducing Smart Recording in n2disk: Combining Cybersecurity with Packet-to-Disk
In short Continuous network traffic recorders are applications (or appliances) that write network traffic on disk. In case of issues (e.g. security breach or network outage) they enable network and security analysts to go back in time and see how a problem originated. The main limitation of this practice is that a lot of data it is written to disk even when there is nothing special happening on the network. Similar to the evolution of surveillance cameras that implemented “motion detection” to trigger recording when some meaningful even happen, this …
Cybersecurity

HowTo Use Periodic Traffic Analysis in Cybersecurity
Since v5 ntopng has the ability to detect periodic activities, i.e. activities that are repeated periodically at a given pace (note that each activity can have a different frequency, and ntopng is able to detect them). Periodic activities are not bad per se (e.g. an email application fetches new messages every 5 minutes) but it can be a good indicator whenever periodicity is reported in alerts. For instance looking at the alerts below you can see that a client is making periodic requests to the same server Looking at the …
Cybersecurity

What’s New in ntopng: Network Assets
Hello everybody! Welcome back to the weekly blog post of this serie used to update you with the latest ntopng features and graphical changes. Please let us know your feedback! Today we are going to talk about the Asset Map. Have you ever asked yourself, what are the NTP servers in your network? Or, are all active DNS servers? Well, the Asset Map is useful  exactly in this case. The Asset Map is a map we designed to know what exactly is (are) the DNS, NTP,… server(s) active in a …
Cybersecurity

What’s New in ntopng: Periodic Activities (a.k.a beaconing) !
Hello everybody! Welcome back to the weekly blog post of this serie used to update you with the latest ntopng features and graphical changes. Please let us know your feedback! Today we are going to talk about the Periodicity Map. You are probably asking yourself what’s so bad about periodic activities, right? First of all, let’s take a look at the Periodicity Map and what are the contained information. What we can see here is: The last seen – last time ntopng has seen a periodic activity (flow) The quintuplet …
Cybersecurity

Malware Traffic Analysis in ntopng
ntop users have started to use our tools for malware analysis as contrary to packet sniffers or text-based security tools, ntopng comes with a web interface that simplifies the analysis. For this reason we have recently: Added the ability to upload a pcap file to ntopng using the web GUI, so that you can analyze traffic traces without the need to transfer them to the ntopng host using SCP or similar protocols. Enhanced the list of nDPI flow risks (47 as of today) with the ability to detect webshells and …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe