Cybersecurity

What’s New in ntopng: Periodic Activities (a.k.a. beaconing)!

Hello everybody! Welcome back to the weekly blog post of this series, used to update you on the latest ntopng features and graphical changes. Please let us know your feedback! Today we are going to talk about the Periodicity Map. You are probably asking yourself what’s so bad about periodic activities, right? First of all, let’s take a look at the Periodicity Map and the information it contains. What we can see here is: The last seen – the last time ntopng has seen a periodic activity (flow) The quintuplet …

Malware Traffic Analysis in ntopng

ntop users have started to use our tools for malware analysis since, contrary to packet sniffers or text-based security tools, ntopng comes with a web interface that simplifies the analysis. For this reason we have recently: Added the ability to upload a pcap file to ntopng using the web GUI, so that you can analyze traffic traces without the need to transfer them to the ntopng host using SCP or similar protocols. Enhanced the list of nDPI flow risks (47 as of today) with the ability to detect webshells and …

Using Blacklists to Catch Malware Communications Using ntopng

A category list is a control mechanism used to label traffic according to a category. In nDPI, the traffic classification engine on top of which ntop applications are built, there are various categories including (but not limited to) mining, malware, advertisement, file sharing and video streaming. A blacklist is a list of IP addresses or symbolic domain names that is used to label malicious traffic. These lists are often computed using honeypots, which in essence are hosts or services deployed on a network (usually the Internet) that are easy to break into …

What is CyberScore and How it Works: a Technical Overview

ntop users are familiar with concepts such as flow risk and cyberscore. This week we have presented a conference paper [slides] at the 2022 IEEE International Conference on Cyber Security and Resilience, where we describe in detail what cyberscore is, how it works, and how we have validated it in real life. In essence this is the explanation of the ideas that are powering our tools, validated by academia and not just by our users. This is in addition to what ntop users are doing every day when using ntop …

Introducing nDPI 4.4: Many New Protocols, Improvements and Cybersecurity Features

This is to introduce nDPI 4.4 that includes the development activities of the last six months. As with previous releases we are improving protocol support, automatic testing to harden the code for critical environments, and introducing new cybersecurity features for detecting risks and extracting metadata from protocols. Our idea is to make nDPI more user friendly, going beyond protocol detection, and adding the ability to interpret traffic and tell what is wrong and why. You can read the full changelog, or find below an excerpt of the most relevant changes. …

How ntopng monitors IEC 60870-5-104 traffic

Busy times for OT analysts. Last month the number of known OT (operational technology) malware families increased from five to seven. The first malware discovered is Industroyer2, which was caught in Ukraine. As is nowadays popular, security companies name the malware they discover; that is why the second malware was assigned two names, Incontroller or Pipedream. This malware was discovered before it was deployed. Industroyer2 [1] is an evolution of Industroyer1, first seen in 2014. Both variants are targeting the electrical energy sector, specifically in Ukraine. As the malware is using …

Incident Analysis: How to Correlate Alerts with Flows and Packets

In incident analysis it is important to provide evidence of the problem at various levels of detail: Alerts: alerts are the result of traffic analysis (in ntopng based on checks) that has detected specific indicators in traffic that triggered the alert, for instance a host whose behavioural score has exceeded a given threshold or a flow that is exfiltrating data. Flows: the result of aggregating packets belonging to the same connection; they are used to compute alerts. Packets: the most granular data, containing evidence …

Short ntop Roadmap for 2022

Those who attended our latest 2021 webinar had a feeling of what ntop’s plans are for this year. In summary, we keep focusing on cybersecurity and visibility, planning to further enhance our existing tools as follows: nDPI: we plan to improve detection of new threats and make it more configurable by end users. The idea is that end users can further extend the core via configuration files in order to catch malware or contacts to suspicious/infected hosts. We do not want to turn nDPI into a rule-based tool such as many IDS …

ntop tools and Log4J Vulnerability

Recently we have received many inquiries about whether ntop tools are immune to the Log4J vulnerability. As you know, at ntop we take code security seriously, hence we confirm that: In ntop we do not use Java or Log4J. ntop tools are immune to the above vulnerability, hence there is no action or upgrade required. Enjoy! …

nDPI-based Traffic Enforcement on OPNsense/pfSense/Linux using nProbe

nProbe IPS is an inline application able both to export traffic statistics to NetFlow/IPFIX collectors as well as to ntopng, and to enforce network traffic using nDPI, ntop’s Deep Packet Inspection framework. This blog post shows you how you can use a new graphical configuration tool we have developed to ease the configuration of IPS rules on OPNsense. Please note that nProbe IPS is also available on pfSense and Linux, where you need to configure it using the configuration file as described later in this post and in the nProbe user’s guide. …

How to Spot Unsafe Communications using nDPI Flow Risk Score

nDPI is much more than a DPI library used to detect the application protocol. In the past year, nDPI has grown in terms of cybersecurity features used to detect threats and network issues, leveraging the concept of flow risk. Each nDPI-analysed flow has an associated numerical flow risk that in essence is a bitmap with a bit set to 1 whenever a risk has been detected for that flow. The list of (to date) supported flow risks is: HTTP suspicious user-agent HTTP numeric IP host contacted HTTP suspicious …

On Network Visibility and Cybersecurity

Today we had the chance to talk about network visibility and cybersecurity during an event organised by the Milan Internet Exchange MIX-IT. In this talk we have presented the current state of development in this area at ntop and provided an outlook of some of the features that we’re developing and that will be released later this summer. These are the presentation slides for those who didn’t have the chance to attend the event. Enjoy! …