Monitoring Industrial IoT/Scada Traffic with nDPI and ntopng

Monitoring Industrial IoT and SCADA traffic can be challenging, as most open source monitoring tools are designed for Internet protocols. Since this is becoming a hot topic, with companies automating their production lines, we have decided to enhance the ntop tools to give our user community traffic visibility in industrial environments as well. This has required us to enhance […]

How to Detect Domain Hiding (a.k.a. Domain Fronting)

Domain fronting is a technique that was used in the 2010s by mobile apps to try to bypass censorship. The technique relies on a legitimate “front” domain that acts as a pivot for the forbidden domain. In essence, an attacker performs an HTTPS connection where in the DNS (used to resolve the domain name) and […]
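The post excerpt above is cut short, so the following is an added example for this page and not ntop or nDPI code. It assumes that for each HTTPS flow the monitor has already extracted three names: the DNS name(s) the client resolved to the server IP, the TLS Server Name Indication sent in the ClientHello, and the subject/SAN names of the certificate returned by the server. In an ordinary session these agree; a “front” name in the SNI paired with a certificate issued for a different domain is the visible trace the check looks for. The flow records are constructed, not captured traffic.

```python
"""Domain hiding indicators from HTTPS flow metadata (added example, not ntop code)."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class TlsFlow:
    client: str
    server: str
    sni: str                                              # "" if the ClientHello carried no SNI
    dns_names: Set[str] = field(default_factory=set)      # names the client resolved to `server`
    cert_names: List[str] = field(default_factory=list)   # certificate CN + SANs, may be wildcards


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def cert_covers(cert_names: List[str], host: str) -> bool:
    """True if `host` matches a CN/SAN entry; a '*.x' entry covers exactly one label."""
    host = _norm(host)
    for name in map(_norm, cert_names):
        if name == host:
            return True
        if (name.startswith("*.") and host.endswith(name[1:])
                and host.count(".") == name.count(".")):
            return True
    return False


def fronting_indicators(flow: TlsFlow) -> List[str]:
    """Indicators raised by one flow; an empty list means nothing looks odd."""
    ind = []
    if not flow.sni:
        # No SNI at all is unusual for a modern client and hides the name entirely.
        ind.append("no-sni")
        return ind
    sni = _norm(flow.sni)
    if sni not in {_norm(n) for n in flow.dns_names}:
        # The client talks to an IP it resolved under a different name.
        ind.append("sni-not-resolved")
    if not cert_covers(flow.cert_names, sni):
        # The "front" name in the SNI is not what the server certifies.
        ind.append("sni-cert-mismatch")
    return ind


# Constructed sample flows (assumption: what a monitor would export per TLS session).
FLOWS = [
    # normal: DNS, SNI and certificate agree
    TlsFlow("10.0.0.5", "192.0.2.10", "www.example.com",
            {"www.example.com"}, ["*.example.com"]),
    # fronted: the cover name front.example.net is sent, the CDN edge certifies another domain
    TlsFlow("10.0.0.5", "192.0.2.20", "front.example.net",
            {"front.example.net"}, ["hidden.example.org", "*.hidden.example.org"]),
    # no SNI at all
    TlsFlow("10.0.0.7", "192.0.2.30", "", set(), ["api.example.com"]),
]


def scan(flows):
    """Map server IP -> indicators for every flow that raised at least one."""
    result = {}
    for f in flows:
        ind = fronting_indicators(f)
        if ind:
            result[f.server] = ind
    return result


if __name__ == "__main__":
    for server, ind in scan(FLOWS).items():
        print(server, ", ".join(ind))
```

A mismatch is an indicator, not proof: CDN edges may present a certificate that does not list every name they serve, and the real destination (the HTTP Host header) stays inside the encrypted channel, so these flags should be correlated with the rest of the flow rather than blocked on blindly.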

How to Identify and Block Telegram-based Botnets

Botnets are a popular way to run malware on a network using the command-and-control paradigm. Popular protocols used by botnets include IRC and HTTP. Most IDSs can detect bots as long as they can inspect the network traffic. This leaves network administrators blind when bots move to encrypted and cloud-based (i.e. that you […]

Why Traffic Behaviour Analysis is Good (was Encrypting TLS 1.3 Traffic)

In the latest nDPI meetup we discussed future directions, including extending the current encrypted traffic analysis features. Currently nDPI supports both fingerprint-based and behaviour-based encrypted traffic analysis techniques to provide TLS traffic visibility. At ntop we have never been very fond of fingerprinting techniques such as JA3, which are used by many popular IDSs and […]

How Lockdown Changed Corporate Internet Connectivity

The global lockdown has forced many people to work remotely: empty offices, everyone working from home until the emergency is over. In essence, during the lockdown remote workers used very few corporate services via VPN, with relatively light traffic (e.g. accounting), and the heavy videoconferencing traffic did not propagate into the company networks: this as modern […]

You’re invited to the future of nDPI: Python, Cybersecurity and Behaviour. May 15th, 4PM CET

Hi all, this is to invite you to an open discussion about nDPI and its future, in particular Python bindings, cybersecurity extensions and behaviour analysis. We will meet at 4PM CET (10AM EST) live on the Internet. For those who were not able to join, this is the video of the session. Links: https://github.com/aouinizied/nfstream https://notebooks.gesis.org/binder/jupyter/user/aouinizied-nfstream-tutorials-mg04vt7x/tree […]

Trickbot Malware Analysis Using nDPI and ntopng

Trickbot is malware distributed via malspam: spam emails containing links for downloading malicious files that infect computers. A pcap file of a Trickbot infection named 2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap can be downloaded at this URL. You can analyse the file using nDPI as follows:

ndpiReader -i 2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap -v 2 -J > /tmp/trickbot.txt

Let’s now open the trickbot.txt […]

Towards Traffic Behaviour Analysis: Introducing nDPI 3.2

This is to announce the new stable release of nDPI 3.2. The main trend in nDPI is to move from “simple” application protocol detection towards behavioural traffic interpretation. This has been implemented by integrating modules for detecting attacks (e.g. SQL injection and XSS in HTTP) and behavioural indicators based on packet length, timing and entropy, as well […]