ntop

n2disk

Howto Build a 100 Gbit (Drop-Free) Continuous Packet Recorder using n2disk [Part 3]

In the first post of this series (part 1) we described how to build a 2×10 Gbit continuous packet recorder using n2disk and PF_RING; in the second post (part 2) we described what hardware is required to scale from 10 Gbit to 100 Gbit. One more year has passed and we have gained more experience with 100 Gbit recording, so it is time to refresh the previous posts and share more information about the new capture and storage technologies and configurations needed to build a recorder able to dump 100+ Gbit of line-rate small packets, sustained …
ntop

ntop Tools Taxonomy

As people are sometimes confused about the various options ntopng tools offer, this post is an attempt to clarify them in a single page. Enjoy! …
ntop

Using ntop tools (including PF_RING ZC) on Docker

Software containers are an elegant way to deploy software applications. If you are wondering whether ntop supports software containers, the answer is yes. Whenever new stable versions of packages are built, the containers hosted on hub.docker.com are automatically updated. If instead you want to build a custom container, you can use the Docker files we maintain. Container support is complete, including PF_RING ZC, which can natively run on Docker as specified in this document, using a simple command like sudo docker run -v /dev/hugepages:/dev/hugepages --cap-add ipc_lock ubuntu18 pfcount -i zc:99@0 this …
ntop

ntopng 4.0: A Refreshed Look with Dark Themes!

The latest ntopng 4.0 has a renewed look. The main changes we have introduced are: An always-on-top status bar. Key information on the health and status of the network is essential for the analyst and it must always be visible and easily accessible. This is why we have introduced an always-on-top fixed status bar with key information such as network throughput, active hosts, flows, and ongoing alerts. This information was previously placed at the bottom of every page, so it was difficult to access and a lot of scrolling …
ntop

Say Hello To ntopng 4.0: Cybersecurity, Scripting… and a New User Interface

After over one year of work, we're proud to announce that ntopng 4.0 is finally out. In this time we have redesigned ntopng for speed and openness, by breaking apart the existing monolithic C++ engine into a Lua-scriptable micro-engine. This enables people to contribute to the project without being scared of coding in C++. The major breakthroughs we have brought with this release are: A plugin engine that allows anyone with some basic Lua coding skills to tap straight into every single flow, host, or other …
nScrub

Introducing nScrub 1.4 with IPv6 Support

This is to introduce the new nScrub 1.4 stable release. Besides a few bug fixes (mainly to the API), this release introduces many improvements, including: Full IPv6 support in both routing and bridge mode. Improved TCP protection: it is now possible to use SYN Proxy in asymmetric mode. Hardware bypass with watchdog support as a failover mechanism in case of system failures, or to handle maintenance. A new plugin SDK to easily extend the core engine with custom protection algorithms. Native systemd support for multiple instances to handle multiple network segments. Support for Ubuntu …
ntop

Introducing PF_RING 7.6: Flow Processing Made Easy with PF_RING FT

This is to announce the new PF_RING major release 7.6. Besides bug fixes and driver updates to improve compatibility with the latest kernels (including those shipped with Debian 10 and CentOS 8), this release includes many enhancements to the PF_RING FT library, which delivers unprecedented flexibility and all the features a flow-based packet processing application requires. The latest additions include: Flow slicing: the library delivers periodic flow updates, with no need to wait for flow termination. Tunnel decoding: packets are decapsulated and information about the tunnel is exposed by the library. More flow …
ntop

Call for Talks for NtopConf ’20

Update: due to the SARS-Covid-19 infection, the conference will be rescheduled once the health situation improves and travelling is safe. Please stay tuned by monitoring our blog, as we will organize new interactive seminars and tutorials so that our community can meet virtually. Thank you! This year the annual ntop conference will take place in Milano, Italy on June 9-10, at Università Bocconi, one of the most prestigious universities in Italy. As usual the first day will be used to train people on ntop tools and the second …
ntop

Important Geolocation Changes in ntop Products

ntop products have been using geolocation databases provided by MaxMind for a long time, to augment network IP addresses with geographical coordinates (cities, countries) and information on the Autonomous Systems. ntop has been freely packaging and redistributing such databases in ntopng-data. Unfortunately, new privacy regulations, such as GDPR and CCPA, place restrictions that impact our ability to continue distributing databases in ntopng-data. The reasons are the same that have impacted MaxMind's ability to redistribute them, and are explained in detail at the following page. Hence, starting late December 2019, in …
ntop

New Directions in Network Traffic Security: Homework for 2020

Summary

With today's traffic, most network IDSs (NIDSs) have severe limitations in terms of visibility and can easily be circumvented by malware (for instance by running a known service on a non-default port, or the other way round), and thus need to be used together with traffic analysis applications to produce a comprehensive view of what is happening on the network. For this reason monitoring tools must integrate as many security features as possible, and be open to receiving alerts from external sources (e.g. IDSs), as those are still useful on the (increasingly smaller) share of Internet traffic they are able to analyse effectively. HIDSs (host-based IDSs) will become increasingly important, as network probes/IDSs are mostly blind with respect to lateral movements unless you have full network visibility (usually not the case, as probes often analyse only the traffic from/to the Internet and know very little about internal LAN communications, sFlow-like tools not being a viable option). This article shows how the ntop 2020 roadmap takes these facts into account.

All Details

The pervasive use of encryption has finally changed the network traffic monitoring and security market. Simple packet payload inspection is no longer effective, and this has been bad news for many IDSs/IPSs. Looking at the Zeek and Suricata protocol dissector lists, it is evident that most of the supported protocols have a hard time matching today's traffic, simply because that traffic no longer flows on networks or (take for instance RDP) has migrated to encryption, making the protocol dissector basically useless on recent protocol versions. Someone might say that in the LAN there is still a fair amount of unencrypted traffic, but even this will decrease, as even in-host container-based communications have to be encrypted; so imagine how people could accept unencrypted traffic on the wire. That said, protocol fingerprinting such as JA3 and HASSH is a nice-to-have feature (i.e. you cannot rely 100% on it, as you will have many false positives due to the way such fingerprints are computed), and recent trends in TLS traffic analysis have shown that the idea of deciding whether an encrypted stream is good/bad based on the fingerprint alone is not very effective. The outcome is that without continuous traffic monitoring, security experts will have a hard time detecting, for instance, slow-DoS attacks as well as malware hidden in encrypted streams. Below you can find a typical trace generated by a popular NIDS.
Event 'tls' 
{  
   "timestamp":"2019-10-10T16:37:24.293378+0200",
   "dest_ip":"212.39.72.21",
   "src_port":57505,
   "tls":{  
      "subject":"C=BG, ST=Sofia, L=Sofia, O=Bulgarian Telecommunications Company, OU=IT, CN=*.vivacom.bg",
      "ja3s":{},
      "ja3":{},
      "issuerdn":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA",
      "version":"TLSv1",
      "serial":"02:57:7E:6E:4D:E0:EF:70:80:D6:DF:5C:1F:CB:C6:EA",
      "fingerprint":"09:55:46:d2:52:68:d1:e6:cd:b1:2b:e0:ca:15:3f:05:65:3b:cd:ce",
      "notbefore":"2014-12-16T00:00:00",
      "notafter":"2018-02-16T12:00:00"
   },
   "src_ip":"10.214.164.115",
   "proto":"TCP",
   "flow_id":1487440626086869,
   "in_iface":"dummy0",
   "event_type":"tls",
   "dest_port":443
}
As you can see, the IDS basically reports nothing about the traffic. Even simple metrics such as number of packets/bytes and duration are omitted, not to mention DPI, which was not taken into account years ago and is not used at all. In many popular IDSs, for instance, you need to configure the TLS port, so if you put non-TLS traffic on port 443, or TLS traffic on a port other than 443, you're basically blind. This sounds like a huge problem, at least for us who maintain nDPI and understand the value of deep packet inspection. It makes it hard for the consumers of these logs to decide whether the stream was good or bad. Information about inter-packet delay or fragmentation/out-of-order packets might definitely help to reach a verdict on this flow. This is a big problem, as the network security market is now populated by companies that analyse such logs, often using machine learning (ML) techniques, and decide about the health of the monitored network (to be honest, in this ML trend companies often call "ML" statistical methods such as Holt-Winters that have nothing to do with ML but are fashionable when used for "predictions"). The reason is that ML is based on features (i.e. a traffic metric, in network traffic monitoring parlance): if the input is poor, ML can't go too far with it. So we're back to square one: the evolution of this market is limited by the ability of tools to produce meaningful logs, i.e. features, on which ML algorithms can do their best. For this reason, in the past years companies have started to create agents to install on hosts for producing very detailed information that is key when used to track host activities. The practice of installing agents on hosts is kind of unexpected news for us, who have been told for years to be completely passive and not to install anything on monitored hosts, so we have to cope with it. If you have read until here, you might wonder what we plan to do at ntop.
In our mind it is key to combine network and security monitoring: visibility means security plus monitoring, for the reasons explained above. All combined. So what we're trying to develop is an ecosystem where:
  • nProbe Agent will evolve (today it focuses too much on containers and too little on security: this needs to change) and become a tool for implementing host visibility (yes, we're thinking about a Windows port but we have not yet made a plan). Unfortunately we have based our tool on eBPF, but RedHat (contrary to the rest of the distros) has decided to move eBPF support out of CentOS/RedHat 8 and put it in a technology preview release. So eBPF adoption seems mixed in the Linux community.
  • nProbe and nProbe Cento will be improved in metric richness (e.g. with the metrics provided by nDPI) and will be used for monitoring network lateral movements in addition to what they do today.
  • ntopng will become the center of this ecosystem, able to collect data not only from ntop tools but also from the outside (read: non-ntop tools, such as firewalls, HIDSs, NIDSs, anti-malware tools). Next week at Suricon we will talk about using ntopng as a Suricata web front-end, and using Suricata as a security feed for ntopng. This is just the first step, as in the upcoming ntopng v4 we plan to integrate additional external feeds and merge them seamlessly. This is because people buy products from leading networking/security companies and (as we did 15 years ago when we opened the original ntop to the outside world by integrating SNMP, NetFlow and sFlow) we cannot tolerate the practice of having many monitoring consoles, instead of a single ntopng-based monitoring console that merges all the available information into a single view of the network. Note that we do NOT want to turn ntopng into a SIEM, but rather use and correlate external feeds to enrich our view of the network.
ntop

Finding a Needle in a Haystack (was Traffic Disaggregation with Sub Interfaces in ntopng)

Network traffic moving across a link often contains various types of traffic; for example, in large companies it can include a mix of traffic coming from the employees network, core company servers, the guests network, and other sources. Analysing the traffic as a whole is usually complicated and, as a consequence, many things are hard to see. It is more convenient to split it into smaller subsets based on traffic type and analyse each of them separately. This is because with a lot of heterogeneous traffic, specific patterns might be hard to identify. In many …
ntop

Do You Know What Hackers Hide in SSL/TLS?

ntop believes that the future of traffic monitoring and network security will be decided by the ability to inspect the behaviour of encrypted communications. We are fortunate that Sam Bocetta agreed to talk about encryption. Sam is a freelance journalist specializing in US diplomacy and national security, with an emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography. He is currently working as a part-time cybersecurity coordinator at AssignYourWriter.co. SSL/TLS authentication has been around for a while. As one of the first internet safety protocols, an SSL certificate, signified by a …