ntopng

ntop

Using ElasticSearch to Store and Correlate Ntopng Alarms

With the introduction of ntopng endpoints and recipients, it is now possible to handle alerts in a flexible fashion by means of recipients. ntopng embeds a SQLite database for turn-key alert storage and reporting. However, in large organizations with many alerts, the scalability of this solution is limited because only a limited number of records (16k) can be handled. In the latest ntopng 4.1.x versions it is now possible to export alerts to an external ElasticSearch database (not available in the community edition). This post shows you how to use …
ntopng

Using ntopng Recipients and Endpoints for Flexible Alert Handling

In the latest ntopng 4.1.x versions (and soon 4.2) we have completely reworked the way alerts are delivered to subscribers. Up to 4.0 the ntopng engine was configured in a single way for all alerts: go to the preferences page and specify where to deliver alerts. This was suboptimal for many reasons, including the fact that it was not possible to send alerts to different recipients on different channels, or to selectively decide when to send alerts out. For this reason we have introduced the concept of Endpoints, server account configurations where …
nDPI

Monitoring Industrial IoT/Scada Traffic with nDPI and ntopng

Monitoring Industrial IoT and SCADA traffic can be challenging, as most open source monitoring tools are designed for Internet protocols. As this is becoming a hot topic with companies automating production lines, we have decided to enhance ntop tools to provide our user community with traffic visibility even in industrial environments. This has required enhancing nDPI to detect these protocols and enhancing ntopng, our monitoring console, to visualize this traffic by providing enhanced protocol dissection on top of which alerts can be triggered. To date, nDPI supports Modbus, DNP3 and …
Cybersecurity

How Attack Mitigation Works (via SNMP)

One of the greatest strengths of ntopng is its ability to correlate data originating at different layers and from multiple sources. For example, ntopng can look at IP packets and Ethernet frames and, at the same time, poll SNMP devices. This enables ntopng to effectively perform correlations and observe: the behavior of IP addresses (e.g., is this IP known to be blacklisted?); the MAC addresses carrying IP traffic around the network; the physical location of the MAC addresses (i.e., the physical switches traversed by a given MAC address along with …
Cybersecurity

Mice and Elephants: HowTo Detect and Monitor Periodic Traffic

Most people are used to top X: top senders, top receivers, top protocols. So in essence they are looking for elephants. While this is a good practice, mice are also very interesting, as they can often be hidden in the noise. In cybersecurity, noise is very good for attackers, as they often try to hide in it in order to evade security controls. Much malware is programmed in a for-loop fashion: do a), do b), do c), then go back to a) in an infinite loop. In …
nDPI

Howto Identify and Block Telegram-based Botnets

Botnets are a popular way to run malware on a network using the command and control paradigm. Popular protocols used by botnets include IRC and HTTP. Most IDSs can detect bots as long as they can inspect the network traffic. This makes network administrators blind when bots move to encrypted and cloud-based protocols (i.e. ones that you cannot block with a simple IP-based ACL). The popular Telegram messaging system allows people to create a bot in minutes, as shown in the code excerpt below.

bot = Bot(token)
def run():
    """ …
nDPI

Trickbot Malware Analysis Using nDPI and ntopng

Trickbot is malware distributed via malspam, i.e. spam emails containing links for downloading malicious files that infect computers. A pcap file of a Trickbot infection named 2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap can be downloaded at this URL. You can analyse the file using nDPI as follows:

ndpiReader -i 2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap -v 2 -J > /tmp/trickbot.txt

Let’s now open the trickbot.txt file and search for “Risk”. This is a tag added to nDPI-analysed flows when there is a non-zero security risk associated with the analysed traffic. Most problems include: obsolete TLS protocol with self-signed certificate …
ntopng

How Active Monitoring Works in ntopng

In v4 we introduced active monitoring in ntopng, and since then we have been improving it in the 4.1.x development versions. In order to enable it you have to select the “System” interface from the top menubar and select “Active Monitoring” from the left “System” menu. On that page you will see a table containing all your measurements. The code has been written in a modular way, so that the available measurements can be extended as necessary simply by adding a new Lua script. As you can see from the measurements source, you …
ntopng

Implementing Network Visibility in Covid-19 Days

The ongoing health emergency demands that businesses enable employees to work from home: call it smart working or (better) remote working. This process puts pressure on the company Internet connection, as many (if not all) activities need to be done remotely. Working from home is a good practice in order to avoid extra personal stress and reduce virus spread, but only if the company’s Internet lines have enough capacity to handle all the remote workers. How can you measure this extra traffic (with respect to the days before the emergency) and optimise your …
ntop

ntopng 4.0: A Refreshed Look with Dark Themes!

The latest ntopng 4.0 has a renewed look. The main changes we have introduced are: an always-on-top status bar. Key information on the health and status of the network is essential for the analyst, and it must always be visible and easily accessible. This is why we have introduced an always-on-top fixed status bar with key information such as network throughput, active hosts, flows, and ongoing alerts. This information was previously placed at the bottom of every page, so it was difficult to access and a lot of scrolling …
ntopng

Active Monitoring in ntopng 4.0: ICMP, ICMPv6, HTTP and HTTPS pings with RTT

The latest stable ntopng 4.0 features a Round Trip Time (RTT) monitor which is capable of pinging hosts on a minute-by-minute basis to check: IP reachability with ICMP and ICMPv6 pings; web server functionality with HTTP and HTTPS pings. Checks account for the RTT, that is, the time it takes to reach a certain host and receive a response from it. ntopng shows all the RTT-monitored hosts under the System Interface. For each monitored host ntopng offers the following information: the full URL of the monitored host; the URL …
Announce

Introducing ntopng for MacOS. Finally.

For a long time our MacOS users have asked for a native ntopng package. Even though we use MacOS and Linux to develop our tools, we didn’t consider it important to revamp the MacOS installer (ntopng 1.x has a native MacOS installer), as there are solutions such as brew.sh that allow you to install packages. However, such tools are not for all Mac users, who do not necessarily like to use the command line. Thus we have created a native package that installs in one click all the required components (e.g. Redis) needed by …