Hello everybody! Welcome back to the weekly blog post of this serie used to update you with the latest ntopng features and graphical changes. Please let us know your feedback! Today we are going to talk about Host Traffic Analysis. When analyzing traffic generated by a host, one of the main metrics we are interested […]
Howto use Kafka (instead of ZMQ) For Reliable Flow Collection and IPC
Historically, we have used ZMQ for interconnecting nProbe to ntopng, as this is a fast and simple messaging system. However one of they key advantage of ZMQ of being broker-less is sometime a problem. In case of maintenance, traffic peaks, or unreliable communications, the ZMQ communication between nProbe and ntopng will drop flows with the […]
What’s New in ntopng: Alert Severities
Hello everybody ! We are going to use this new blog-post serie to explain ntopng new features and graphic changes; let we know your feedback! Today we are going to talk about Alert Severities. In ntopng, Alert Severities, are really important because they are used to understand how severe a problem is. Unfortunately we noticed […]
Malware Traffic Analysis in ntopng
ntop users have started to use our tools for malware analysis as contrary to packet sniffers or text-based security tools, ntopng comes with a web interface that simplifies the analysis. For this reason we have recently: Added the ability to upload a pcap file to ntopng using the web GUI, so that you can analyze […]
Using Blacklists to Catch Malware Communications Using ntopng
A category list is a control mechanism used to label traffic according to a category. In nDPI, the traffic classification engine on top of which ntop applications are built, there are various categories including (but not limited to) mining malware advertisement file sharing video streaming A blacklist is a list of IP addresses or symbolic […]
HowTo Use ntopng for Pcap Analysis
Many times traffic analysts receive pcap files containing some traffic to analyse. The usual steps for analysing the pcap file with ntopng have been for a long time: Save the pcap file to disk and upload it to the host where ntopng is running. Stop the ntopng service and restart it from shell as ‘ntopng […]
HowTo Visualise ntopng Alerts in Kibana
ntopng can export both flows and alerts in Elastic according to the Elastic Common Schema (ECS) format. You can dump flows (not alerts) in Elastic starting ntopng with -F “es;<mapping type>;<idx name>;<es URL>;<http auth>”. For instance you can do ntopng -F “es;ntopng;ntopng-%%Y.%%m.%%d;http://localhost:9200/_bulk;” We do not advise to use Elastic as flow collector, as when the […]
How to Configure Flow Risk Exclusions in nDPI and ntopng
Flow risks are the mechanism nDPI implements for detecting issues in network traffic whose theoretical design is documented in this paper Using Deep Packet Inspection in CyberTraffic Analysis we have written last year. While we are reworking the definition of risk exceptions in ntopng to make them fully configurable with a matter of clicks, you […]
How We Simplified Data Search in ntopng
ntopng users are familiar with the search box present at the top of each page. It was originally designed to find hosts and jump to their details page. Over the years we have added a lot of new information in ntopng, and limiting its scope only to hosts was not a good idea. The image […]
Dispatching Alerts: How to Master Notifications in ntopng
Alerts in ntopng are the result of traffic analysis based on checks. Checks detect that specific indicators on traffic require attention: for instance a host whose behavioural score has exceeded a given threshold or a flow that is exfiltrating data. Checks process traffic information with respect to a specific Network element, and for this reason […]