ntopng

Hello everybody ! We are going to use this new blog-post serie to explain ntopng new features and graphic changes; let we know your feedback! Today we are going to talk about Alert Severities. In ntopng, Alert Severities, are really important because they are used to understand how severe a problem is. Unfortunately we noticed that there are too many alerts with high score and high severities, confusing ntopng users on which is a critical problem and which is not, independently from the network. For this reason we decided to …

Many times traffic analysts receive pcap files containing some traffic to analyse. The usual steps for analysing the pcap file with ntopng have been for a long time: Save the pcap file to disk and upload it to the host where ntopng is running. Stop the ntopng service and restart it from shell as ‘ntopng -i uploaded_file.pcap’ Once the analysis is over, stop ntopng, delete the uploaded pcap, and restart ntopng as a service. These steps are too complex for many people, and do not ease the adoption of ntopng …

ntopng can export both flows and alerts in Elastic according to the Elastic Common Schema (ECS) format. You can dump flows (not alerts) in Elastic starting ntopng with -F “es;<mapping type>;<idx name>;<es URL>;<http auth>”. For instance you can do ntopng -F "es;ntopng;ntopng-%%Y.%%m.%%d;http://localhost:9200/_bulk;" We do not advise to use Elastic as flow collector, as when the record cardinality increases the database slows down and you are forced to use an Elastic cluster even on mid-size networks. We definitively advise you to enable -F clickhouse instead that is able to handle billion …

ntopng users are familiar with the search box present at the top of each page. It was originally designed to find hosts and jump to their details page. Over the years we have added a lot of new information in ntopng, and limiting its scope only to hosts was not a good idea. The image below is how we have improved it. In the new search we do not limit our scope to hosts but to everything inside ntopng, as a a mini embedded search engine. The first column shows …

Alerts in ntopng are the result of traffic analysis based on checks. Checks detect that specific indicators on traffic require attention: for instance a host whose behavioural score has exceeded a given threshold or a flow that is exfiltrating data. Checks process traffic information with respect to a specific Network element, and for this reason they are divided into families (e.g. host, interface, flow, …). Regardless of the family, they can cover a security aspect, or they can monitor the network performance, for this reason they belong to different categories …

Today we’ll discuss the ntopng integration with Checkmk, a popular open source infrastructure monitoring tool to which ntopng adds traffic visibility. If IT infrastructure monitoring and network usage monitoring would see each other on Tinder, they would both for sure swipe right and match. Bringing the big picture perspective of IT infrastructure monitoring together with the in-depth information from network usage monitoring is thus a logical step. That’s why ntop and tribe29, the developers of the IT monitoring solution Checkmk partnered and jointly built a seamless integration of both tools. …