Alerts List per License
=======================

Some ntopng alerts are only available with a specific license. Here is a list of all the alerts, divided by family, and their availability depending on the license.

**Host Behavioural Checks**
~~~~~~~~~~~~~~~~~~~~~~~~~~~

+---------------------------+-----------+-----+--------------+--------------+---------------+
|                           | Community | Pro | Enterprise M | Enterprise L | Enterprise XL |
+===========================+===========+=====+==============+==============+===============+
| Countries Contacts        | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Dangerous Host            | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| DNS Flood                 |           | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| DNS Server Contacts       | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| DNS Traffic               | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Domain Names Contacts     | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Flow Flood                | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Flows Anomaly             |           | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Host External Check (REST)| x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Host User Check Script    | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| ICMP Flood                | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| NTP Server Contacts       | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| NTP Traffic               | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| P2P Traffic               | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Packets Exceeded          | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Remote Connection         | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| RST Scan                  | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Scan Detection            | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Score Anomaly             |           | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| Score Threshold Exceeded  | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| SMTP Server Contacts      | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| SNMP Flood                |           | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| SYN Flood                 | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| SYN Scan                  | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+
| FIN Scan                  | x         | x   | x            | x            | x             |
+---------------------------+-----------+-----+--------------+--------------+---------------+

**Interface Behavioural Checks**
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+------------------------------------------+-----------+-----+--------------+--------------+---------------+
|                                          | Community | Pro | Enterprise M | Enterprise L | Enterprise XL |
+==========================================+===========+=====+==============+==============+===============+
| Alerts Drops                             | x         | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| DHCP Storm                               |           | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Ghost Networks                           | x         | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Idle Hash Table Entries                  |           | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| No Traffic Activity                      | x         | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Packet Drops                             |           | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Periodic Activity Not Executed           | x         | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Slow Periodic Activity                   | x         | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Throughput Exceeded                      | x         | x   | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected Application Behaviour         |           |     |              | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected ASN Behaviour                 |           |     |              | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected Device Connected/Disconnected |           |     | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected Network Behaviour             |           |     |              | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected Score Behaviour               |           |     |              | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected Traffic Behaviour             |           |     | x            | x            | x             |
+------------------------------------------+-----------+-----+--------------+--------------+---------------+

**Local Networks Behavioural Checks**
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+----------------------------+-----------+-----+--------------+--------------+---------------+
|                            | Community | Pro | Enterprise M | Enterprise L | Enterprise XL |
+============================+===========+=====+==============+==============+===============+
| Broadcast Domain Too Large | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| Egress Traffic             | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| Flow Flood Victim          | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| Ingress Traffic            | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| Inner Traffic              | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| IP/MAC Reassoc/Spoofing    | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| Network Discovery          | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| Network Issues             | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| Network Score per Host     |           | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| SYN Flood Victim           | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+
| SYN Scan Victim            | x         | x   | x            | x            | x             |
+----------------------------+-----------+-----+--------------+--------------+---------------+

**SNMP Behavioural Checks**
~~~~~~~~~~~~~~~~~~~~~~~~~~~

+--------------------------------+-----------+-----+--------------+--------------+---------------+
|                                | Community | Pro | Enterprise M | Enterprise L | Enterprise XL |
+================================+===========+=====+==============+==============+===============+
| Duplex Status Change           |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| High Interface Discards/Errors |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| Interface Errors Exceeded      |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| LLDP/CDP Topology Monitor      |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| MAC Detection                  |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| MAC Port Changed               |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| Oper. Status Change            |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| SNMP Device Restart            |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| Threshold Crossed              |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| Too Many MACs on Non-Trunk     |           |     | x            | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+
| Traffic Change Detected        |           |     |              | x            | x             |
+--------------------------------+-----------+-----+--------------+--------------+---------------+

**Flow Behavioural Checks**
~~~~~~~~~~~~~~~~~~~~~~~~~~~

+---------------------------------------+-----------+-----+--------------+--------------+---------------+
|                                       | Community | Pro | Enterprise M | Enterprise L | Enterprise XL |
+=======================================+===========+=====+==============+==============+===============+
| Anonymous Subscriber                  | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Binary Application Transfer           | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Blacklisted Country                   | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Blacklisted Flow                      | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Broadcast Non-UDP Traffic             | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Clear-Text Credentials                | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Crawler/Bot                           | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Desktop/File Sharing                  | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| DNS Data Exfiltration                 |           |     | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| DNS Invalid Characters                | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Elephant flow                         |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Error Code                            | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| External Alert                        |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Flow User Check Script                | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Fragmented DNS Message                | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| HTTP Obsolete Server                  | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| HTTP Susp Content                     | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| HTTP Susp Header                      | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| HTTP Susp URL                         | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| HTTP Susp User-Agent                  | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| HTTP/TLS/QUIC Numeric Hostname/SNI    | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| ICMP Data Exfiltration                |           |     | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| IEC Invalid Command Transition        | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| IEC Invalid Transition                | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| IEC Unexpected TypeID                 | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Invalid DNS Query                     |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Known Proto on Non-Standard Port      | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Large DNS Packet (512+ bytes)         | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Lateral Movement Detection            |           |     |              | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Long Lived                            |           |     |              | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Low Goodput                           | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Malformed packets                     | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Malicious JA3 Fingerp                 | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Malicious JA3 SHA1 Cert               | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Minor Issues                          | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Missing SNI TLS Extn                  | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| ModbusTCP Invalid Transition          |           |     |              | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| ModbusTCP Too Many Exceptions         |           |     |              | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| ModbusTCP Unexpected Function Code    |           |     |              | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Not Purged                            | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Obsolete SSH Client Version or Cipher | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Obsolete SSH Server Version or Cipher | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Old TLS Version                       | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Periodic Flow                         | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Periodicity Changed                   |           |     |              | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Possible Exploit                      | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Possible RCE                          | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Possible SQL Inj                      | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Punycode IDN                          | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Rare Destination                      | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Remote Access                         | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Remote to Local Insecure Protocol     | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Remote to Remote Flow                 | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Risky ASN                             | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Risky Domain                          | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| SMB insecure                          | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Susp DGA Domain name                  | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Susp Entropy                          | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Susp Device Protocol                  | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Suspicious DNS traffic                | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TCP Connection Issues                 |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TCP Connection Refused                |           |     | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TCP No Data Exchanged                 | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TCP Packets Issues                    | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TCP With No Answer                    | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TCP Zero Window                       | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS (probably) Not Carrying HTTPS     | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Cert About To Expire              | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Cert Expired                      |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Cert Validity Too Long            |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Cert Issues                       | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Cert Self-Signed                  |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Fatal Alert                       |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Susp ESNI Usage                   |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Suspicious Extension              |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Uncommon ALPN                     |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| TLS Unsafe Ciphers                    |           | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected DHCP                       | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected DNS                        | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected NTP                        | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unexpected SMTP                       | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unidirectional Flow                   | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Unsafe protocol                       | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| VLAN Bidirectional Flow               | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| Web Mining                            | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+
| XSS Attack                            | x         | x   | x            | x            | x             |
+---------------------------------------+-----------+-----+--------------+--------------+---------------+

**System Behavioural Checks**
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+----------------------------------------+-----------+-----+--------------+--------------+---------------+
|                                        | Community | Pro | Enterprise M | Enterprise L | Enterprise XL |
+========================================+===========+=====+==============+==============+===============+
| Intrusion Detection and Prevention Log | x         | x   | x            | x            | x             |
+----------------------------------------+-----------+-----+--------------+--------------+---------------+
| Periodic Activity Not Executed         | x         | x   | x            | x            | x             |
+----------------------------------------+-----------+-----+--------------+--------------+---------------+
| Slow Periodic Activity                 | x         | x   | x            | x            | x             |
+----------------------------------------+-----------+-----+--------------+--------------+---------------+
| System Alerts Drops                    | x         | x   | x            | x            | x             |
+----------------------------------------+-----------+-----+--------------+--------------+---------------+
| Vulnerability Scan Changes             |           |     |              | x            | x             |
+----------------------------------------+-----------+-----+--------------+--------------+---------------+

**Syslog Behavioural Checks**
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+----------------+-----------+-----+--------------+--------------+---------------+
|                | Community | Pro | Enterprise M | Enterprise L | Enterprise XL |
+================+===========+=====+==============+==============+===============+
| Fortinet       |           |     |              | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+
| Host Log       | x         | x   | x            | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+
| Kerberos/NXLog |           |     |              | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+
| nBox           | x         | x   | x            | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+
| OpenVPN        |           |     |              | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+
| OPNsense       |           |     |              | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+
| SonicWALL      |           |     |              | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+
| Sophos         |           |     |              | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+
| Suricata       | x         | x   | x            | x            | x             |
+----------------+-----------+-----+--------------+--------------+---------------+