Available Alerts
ntopng alerts are evaluated with Web UI User Scripts. Checks are executed for hosts, interfaces, SNMP devices, and other network elements, and are configurable under Checks from the Settings left sidebar.

Checks are designed to verify specific conditions and, when they are not met, trigger an alert. Below you can find the list of check families and the alerts available in each:
- Host Behavioural Checks
  - DNS Server Contacts Alert
  - Dangerous Host
  - Score Anomaly
  - NTP Server Contacts
  - DNS Server Contacts Alert
  - SYN Flood Alert
  - SYN Scan Alert
  - ICMP Flood Alert
  - Packets Alert
  - Remote Connection
  - DNS Traffic Alert
  - Countries Contacts Alert
  - Scan Detection Alert
  - Score Threshold Exceeded
  - NTP Traffic Alert
  - P2P Traffic Alert
  - Flows Anomaly
  - Host User Check Script
  - Host External Check (REST)
  - Local Traffic Volume Rules
- Interface Behavioural Checks
  - Ghost Networks
  - Idle Hash Table Entries Alert
  - Interface Alerts Drops
  - No activity on interface
  - Periodic Activity Not Executed
  - Slow Periodic Activity
  - Throughput Alert
  - Unexpected Application Behaviour
  - Unexpected ASN Behaviour
  - Unexpected Network Behaviour
  - DHCP Storm
  - DHCP Starvation
  - Unexpected Device Connected/Disconnected
- Local Networks Behavioural Checks
- SNMP Behavioural Checks
- Flow Behavioural Checks
  - Anonymous Subscriber
  - Blacklisted Flow
  - Clear-Text Credentials
  - DNS fragmented messages
  - DNS Invalid Characters
  - Malformed packets
  - External Alert
  - Suspicious User Agent
  - Suspicious HTTP header
  - Suspicious HTTP URL
  - Malicious DNS query
  - Punycode IDN
  - ICMP Data Exfiltration
  - Known Application on Non-Standard Port
  - Deprecated SSH protocol
  - Outdated TLS versions
  - Domain Generation Algorithm (DGA)
  - Remote Code Execution
  - Missing TLS SNI
  - Unidirectional Traffic
  - TCP connection refused
  - Non-printable characters
  - The Remote desktop session has ended
  - Possible SQL Injection
  - Possible XSS
  - Unsafe protocol
  - HTTP Suspicious Content
  - TLS flow will not be used to transport HTTP content
  - TLS Certificate Issues
  - SMB insecure
  - Blacklisted Country
  - Large DNS Packet (512+ bytes)
  - HTTP Numeric IP Host
  - Web Mining
  - Unexpected DNS Server
  - Unexpected NTP Server
  - Remote to Local Insecure Protocol
  - Elephant flow
  - Possible exploit
  - Binary Application Transfer
  - Error Code
  - Lateral Movement Detection
  - No Data Exchanged
  - TCP Retransmission Issues
  - Zero TCP Window
  - Numeric IP Address
  - Detects anomalies in active flows numbers
  - Suspicious Entropy
  - Long Lived
  - Not Purged
  - TLS Unsafe Ciphers
  - TLS Certificate About To Expire
  - TLS Certificate Expired
  - Obsolete SSH Client version or Cipher
  - Malicious JA3 Signature
  - Low goodput
  - HTTP Crawler/Bot
  - DNS Data Exfiltration
  - Device Application Not Allowed
  - Lateral Movement Detection
  - Obsolete SSH Server Version or Cipher
  - Periodicity Changed Detection
  - Potentially Dangerous Protocol
  - Remote Access
  - Suspicious DNS traffic
  - Suspicious TLS ESNI Usage
  - TLS (probably) not carrying HTTPS
  - Self-Signed Certificates
  - TLS certificate validity longer than 13 months
  - Unexpected DHCP
  - Unexpected SMTP Server
  - Unidirectional UDP Flow
  - VLAN Bidirectional Flow
  - IEC Invalid Command Transition
  - IEC Invalid Transition
  - IEC Unexpected TypeID
- System Behavioural Checks
- Syslog Checks