ntopng generates alerts to report the occurrence of events and the crossing of user-configurable thresholds. Behavioral Checks are responsible for the generation of alerts. Enabling and disabling a Check enables or disables the corresponding alerts.
Alerts include, but are not limited to:
- The detection of a new device
- The status change of a switch port detected via SNMP
- The contact of a malware host
- A user activity
Certain alerts are configurable. For example, alerts can be triggered when certain user-configurable thresholds are crossed. As soon as ntopng detects that a threshold has been crossed, it immediately triggers the corresponding alert.
Examples of thresholds include:
- “The traffic generated by a host falls below a certain threshold”
- “The number of SYN sent by a host exceeds a certain number so it is considered a scanner”
- “Packet drops of an interface exceed a given percentage of the total number of monitored packets”
- “The total traffic originated at a network exceeds a certain threshold”
ntopng Behavioral Checks perform the evaluation of thresholds periodically, at predefined time intervals.
Alerts associated with a threshold have a duration, that is, they are active for a certain period of time. This period of time starts when the threshold is first met and stops when the threshold is no longer met. For this reason, such alerts are said to be engaged or past, depending on whether the triggering threshold is still met or not.
When the threshold is first met, ntopng puts the corresponding alert in an engaged state. The set of alerts that are currently engaged is available from the engaged alerts page identified by the hourglass icon.
When the triggering threshold of an engaged alert is no longer met, the alert becomes past and it will no longer be visible in the engaged alerts page. Alerts, once released, become available from the all alerts page identified by the inbox icon, and their duration is indicated in the corresponding column.
Alerts associated with events don’t have a duration associated. They are triggered at the time of the event, and a duration is not meaningful for them. For this reason, such alerts are never engaged or released; they are just considered past as soon as they are detected, and they are placed under the all alerts page without any duration indicated.
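The engaged/past lifecycle described above, modelled as an added Python example (not ntopng code). The alert names `traffic_exceeded` and `new_device`, the 60-second check interval, the 500 threshold and the sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    entity: str                      # e.g. "host", "network", "mac"
    entity_value: str                # e.g. "192.168.1.2"
    name: str                        # hypothetical alert name
    first_seen: int                  # epoch seconds
    duration: Optional[int] = None   # stays None for event alerts

class AlertStore:
    def __init__(self):
        self.engaged = {}            # (entity, entity_value, name) -> Alert
        self.past = []               # released threshold alerts and all event alerts

    def check_threshold(self, now, entity, value, name, measured, threshold):
        """One periodic evaluation of an 'exceeds threshold' check."""
        key = (entity, value, name)
        alert = self.engaged.get(key)
        if measured > threshold:
            if alert is None:        # threshold first met: engage
                self.engaged[key] = Alert(entity, value, name, now)
        elif alert is not None:      # threshold no longer met: release
            alert.duration = now - alert.first_seen
            self.past.append(self.engaged.pop(key))

    def event(self, now, entity, value, name):
        """Event alerts are never engaged; they are past immediately, with no duration."""
        self.past.append(Alert(entity, value, name, now))

def replay():
    store = AlertStore()
    # Constructed samples: (time in s, bytes/s) for one host, evaluated every 60 s
    samples = [(0, 100), (60, 900), (120, 950), (180, 200), (240, 100)]
    for t, bps in samples:
        store.check_threshold(t, "host", "192.168.1.2", "traffic_exceeded", bps, 500)
    store.event(250, "mac", "00:11:22:33:44:55", "new_device")
    return store

if __name__ == "__main__":
    for a in replay().past:
        print(a)
```

In this model the recorded duration is always a multiple of the check interval, because the threshold is only evaluated periodically.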
During its execution, ntopng can detect anomalous or suspicious flows for which it triggers special flow alerts. Such alerts not only carry the event that caused the alert to be fired, they also carry all the flow details, including source and destination IP addresses, layer-7 application protocol, and ports.
Flow alerts are always associated with events and thus they are never engaged or released and are placed in the past alerts directly.
Alerts that require human attention and should be manually handled (e.g. related to security issues) are also placed in the page identified by the eye icon, until they are acknowledged.
Behavior alerts are a recently introduced type of alert. Unlike the usual alerts, which are configured using a static threshold, they have the ability to learn over time and change their threshold dynamically.
This is achieved by using one of the three forecasting algorithms developed by nDPI: Simple Exponential Smoothing, Double Exponential Smoothing, and Triple Exponential Smoothing (the Holt-Winters algorithm).
These algorithms forecast the future and give a prediction of the analyzed value. The alert is triggered based on this forecast value.
The alert is triggered only if the real value is lower or greater than certain thresholds that nDPI calculates (it gives a lower and an upper bound).
Behavior Alerts are available only with the ntopng Enterprise L license.
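How a forecast with a lower and an upper bound turns into an alert, as an added Python example using Double Exponential Smoothing; this is not nDPI's implementation. The band of `k` times the RMS of past forecast errors, the smoothing parameters, the warm-up length and the sample series are assumptions made for the illustration.

```python
import math

# Constructed series: a value oscillating between 100 and 104,
# with one spike (index 10) and one drop (index 12).
SAMPLE = [100, 104, 100, 104, 100, 104, 100, 104, 100, 104, 160, 100, 40]

def holt_band_alerts(series, alpha=0.5, beta=0.5, k=3.0, warmup=4):
    """Return (index, value, lower, upper) for each value outside the forecast band."""
    level, trend = series[1], series[1] - series[0]
    sq_err, n, alerts = 0.0, 0, []
    for i in range(2, len(series)):
        x = series[i]
        forecast = level + trend          # one-step-ahead prediction
        anomalous = False
        if n >= warmup:                   # need some error history before judging
            dev = math.sqrt(sq_err / n)   # RMS of past forecast errors
            lower, upper = forecast - k * dev, forecast + k * dev
            if x < lower or x > upper:
                alerts.append((i, x, lower, upper))
                anomalous = True
        if anomalous:
            # Design choice of this example: do not learn from the outlier,
            # so a single spike does not widen the band or drag the level.
            # A permanent level shift would therefore keep alerting.
            x = forecast
        else:
            sq_err += (x - forecast) ** 2
            n += 1
        new_level = alpha * x + (1 - alpha) * forecast
        trend = beta * (new_level - level) + (1 - beta) * trend
        level = new_level
    return alerts

if __name__ == "__main__":
    for idx, value, lower, upper in holt_band_alerts(SAMPLE):
        print(f"index {idx}: {value} outside [{lower:.1f}, {upper:.1f}]")
```

A static threshold would have to be chosen by hand for this series; here the bounds follow the data, so both the spike and the drop are flagged without one.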
ntopng keeps track of user activities that are related to system management and security, storing them as alerts. These activities include:
- Users management: user added or removed, password changed
- Live traffic downloaded
- Traffic extraction (live or PCAP downloaded)
- Host JSON downloaded
- Flows data downloaded
- Alerts settings changes: alerts disabled or enabled, alerts data deleted
- Failed or successful logins
- Traffic recording enabled or disabled
- Hosts/interfaces data deleted
- SNMP device added or removed
User activities are available in the System Interface, under the Past Alerts page.
Event and threshold alerts are always associated with a severity that tells the importance of such occurrence. For example, the contact of a blacklisted host is emphasized with a warning, whereas a threshold crossed by a host is highlighted with an error. Currently, the available severity levels are those defined in RFC 3164, namely:
- Emergency: system is unusable
- Critical: critical conditions
- Error: error conditions
- Warning: warning conditions
- Notice: normal but significant condition
Every alert has an entity (the subject for which the alert has been generated). The entities supported by ntopng are:
- Host: Layer-3 IP address
- Interface: monitored ntopng interface
- Network: ntopng local network
- SNMP device: device added to ntopng from the SNMP page
- SNMP device interface: device added to ntopng from the SNMP page
- Flow: monitored flow
- MAC Address: Layer-2 MAC address
- Host Pool: the user-created host pool
- Process: the ntopng process itself
- User: the ntopng GUI user
For example, an alert triggered for host 192.168.1.2 that has exceeded a traffic threshold will have “host” as entity and “192.168.1.2” as entity value. Similarly, network 192.168.2.0/24 that has exceeded a traffic threshold will have “network” as entity and “192.168.2.0/24” as entity value.
Entities are not shown when browsing ntopng alert pages as they are clear from the context and alert messages. Understanding how entities work can be useful when propagating alerts to third-party endpoints such as syslog.
The full list of alerts is available under the Settings section, page Behavioral Checks.