ntopng generates alerts to report the occurrence of events and the crossing of user-configurable thresholds.
Events include, but are not limited to:
- The detection of a new device
- The status change of a switch port detected via SNMP
- The contact of a malware host
- A user activity
Events are monitored continuously by ntopng and the corresponding alerts can be triggered at any time without any pre-defined, periodic check.
User-configurable thresholds can be set from the web GUI and are programmatically evaluated by ntopng. As soon as ntopng detects a certain threshold is crossed, it immediately triggers the corresponding alert. Examples of thresholds include:
- “The traffic generated by a host falls below a certain threshold”
- “The number of SYNs sent by a host exceeds a certain number, so it is considered a scanner”
- “Packet drops of an interface exceed a given percentage of the total number of monitored packets”
- “The total traffic originated at a network exceeds a certain threshold”
Thresholds can be configured for:
- Local hosts
- Local networks
The following figure shows all the thresholds that can be set on every interface.
ntopng performs the evaluation of thresholds periodically at predefined time intervals:
- Every minute
- Every 5 minutes
- Every hour
Thresholds can be set at different intervals simply by selecting the corresponding tab.
Events vs. Thresholds
Alerts associated with a threshold have a duration, that is, they are active for a certain period of time. This period of time starts when the threshold is first met and stops when the threshold is no longer met. For this reason, such alerts are said to be engaged or released, depending on whether the triggering threshold is still met or not.
When the threshold is first met, ntopng puts the corresponding alert in an engaged state. The set of alerts that are currently engaged is available from the engaged alerts page.
When the triggering threshold of an engaged alert is no longer met, the alert is released and it will no longer be visible in the engaged alerts page. Alerts, once released, become available from the past alerts page and their duration is indicated in the corresponding column.
Alerts associated with events don’t have an associated duration. They are triggered at the time of the event, but a duration is not meaningful for them. For this reason, such alerts are never engaged or released: they are stored as soon as they are detected and placed under the past alerts page without any duration indicated.
During its execution, ntopng can detect anomalous or suspicious flows for which it triggers special flow alerts. Such alerts not only carry the event that caused the alert to be fired, they also carry all the flow details, including source and destination IP addresses, layer-7 application protocol, and ports.
Flow alerts are always associated with events and thus they are never engaged or released; they are placed in a dedicated flow alerts page.
ntopng keeps track of user activities that are related to system management and security, storing them as alerts. These activities include:
- Users management: user added or removed, password changed
- Live traffic downloaded
- Traffic extraction (live or PCAP downloaded)
- Host JSON downloaded
- Flows data downloaded
- Alerts settings changes: alerts disabled or enabled, alerts data deleted
- Failed or successful logins
- Remote assistance enabled or disabled
- Traffic recording enabled or disabled
- Hosts/interfaces data deleted
- SNMP devices added or removed
User activities are available in the Past Alerts page as standard event alerts.
Event and threshold alerts are always associated with a severity that tells the importance of the occurrence. For example, the contact of a blacklisted host is emphasized with a warning, whereas a threshold crossed by a host is highlighted with an error. Currently, three severity levels are available:
- Info. Used for informative alerts, such as device connections and disconnections or user activities, that don’t directly represent any anomalous event or threshold. Identified with a light blue badge.
- Warning. Used for alerts that deserve further investigation, such as a SYN probing. Identified with an orange badge.
- Error. Used with user-configurable thresholds, for example a traffic threshold crossed by a host. Identified with a red badge.
Every alert has an associated entity and entity value. The entity is the subject for which the alert has been generated. The entities supported by ntopng are:
- Hosts: Layer-3 IP addresses
- Interfaces: monitored ntopng interfaces
- Networks: ntopng local networks
- SNMP devices: devices added to ntopng from the SNMP page
- Flows: monitored flows
- Devices: Layer-2 Mac addresses
- Host Pools: the user-created host pools
- Process: the ntopng process itself
- User: the ntopng UI user
For example, an alert triggered for host 192.168.1.2 that has exceeded a traffic threshold will have “host” as entity and “192.168.1.2” as entity value. Similarly, network 192.168.2.0/24 that has exceeded a traffic threshold will have “network” as entity and “192.168.2.0/24” as entity value.
Entities are not shown when browsing ntopng alert pages as they are clear from the context and alert messages. Understanding how entities work can be useful when propagating alerts to third-party endpoints such as syslog.
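The engaged/released lifecycle of threshold alerts and the entity/entity-value pair described above, as an added example (not ntopng code): the alert store, the threshold-evaluation loop and the key=value export layout are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the alert semantics above (not ntopng code): threshold
# alerts are engaged while the condition holds and released with a duration
# when it stops; event alerts carry no duration. Record layout is assumed.
@dataclass
class Alert:
    entity: str          # "host", "network", "interface", "device", ...
    entity_value: str    # e.g. "192.168.1.2" or "192.168.2.0/24"
    alert_type: str
    severity: str        # "info", "warning" or "error"
    start: int           # epoch seconds: first engaged (threshold) or event time
    end: Optional[int] = None   # None while engaged; set on release

    @property
    def duration(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def to_record(self) -> str:
        # Entity and entity value keep the alert unambiguous once exported,
        # e.g. to syslog (key=value layout assumed, not ntopng's own format).
        dur = "" if self.duration is None else f" duration={self.duration}"
        return (f"entity={self.entity} entity_value={self.entity_value} "
                f"type={self.alert_type} severity={self.severity}{dur}")

class AlertStore:
    def __init__(self):
        self.engaged = {}   # (entity, value, type) -> Alert ("engaged alerts" page)
        self.past = []      # released threshold alerts + event alerts ("past alerts" page)

    def evaluate_threshold(self, entity, value, alert_type, crossed, now):
        key = (entity, value, alert_type)
        if crossed and key not in self.engaged:          # first met: engage
            self.engaged[key] = Alert(entity, value, alert_type, "error", now)
        elif not crossed and key in self.engaged:        # no longer met: release
            alert = self.engaged.pop(key)
            alert.end = now
            self.past.append(alert)

    def record_event(self, entity, value, alert_type, severity, now):
        self.past.append(Alert(entity, value, alert_type, severity, now))

def simulate() -> AlertStore:
    store = AlertStore()
    # Constructed 1-minute traffic samples (bytes) for host 192.168.1.2 checked
    # against the threshold "traffic falls below 1000 bytes per minute".
    for i, traffic in enumerate([5000, 800, 700, 900, 4000, 4500]):
        store.evaluate_threshold("host", "192.168.1.2", "threshold_cross", traffic < 1000, now=60 * i)
    store.record_event("device", "00:11:22:33:44:55", "new_device", "info", now=360)
    return store
```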
The list of currently supported alerts, divided by entity, is outlined below:
- Mac Addresses
- New Device (event): Generated when a new Mac address is seen for the first time by ntopng on a particular interface.
- Device Connection (event): Generated when a previously-seen Mac address starts doing traffic after an inactivity period.
- Device Disconnection (event): Generated when a Mac address goes idle after an activity period.
- IP/MAC Change (event): Generated when the Mac address seen for a given IP changes, for example when the DHCP re-uses an IP address.
- Device Protocols (event): Generated when an anomalous protocol is detected. See device protocols for more details.
- Host Pools
- Host Pool Connection (event): Generated when ntopng starts seeing traffic for at least one host belonging to a pool.
- Host Pool Disconnection (event): Generated when the last host of a pool becomes idle after an activity period.
- SNMP Devices
- Interface Status Change (event): Indicates whether an interface of an SNMP configured device has changed its status, for example by going from Up to Down, or vice versa.
- Unresponsive Device (event): Indicates whether a configured SNMP device no longer responds to SNMP queries.
- Flows
- Interface Alerted (event): Every flow is reported with this type while an alert with severity error is engaged for the interface.
- Remote to Remote Flow (event): Indicates whether a flow has both the client and the server in ntopng remote networks.
- Blacklisted Flow (event): Generated for flows that have the blacklisted client or the blacklisted server (or both).
- Web Mining (event): Used for flows that are supposed to perform mining activities.
- Suspicious Activity (event): Indicates whether there is a suspicious flow behavior, namely when there is one of the following:
- Suspicious TCP SYN Probing (or server port down)
- Suspicious TCP Probing
- TCP connection refused
- SSL certificate mismatch
- Other Entities
- TCP SYN Flood (threshold): Indicates whether a host is exceeding a configurable number of SYNs per second. The alert message also indicates whether the host is the flooder or the victim of the SYN flood.
- Flows Flood (threshold): Indicates whether a host is creating a number of flows that exceeds a configurable maximum number of flows per second. The alert message also indicates whether the host is the flooder or the victim of the flow flood.
- Threshold Cross (threshold): Indicates whether a host, a network or an interface has crossed a configurable threshold. Thresholds can be configured from the host, network and interface details pages.
- Process (event): Indicates ntopng process status changes, including normal and anomalous restarts.
Alerts used only for the ntopng Edge edition are:
- Blocked Flow (event): Generates an alert for every flow that is blocked by ntopng Edge due to configured policies.
- Quota Exceeded (event): Signals a quota exceeded for one of the defined users.
- NFQ Flushed (event): Indicates that the underlying ntopng Edge netfilter queue has been flushed.
Not all the types of alerts are generated by default. Alert generation on a per-type basis can be controlled from the ntopng preferences.