How to Configure Flow Risk Exclusions in nDPI and ntopng


Flow risks are the mechanism nDPI implements for detecting issues in network traffic; their theoretical design is documented in the paper Using Deep Packet Inspection in CyberTraffic Analysis that we wrote last year. While we are reworking the definition of risk exceptions in ntopng to make them fully configurable with a few clicks, you can already configure risk exceptions by adding them to a protos.txt file. This file is passed to ntopng by adding to the ntopng configuration file a line such as


and creating the /etc/ntopng/protos.txt file.

This said, how do we define flow risk exceptions in nDPI? These are the directives you have to use:

  • IP address based exceptions (caveat: for the time being only IPv4 is supported)
  • Hostname based exceptions
  • Custom protocol ports
  • Custom encryption certificate authorities

Usage examples:

  • Q. In my network I have HTTP running on 8008: how can I silence “Known Protocol on Non Standard Port” alerts?
    A. Add the following entry in the protos.txt file
    Note that HTTP is the name of an existing protocol known to nDPI. Make sure the string case matches the existing protocol name. If the protocol name string does not exist, a new port-based protocol is defined in nDPI.
  • Q. My device is old, and it has several cybersecurity issues (e.g. obsolete TLS ciphers). However the device is well protected in the network and thus such issues should be ignored. How can I silence them?
    A. Add the following entry in the protos.txt file (note: 0 means mask all exceptions)
  • Q. I see many DGA alerts for domain. How can I silence them?
    A. Add the following entry in the protos.txt file (note: 0 means mask all exceptions)
  • Q. In my network we have self-signed TLS certificates created with a custom CA. How can I tell nDPI not to generate these alerts?
    A. Open ntopng (or wireshark) to see the issuer DN string inside the TLS flows, copy the string, and add a new line in the protos.txt file as follows:
    trusted_issuer_dn:"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US"
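As an added example (not code from the ntop project), here is a small Python linter for protos.txt lines that catches the pitfalls noted above before ntopng loads the file: a protocol name whose case does not match an existing nDPI protocol (which silently defines a new port-based protocol instead of silencing the alert), an IPv6 address where only IPv4 is supported, and curly quotes pasted from a web page. The directive shapes (tcp:<port>@<PROTO>, ip_risk_mask:<ip>=<mask>, host_risk_mask:"<host>"=<mask>, trusted_issuer_dn:"<DN>") and the KNOWN_PROTOCOLS set are assumptions taken from nDPI's example protos.txt; check them against the nDPI version you run.

```python
import ipaddress
import re

# Constructed subset of nDPI protocol names; the real list is far larger.
KNOWN_PROTOCOLS = {"HTTP", "TLS", "SSH", "DNS"}
# Directive shapes assumed from nDPI's example protos.txt, not from the post.
PORT_RULE = re.compile(r"^(tcp|udp):(\d+)@(\S+)$")
IP_RULE = re.compile(r"^ip_risk_mask:([^=\s]+)=(\d+)$")
HOST_RULE = re.compile(r'^host_risk_mask:"([^"]+)"=(\d+)$')
DN_RULE = re.compile(r'^trusted_issuer_dn:"([^"]+)"$')

def lint_line(line: str) -> list[str]:
    """Return warnings for one protos.txt line (empty when it looks fine)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    # Curly quotes pasted from a web page are not the ASCII quotes nDPI expects.
    if "\u201c" in line or "\u201d" in line:
        return ["curly quotes found; use plain double quotes"]
    if m := PORT_RULE.match(line):
        port, proto = int(m.group(2)), m.group(3)
        warnings = [] if 1 <= port <= 65535 else [f"port {port} is out of range"]
        if proto not in KNOWN_PROTOCOLS:
            hint = "case mismatch" if proto.upper() in KNOWN_PROTOCOLS else "unknown name"
            warnings.append(f"protocol '{proto}' ({hint}): a new port-based protocol "
                            "would be defined instead of matching the existing one")
        return warnings
    if m := IP_RULE.match(line):
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            return [f"invalid IP address '{m.group(1)}'"]
        return [] if net.version == 4 else ["IPv6 risk masks are not supported, only IPv4"]
    if HOST_RULE.match(line) or DN_RULE.match(line):
        return []
    return ["unrecognised directive"]

def lint_file(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to their warnings, omitting clean lines."""
    return {n: w for n, line in enumerate(text.splitlines(), 1) if (w := lint_line(line))}

# Constructed sample protos.txt: one entry per directive kind plus two mistakes.
SAMPLE = """# custom port for HTTP
tcp:8008@HTTP
tcp:8080@http
ip_risk_mask:192.168.10.5=0
ip_risk_mask:2001:db8::1=0
host_risk_mask:"myhost.example"=0
trusted_issuer_dn:"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US"
"""
```

Running lint_file(SAMPLE) flags lines 3 (lowercase http) and 5 (IPv6 address); everything else passes.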

If you want to fully explore what you can define in the protos.txt file, please see this comprehensive example file that contains all the possible exceptions you can define.

Enjoy!