How to Configure Flow Risk Exclusions in nDPI and ntopng


Flow risks are the mechanism nDPI implements to detect issues in network traffic; their theoretical design is documented in the paper Using Deep Packet Inspection in CyberTraffic Analysis that we wrote last year. While we are reworking the definition of risk exceptions in ntopng to make them fully configurable with a few clicks, you can already configure risk exceptions by adding them to a protos.txt file. This file is passed to ntopng through its configuration file by adding a line such as

--ndpi-protocols=/etc/ntopng/protos.txt

and creating the /etc/ntopng/protos.txt file.

That said, how do we define flow risk exceptions in nDPI? These are the directives you can use:

  • IP address based exceptions (caveat: for the time being only IPv4 is supported)
    ip_risk_mask:a.b.c.d/CIDR=mask
  • Hostname based exceptions
    host_risk_mask:"name"=mask
  • Custom protocol ports
    tcp|udp:port@ExistingProtocolName
  • Custom encryption certificate authorities
    trusted_issuer_dn:"CN=…."

Usage examples:

  • Q. In my network I have HTTP running on port 8008: how can I silence "Known Protocol on Non Standard Port" alerts?
    A. Add the following entry in the protos.txt file
    tcp:8008@HTTP
    Note that HTTP is the name of an existing protocol known to nDPI. Make sure the string case matches the existing protocol name. If the protocol name string does not exist, a new port-based protocol is defined in nDPI.
  • Q. My device 1.2.3.4 is old, and it has several cybersecurity issues (e.g. obsolete TLS ciphers). However the device is well protected in the network and thus such issues should be ignored. How can I silence them?
    A. Add the following entry in the protos.txt file (note: 0 means mask all exceptions)
    ip_risk_mask:1.2.3.4=0
  • Q. I see many DGA alerts for domain sms.it. How can I silence them?
    A. Add the following entry in the protos.txt file (note: 0 means mask all exceptions)
    host_risk_mask:".sms.it"=0
  • Q. In my network we have self-signed TLS certificates created with a custom CA. How can I tell nDPI not to generate these alerts?
    A. Open ntopng (or Wireshark) to see the issuer DN string inside the TLS flows, copy the string, and add a new line to the protos.txt file as follows:
    trusted_issuer_dn:"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US"
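
The four directive forms above are easy to get subtly wrong (typographic quotes pasted from a web page, an IPv6 address where only IPv4 is accepted, a port out of range), and nDPI gives little feedback. The following is an added example, not code from ntop or nDPI: a small linter that classifies each protos.txt line into one of the four directive types and flags the common mistakes. It assumes that mask values are decimal integers, that comment lines start with `#`, and that the sample file content is constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample protos.txt (not from the original post); the last two lines are deliberately wrong.
SAMPLE_PROTOS = """\
tcp:8008@HTTP
ip_risk_mask:1.2.3.4=0
host_risk_mask:".sms.it"=0
trusted_issuer_dn:"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US"
host_risk_mask:\u201d.example.org\u201d=0
ip_risk_mask:2001:db8::1=0
"""

PORT_RE = re.compile(r"^(tcp|udp):(\d{1,5})@(\S+)$")
IP_RE = re.compile(r"^ip_risk_mask:([^=]+)=(\d+)$")
HOST_RE = re.compile(r'^host_risk_mask:"([^"]+)"=(\d+)$')
DN_RE = re.compile(r'^trusted_issuer_dn:"([^"]+)"$')

def parse_line(line):
    """Classify one directive; returns (kind, payload) or ('error', reason)."""
    if "\u201c" in line or "\u201d" in line:
        return "error", "typographic quotes; protos.txt needs plain ASCII double quotes"
    if m := PORT_RE.match(line):
        port = int(m.group(2))
        if not 0 < port <= 65535:
            return "error", f"port {port} out of range"
        return "port", (m.group(1), port, m.group(3))
    if m := IP_RE.match(line):
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)  # bare host -> /32
        except ValueError:
            return "error", f"bad address {m.group(1)}"
        if net.version != 4:
            return "error", "ip_risk_mask currently supports only IPv4"
        return "ip_risk_mask", (str(net), int(m.group(2)))
    if m := HOST_RE.match(line):
        return "host_risk_mask", (m.group(1), int(m.group(2)))
    if m := DN_RE.match(line):
        return "trusted_issuer_dn", m.group(1)
    return "error", "unrecognised directive"

def lint_protos(text):
    """Parse every non-blank, non-comment line ('#' comments assumed); returns [(lineno, kind, payload)]."""
    results = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            results.append((n, *parse_line(line)))
    return results
```

Run `lint_protos(open("/etc/ntopng/protos.txt").read())` and review any entry whose kind is `error` before restarting ntopng.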

If you want to fully explore what you can define in the protos.txt file, please see this comprehensive example file that contains all the possible exceptions you can define.

Enjoy!