Say Hello to ntopng 4.2: Flexible Alerting, Major Speedup, Scada, Cybersecurity


We are pleased to introduce ntopng 4.2, which brings several new features and breakthroughs while consolidating the changes introduced with 4.0. The main goals of this release include:

  • Enhance and simplify how alerts are delivered to consumers
  • Many internal components of ntopng have been rewritten to improve overall performance, reduce system load, and process more data while using less memory than 4.0.
  • Cybersecurity extensions have been greatly enhanced by leveraging the latest nDPI enhancements, which enabled the creation of several user scripts that supervise many security aspects of modern systems.
  • Behavioral traffic analysis and lateral traffic movement detection for finding cybersecurity threats in traffic noise.
  • Initial Scada support, with IEC 60870-5-104 supported natively. We thank switch.ch for having supported this development.
  • Consolidation of Suricata and external alerts integration to further open ntopng to the integration of commercial security devices.
  • SNMP support has been enhanced in terms of speed, SNMPv3 protocol support, and variety of supported devices.
  • New REST API that enables the integration of ntopng with third-party applications such as CheckMK.

As the list of new features and enhancements is long, we plan to write new posts, make videos and organise online training sessions to introduce our community to this new release.

Flexible Alerts Handling

The way alerts are delivered to interested recipients has been completely reworked. Before version 4.2, all the generated alerts were delivered to all recipients, causing issues such as:

  • Recipients flooded with too many alerts
  • Recipients getting alerts they’re not interested in

For these reasons, we wanted to rethink and redesign the way alerts are delivered to recipients, as described in the user’s guide. We wanted to obtain enough flexibility to:

  • Avoid flooding recipients with too many unwanted alerts by introducing flexible alert delivery.
  • Selectively send alerts to a recipient subset based on:
    • Severity-based criteria (e.g., only send alerts with severity error or higher to that particular recipient)
    • Type-based criteria (e.g., only send security-related alerts to that particular recipient)

For example, the new delivery mechanism allows you to create policies such as:

  • Send security-related alerts to an Elasticsearch instance managed by the SecOps
  • Send network-related alerts via email to the NetOps
  • Send ntopng login attempts and configuration changes to the Discord channel of the DevOps
  • Send alerts with severity error or higher to SecOps, NetOps, and DevOps together

See this post for a comprehensive discussion and additional examples.
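To make the policy concrete, here is an added Python model of the severity- and type-based recipient filtering described above (not ntopng's own code; the recipient names, alert categories and severity scale are assumptions chosen to mirror the four example policies):

```python
# Added example, not ntopng code: a model of the per-recipient alert delivery
# policy described in the post. Recipient names, alert categories and the
# severity scale are assumptions chosen to mirror the post's four policies.
from dataclasses import dataclass

# Severity scale, lowest to highest (assumed; ntopng's exact levels may differ).
SEVERITY = {"info": 0, "notice": 1, "warning": 2, "error": 3, "critical": 4}
ANY = frozenset()  # empty category set means "any category"


@dataclass(frozen=True)
class Alert:
    name: str
    category: str  # e.g. "security", "network", "login", "config"
    severity: str


@dataclass(frozen=True)
class Rule:
    min_severity: str = "info"   # deliver at this severity or higher
    categories: frozenset = ANY  # restrict to these categories, or ANY

    def matches(self, alert: Alert) -> bool:
        if SEVERITY[alert.severity] < SEVERITY[self.min_severity]:
            return False
        return not self.categories or alert.category in self.categories


# Each recipient gets its type-based rule plus the shared "error or higher"
# rule, which is how the post's fourth policy reaches all three teams at once.
ERROR_OR_HIGHER = Rule(min_severity="error")
RECIPIENTS = {
    "secops-elasticsearch": [Rule(categories=frozenset({"security"})), ERROR_OR_HIGHER],
    "netops-email": [Rule(categories=frozenset({"network"})), ERROR_OR_HIGHER],
    "devops-discord": [Rule(categories=frozenset({"login", "config"})), ERROR_OR_HIGHER],
}


def route(alert: Alert, recipients=RECIPIENTS) -> list:
    """Return the recipients that should receive this alert (each at most once)."""
    return [name for name, rules in recipients.items()
            if any(rule.matches(alert) for rule in rules)]


if __name__ == "__main__":
    # Constructed sample alerts, not real ntopng output.
    samples = [Alert("suspicious DNS tunnel", "security", "warning"),
               Alert("interface down", "network", "error"),
               Alert("failed web login", "login", "notice")]
    for a in samples:
        print(f"{a.name}: {route(a)}")
```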

Scalable SNMP v2c/v3 support

This 4.2 release also carries an almost-completely rewritten SNMP engine. The new engine

  • Supports SNMP v2c and v3
  • Features SNMP bulk requests to greatly improve speed
  • Polls multiple devices in parallel to increase throughput

This is a great step forward compared to the SNMP engine featured in version 4.0 which was definitely slower.

With the new engine it is also possible to enforce SNMP attack mitigation: the administrative status of a switch port can be toggled to down when a malicious host is connected to it.

Additional New Features

Among the new features shipped with version 4.2, it is worth mentioning:

  • Traffic Behavioral Analysis
    • Periodic Traffic
    • Lateral Movements
    • TLS with self-signed certificates, issuerDN, subjectDN
  • Support for Industrial IoT and Scada with Modbus, DNP3 and IEC 60870
  • Active monitoring
    • Support for ICMP v4/v6, HTTP, HTTPS and native Speedtest for measuring the available bandwidth.
    • Ability to generate alerts when hosts or services are unreachable or slow.
  • Detection of unexpected servers
    • DHCP, NTP, SMTP, DNS.
  • Services map.
  • Enhanced nIndex integration to maximize flow dump performance and provide better flow drill-down features.
  • macOS package.

For a comprehensive list of features, changes, and fixes, have a look at the CHANGELOG.

So now it’s time for you to give version 4.2 a try! And feel free to join the discussion!