How to Detect Malware Hosts and Scanners Using ntopng


Hosts directly connected to the Internet are often contacted by scanners and malware hosts. For a few releases now, ntopng has integrated a blacklist that is refreshed daily. Whenever a host on this list contacts your ntopng instance, an alert is triggered and displayed among the flow alerts.

This feature lets you see who has contacted you, usually with bad intentions. If instead you want to see in real time which blacklisted hosts are contacting you, open the Hosts menu and select “Blacklisted Hosts”, as shown in the picture below.

If you want to see in detail what these hosts did to you, you can drill down to flow level using the flow index (don’t forget to start ntopng with “-F nindex”), which shows the flows reported between your host and the scanner.

As you can guess from the above picture, the scanner is probing ports: ntopng reports one-packet TCP flows and, in return, an ICMP flow that will most likely carry port unreachable messages. To verify this, if you have enabled continuous traffic recording with ntopng, you can click the pcap extract icon, which extracts the packets of the above conversations between your host and the scanner. ntopng opens a dialog window already filled with the scanner IP address and the timeframe of your search; at this point just click the extract button.
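The probe pattern described above (many one-packet TCP flows from one source to distinct ports, answered by an ICMP port-unreachable flow) written out as detection logic over flow records, as an added example that is not code from ntopng or from this post. The flow records, IP addresses and blacklist are constructed to resemble what the flow index shows, and the Flow class and find_scanners function are our own names, not an ntopng API.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "TCP", "UDP" or "ICMP"
    dst_port: int         # 0 for ICMP
    packets: int
    icmp: tuple = (-1, -1)  # (type, code); only meaningful for ICMP flows

# Constructed sample records, modelled on what the ntopng flow index shows for a
# probing host: one-packet TCP flows to many ports and one ICMP flow back.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", "TCP", p, 1)
    for p in (22, 23, 80, 443, 445, 3389, 8080, 8443)
] + [
    Flow("192.0.2.10", "203.0.113.7", "ICMP", 0, 8, icmp=(3, 3)),  # port unreachable
    Flow("198.51.100.4", "192.0.2.10", "TCP", 443, 42),   # an ordinary HTTPS session
    Flow("192.0.2.10", "198.51.100.4", "TCP", 51234, 40), # ... and its return half
]
BLACKLIST = {"203.0.113.7"}   # constructed stand-in for ntopng's daily-refreshed list

def find_scanners(flows, min_ports=5, blacklist=frozenset()):
    """Return {scanner_ip: details} for sources whose traffic to one destination
    looks like a port probe: many one-packet TCP flows to distinct ports, ideally
    confirmed by an ICMP port-unreachable (type 3, code 3) flow going back."""
    probed = defaultdict(set)   # (src, dst) -> ports hit with a single packet
    port_unreach = set()        # (victim, scanner) pairs that answered ICMP 3/3
    for f in flows:
        if f.proto == "TCP" and f.packets == 1:
            probed[(f.src, f.dst)].add(f.dst_port)
        elif f.proto == "ICMP" and f.icmp == (3, 3):
            port_unreach.add((f.src, f.dst))
    result = {}
    for (src, dst), ports in probed.items():
        if len(ports) >= min_ports:
            result[src] = {
                "target": dst,
                "ports": sorted(ports),
                "icmp_port_unreachable_seen": (dst, src) in port_unreach,
                "blacklisted": src in blacklist,
            }
    return result

if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_FLOWS, blacklist=BLACKLIST).items():
        print(ip, info)
```

The ordinary HTTPS session is left alone because its flows carry many packets; only the single-packet probes to distinct ports count towards the threshold.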

ntopng will then return a pcap file via HTTP that you can open with Wireshark to see evidence of what really happened.

We have done our best to simplify the whole investigation path and spare you the command line: everything happens inside ntopng with a few mouse clicks.

Happy scanner hunting!