All Blog Posts

News

ntopConf2022: News, Announcements and Future Plans

Last week the ntopConf 2022 was held in presence in Milan at Bocconi University and about 100 people attended it. Presentation material including slides and videos are available at the conference page so even if you have missed this event you can see what happened and presented. On a nutshell: This July we will release new software versions including a major nProbe 10 release. We are modifying our tools to accommodate the SaaS model as some of our users provide services and we want to simplify their lives. We are …
nDPI

How to Configure Flow Risk Exclusions in nDPI and ntopng

Flow risks are the mechanism nDPI implements for detecting issues in network traffic whose theoretical design is documented in this paper Using Deep Packet Inspection in CyberTraffic Analysis we have written last year. While we are reworking the definition of risk exceptions in ntopng to make them fully configurable with a matter of clicks, you can easily configure risk exceptions by adding them to a protos.txt file. Such file can be passed to ntopng on the configuration file by adding a line such as --ndpi-protocols=/etc/ntopng/protos.txt and creating the /etc/ntopng/protos.txt file. …
ntop

Best Practices for Using ntop Tools on Containers

Many people use software containers to simplify application deployment. As you know ntop tools are also available on docker hub for quick deployment using Docker or other container management tools such as Portainer or Kubernetes. When using containers, there are a few things to keep in mind: Service Persistency ntopng relies on third party services such as Redis (required) and InfluxDB (optional) to operate. In order not to loose information at container restart, you need to persistently store data or configure ntop tools to rely on such services on an …
Cybersecurity

How ntopng monitors IEC 60870-5-104 traffic

Busy times for OT analysts. Last month the number of known OT (operational technology) malware increased from five to seven. First malware discovered is Industroyer2 which was caught in the Ukraine. As nowadays popular, security companies name the malware they discover. That is why for the second malware two names were assigned, Incontroller or Pipedream. This malware was discovered before it was deployed. Industroyer2 [1] is an evolution of Industroyer1, first seen in 2014. Both variants are targeting the electrical energy sector, specifically in Ukraine. As the malware is using …
ntop

Registration for ntopConf 2022 (June 23-24) is now Open

This year the ntop community will meet in Milan, Italy on June 23-24. Conference will take place the first day, whereas the second day will be used for training. We’ll be talking about network traffic monitoring, cybersecurity, and discuss future roadmap items. It is a good chance to get together after pandemic restrictions, as well for us to meet our community. You can read more about this event and read the program at this page where you can also find the registration link. Note: this is a free (no cost) …
nProbe

HowTo Use TLS for Securing Flow Export/Collection

One of the main limitations of flow-based protocols such as IPFIX and NetFlow is that the traffic is sent in cleartext. This means that it can be observed in transit and that it is pretty simple to send fake flow packets that can then pollute the collected information. As of today, unencrypted protocols need to be avoided and thus some workarounds to this problem need to be identified. Often people use VPNs to export flows, but this is not a simple setup with cloud services or on complex networks, so …
PF_RING

How PF_RING is Used to Fight Internet Censorship: Refraction Networking

Internet censorship is a global phenomenon (see Figure 1) that aims to throttle or entirely block access to certain Internet resources. National or regional governments impose Internet censorship by using sophisticated networking appliances—strategically placed at the edge of their networks at various Internet inter-connection points—capable of inspecting and discarding network packets destined to sites with restricted content. Users that try to evade censorship have traditionally relied on techniques based on “domain fronting” and VPNs. However, these censorship circumvention tools are increasingly becoming harder to deploy and do not offer strong …
Announce

ntop Conference 2022: Call for Speakers

This is to announce the dates of the ntop conference 2022 that will take place in Milan at UniBocconi: June 23rd conference, 24th training. We are currently looking for speakers as we want to hear your voice. Topics include (but are not limited to): Cybersecurity IoT monitoring Integration of Kibana/Grafana/CheckMK/Nagios with ntop tools Attacks and DDoS Sharing of experience monitoring networks using ntop tools Encrypted traffic analysis Deep Packet Inspection All details are available at this page. …
ntop

ntop Professional Training: May 2022

This is to announce that the next ntop professional training will take place in May 2022. All those who are using ntop tools for business are invited to attend this session. The idea is to divide the training in 5 session of 90 minutes each, so that you can attend the training without having to leave your daily activities. At this page can read more about training content, costs, and registration information Make sure to join it ! …
ntopng

How We Simplified Data Search in ntopng

ntopng users are familiar with the search box present at the top of each page. It was originally designed to find hosts and jump to their details page. Over the years we have added a lot of new information in ntopng, and limiting its scope only to hosts was not a good idea. The image below is how we have improved it. In the new search we do not limit our scope to hosts but to everything inside ntopng, as a a mini embedded search engine. The first column shows …
ntopng

Dispatching Alerts: How to Master Notifications in ntopng

Alerts in ntopng are the result of traffic analysis based on checks. Checks detect that specific indicators on traffic require attention: for instance a host whose behavioural score has exceeded a given threshold or a flow that is exfiltrating data. Checks process traffic information with respect to a specific Network element, and for this reason they are divided into families (e.g. host, interface, flow, …). Regardless of the family, they can cover a security aspect, or they can monitor the network performance, for this reason they belong to different categories …
Cybersecurity

Incident Analysis: How to Correlate Alerts with Flows and Packets

In incident analysis it is important to provide evidence of the problem  at various level of details: Alerts Alerts are the result of traffic analysis (in ntopng based on checks) that have detected specific indicators in traffic that triggered the alert. For instance a host whose behavioural score has exceeded a given threshold or a flow that has is exfiltrating data. Flows Are the result of aggregation of packets belonging to the same connection and are used to compute alerts. Packets This is the most granular data that contains evidence …