All Blog Posts

cento

Introducing nProbe Cento 1.12: Combining Visibility and Cybersecurity at 100 Gbit

This is to announce the release of cento 1.12, a maintenance release for ntop’s 100 Gbit probe. In this version we have integrated support for the latest nDPI features to combine processing speed with the latest innovations in application detection and cybersecurity. Cento’s JSON output has been greatly enhanced and now includes all the nDPI-dissected information, streaming JSON-based data to Kafka or ElasticSearch/Syslog consumers. This makes cento useful for cybersecurity analysis, combining visibility and security at 100 Gbit. Enjoy! Changelog New Features Core engine …
n2disk

Introducing n2disk 3.6: full L7 support, fast flow export, replay rate control

This is to announce the new n2disk release 3.6. This release adds full support for indexing and retrieving traffic based on the Layer-7 application protocol. This can now be enabled even when flow export is disabled, and it is possible to use the extraction tool to extract selected application traffic by specifying the Layer-7 protocol as part of the nBPF filter. n2disk is now also able to use the main storage as a cache and, in the meantime, archive pcap files by moving them from the fast storage to a slower one, even …
ntop

Introducing PF_RING 7.8: ZC support for new Intel adapters and much more

This is to announce the new PF_RING major release 7.8. The main changes in this release include: the new ice ZC driver supporting E800 Series 100 Gigabit Intel adapters; hardware timestamp support for packet trailers and keyframes generated by Arista 7150 Series and Metawatch, which also includes device information such as the Device ID and the Port ID; BPF support for all ZC devices and queues, to filter both received and transmitted traffic; ZC API extensions to further simplify its use, which is one of the main advantages of this …
nDPI

Released nDPI 3.4: increased detection speed, statistical analysis, fuzzing, cybersecurity

This is to announce the release of nDPI 3.4, which is a major step ahead with respect to 3.2: detection speed has been greatly optimised; many new functions for statistical protocol analysis have been introduced, expanding nDPI into traffic analysis beyond simple flow-based analysis; fuzzing and code analysis (credits to catenacyber and lnslbrty) made nDPI more stable and robust than ever; the QUIC dissector has been completely rewritten (credits to IvanNardi) with support for the latest protocol versions; 24 security risks have been added for speeding up the adoption of nDPI in …
ntopng

A Step-by-Step Guide on How to Write a ntopng Plugin from Scratch

In ntopng you can write plugins to extend it with custom features. This short tutorial explains how to do that step by step. Here we walk you through the creation of a plugin that generates alerts when an unexpected DNS server is observed: this is useful to spot hosts that have a custom DNS configured, or scanner applications. The plugin source code described in this post can be found here and has been authored by Daniele Zulberti and Luca Argentieri. These are the steps to implement the plugin. Step 1: …
ntop

Using ElasticSearch to Store and Correlate Ntopng Alarms

With the introduction of ntopng endpoints and recipients, it is now possible to handle alerts flexibly by means of recipients. ntopng embeds a SQLite database for turn-key alert storage and reporting. However, in large organizations with many alerts, the scalability of this solution is limited due to the limited number of records (16k) that can be handled. In the latest ntopng 4.1.x versions it is now possible to export alerts to an external ElasticSearch database (not available in the community edition). This post shows you how to use …
ntopng

Using ntopng Recipients and Endpoints for Flexible Alert Handling

In the latest ntopng 4.1.x versions (and soon 4.2) we have completely reworked the way alerts are delivered to subscribers. Up to 4.0 the ntopng engine was configured in a single way for all alerts: go to the preferences page and specify where to deliver alerts. This was suboptimal for many reasons, including the fact that it was not possible to send alerts to different recipients on different channels, or to selectively decide when to send alerts out. For this reason we have introduced the concept of Endpoints server account configuration where …
nDPI

How Great Hashing Can (More Than) Double Application Performance

Most ntop applications (ntopng, nProbe, Cento) and libraries (FT) are based on the concept of flow processing, which simply means keeping track of all network communications. In order to implement this, network packets are decoded and, based on a “key” (usually a 5-tuple consisting of protocol and src/dst IP and port), clustered into flows (other keys such as VLAN can be added if necessary). This usually requires a lookup in a hash table, using a hash function to translate the key into an index for an array with collision …
nDPI

How to Dump, Index, and Layer-7 Filter Network Traffic at High Speed

n2disk is an application that many in the ntop community use to dump traffic at up to 100 Gbit. What few people know is that n2disk can index data not just using packet header information (i.e. IP, port, VLAN, MAC…) but also using nDPI to produce an index that contains application protocol information. This filtering can happen: during packet capture (i.e. instruct n2disk to avoid dumping specific protocols such as Netflix or YouTube that take up a lot of disk space and that are usually harmless), or while extracting packets from stored …
News

September Webinars: ntopng Scripting and API Integrations

Save the date! Two webinars have been planned for this month’s cycle. We start on Thursday, September 17th, 16:00 CEST / 10 AM EST, with “How to Write an ntopng Plugin”. In this workshop, we will see how to create an ntopng Lua plugin to generate alerts and update the ‘score’ indicator of compromise for hosts and flows accordingly. During the workshop, we will walk the audience through a typical workflow which can then be reused to write any kind of plugin. We will start with a simple …
nDPI

Monitoring Industrial IoT/Scada Traffic with nDPI and ntopng

Monitoring Industrial IoT and SCADA traffic can be challenging, as most open source monitoring tools are designed for Internet protocols. As this is becoming a hot topic with companies automating production lines, we have decided to enhance ntop tools to provide our user community with traffic visibility even in industrial environments. This has required enhancing nDPI to detect these protocols and enhancing ntopng, our monitoring console, to visualize this traffic by providing enhanced protocol dissection on top of which alerts can be triggered. To date, nDPI supports modbus, DNP3 and …
Cybersecurity

How Attack Mitigation Works (via SNMP)

One of the greatest strengths of ntopng is its ability to correlate data originating at different layers and from multiple sources. For example, ntopng can look at IP packets and Ethernet frames and, at the same time, poll SNMP devices. This enables ntopng to effectively perform correlations and observe: the behavior of IP addresses (e.g., is this IP known to be blacklisted?); the MAC addresses carrying IP traffic around the network; the physical location of the MAC addresses (i.e., the physical switches traversed by a given MAC address along with …