Closed matteoluc closed 7 years ago
I downloaded and analyzed some .pcap files from the "malware-traffic-analysis" blog and I have noticed that ntopng gives some warnings both in the "flow" section next to the "L4 Proto" type by adding a yellow triangle next to TCP, and in the "Alert" section reporting "suspicious activity". In your slides "Network Security Using ntopng" I also saw a "Malware detected" alert.

Till now I have never seen these 3 warnings with the data I collect in the analyzed network; the only thing I get is the "blacklist host" alert. The sampling on the packets I analyze is 1:10000, so as not to overload the crossover routers. Could this be the problem behind the loss of information? Or am I wrong in configuring anything?

I have also seen that, with my data, in the "flows" section the "info" field of each flow is always empty, and furthermore in the "info" section of each DNS flow there isn't a "DNS query" field.

My aim is to detect malware in my network.

> I downloaded and analyzed some .pcap files from the "malware-traffic-analysis" blog and I have noticed that ntopng gives some warnings both in the "flow" section next to the "L4 Proto" type by adding a yellow triangle next to TCP,

Hover the mouse over the yellow triangle and it will give you the explanation. Alternatively, you can visit the flow "Info" page to get this information under "Flow Status".

> and in the "Alert" section reporting "suspicious activity".

The alert message describes the explanation as well.

> In your slides "Network Security Using ntopng" I also saw a "Malware detected" alert.

Currently, "Malware detected" alerts are no longer issued for flows because "Blacklisted Host" alerts are issued for both flow endpoints if they are blacklisted.

> I have also seen that, with my data, in the "flows" section the "info" field of each flow is always empty, and furthermore in the "info" section of each DNS flow there isn't a "DNS query" field.

If you do a 1:10000 sampling then very likely you missed the packets that are necessary to populate the "Info" field and thus it appears as empty. Remember that "Info" is populated with Deep Packet Inspection - extracted information.

Correction: the sampling done in my network is 1:1000. Why is the "info" field of each stream empty? (and I get only "blacklist host" warnings) For example, I noticed that the web filter "flashstart" can see the DNS queries; indeed, only there can I see them, whereas through ntopng's info I cannot. How can I fix this problem?

> Why is the "info" field of each stream empty? (and I get only "blacklist host" warnings)

If you do a 1:1000 sampling then very likely you missed the packets that are necessary to populate the "Info" field and thus it appears as empty. Remember that "Info" is populated with Deep Packet Inspection - extracted information.

If you use a pcap file, does the Info field get populated correctly?

Yes, with pcap the "info" field is full. So with the sampling, do I lose all info of all streams? What would be the recommended sampling?

> Yes, with pcap the "info" field is full.

This is expected.

> So with the sampling, do I lose all info of all streams?

Not necessarily all, but very likely a lot. If you just pick one packet out of 1000, how would you expect to get all the contents of every stream?

> What would be the recommended sampling?

If you want accurate deep packet inspection and thus get all the info fields populated, you should not do any sampling.

The strange thing is that with my data I have never seen either the "info" field populated or the previously quoted warnings, so it means I lose all this info. I'll do some tests by changing the number of discarded packets.

Could the problem be the version of the NetFlow flow? In my case I use NetFlow v5.

Deep packet inspection technology is only available when monitoring raw packets. It is technically not possible to do it on NetFlow because it does not contain raw monitored traffic packets.
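The maintainer's point about sampling can be made concrete with a small simulation. The following is an added example, not code from ntopng or from anyone in this thread: it builds a constructed, interleaved packet stream in which only the first packet of each flow carries the payload DPI needs (the DNS query name, the HTTP Host, the TLS SNI), applies deterministic 1:N packet sampling as a router would before exporting, and measures two things: the fraction of flows that are seen at all (enough for an address-based "Blacklisted Host" alert) and the fraction whose Info-bearing packet survived (needed to fill the "Info" field). The flow sizes and the "first packet carries the info" assumption are constructed simplifications.

```python
import random
from dataclasses import dataclass


@dataclass
class Packet:
    flow_id: int
    carries_dpi_info: bool  # True for the one packet DPI needs (query name, Host, SNI)


def build_traffic(n_flows: int, seed: int = 1) -> list:
    """Constructed traffic: every flow has 2..40 packets and only its first
    packet carries the payload that populates ntopng's Info field."""
    rng = random.Random(seed)
    packets = []
    for fid in range(n_flows):
        for i in range(rng.randint(2, 40)):
            packets.append(Packet(fid, carries_dpi_info=(i == 0)))
    rng.shuffle(packets)  # interleave flows as they would be on a real link
    return packets


def sample(packets: list, rate: int) -> list:
    """Deterministic 1:rate packet sampling (keep every rate-th packet)."""
    if rate <= 1:
        return list(packets)
    return packets[rate - 1::rate]


def flows_observed(packets: list, rate: int) -> float:
    """Fraction of flows for which at least one packet survived sampling.
    Address-only checks such as a blacklisted-host alert need only this."""
    flows = {p.flow_id for p in packets}
    seen = {p.flow_id for p in sample(packets, rate)}
    return len(seen) / len(flows)


def info_coverage(packets: list, rate: int) -> float:
    """Fraction of flows whose Info-bearing packet survived sampling.
    DPI-derived fields (DNS query, Host, SNI) are only available for these."""
    flows = {p.flow_id for p in packets}
    seen = {p.flow_id for p in sample(packets, rate) if p.carries_dpi_info}
    return len(seen) / len(flows)


# Constructed sample: 5000 flows, roughly 100k packets.
TRAFFIC = build_traffic(5000)

if __name__ == "__main__":
    print(f"{'rate':>8} {'flows seen':>12} {'info filled':>12}")
    for rate in (1, 10, 100, 1000, 10000):
        print(f"1:{rate:<6} {flows_observed(TRAFFIC, rate):>12.3%} "
              f"{info_coverage(TRAFFIC, rate):>12.3%}")
```

Unsampled, every flow is seen and every Info field is filled. At 1:1000 only a few percent of flows are seen at all, and the Info field is populated for roughly one flow in a thousand, which is why address-based blacklist alerts still fire while DPI-derived fields and the suspicious-activity flow warnings that depend on them effectively disappear.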