ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Implementing core Internet resources misuse script #4984

Closed lucaderi closed 3 years ago

lucaderi commented 3 years ago

One of the core Internet principles is that the use of some basic services such as NTP servers, printers.... is limited. This means for instance that unless a host is an SMTP server, the number of SMTP servers a host can contact is limited to a few hosts (<5 let's say). In the example below this host has contacted 150+ SMTP servers and this is clearly a problem.

It is requested to create a plugin that can monitor NTP, SMTP, DNS (more will follow) server connections and set a threshold on each of them. This is going to be a host script.

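The detection logic the issue asks for, as an added example that is not part of the issue and not ntopng's own host script (which would be written against ntopng's Lua API rather than in Python): count the distinct servers each host contacts per protocol, exempt hosts that are themselves seen serving that protocol, and raise an alert when a host exceeds a per-protocol threshold. The flow records and the thresholds (5 per protocol) are constructed for the example and are assumptions, not values from the issue or the referenced pcap.

```python
from collections import defaultdict

# Constructed sample flows for this example (client_ip, server_ip, l7_proto);
# they are not taken from the issue or from the referenced pcap.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"203.0.113.{i}", "SMTP") for i in range(1, 8)]     # 7 distinct SMTP servers
    + [("10.0.0.5", "203.0.113.1", "SMTP")]                            # repeat: same server, must not double count
    + [("10.0.0.5", "198.51.100.1", "DNS"), ("10.0.0.5", "198.51.100.2", "DNS")]
    + [("10.0.0.9", f"203.0.113.{i}", "SMTP") for i in range(10, 18)]  # 8 servers, but 10.0.0.9 is itself an MTA
    + [("10.0.0.3", "10.0.0.9", "SMTP")]                               # this flow makes 10.0.0.9 an SMTP server
    + [("10.0.0.7", f"192.0.2.{i}", "NTP") for i in range(1, 4)]       # 3 NTP servers: within limits
)

# Assumed per-protocol limit on how many distinct servers a non-server host
# may contact before an alert is raised (the issue suggests "<5 let's say").
DEFAULT_THRESHOLDS = {"SMTP": 5, "NTP": 5, "DNS": 5}


def contacted_servers(flows):
    """Map client -> proto -> set of distinct servers the client contacted."""
    seen = defaultdict(lambda: defaultdict(set))
    for client, server, proto in flows:
        seen[client][proto].add(server)
    return seen


def server_roles(flows):
    """Map host -> set of protocols for which the host was seen as the server side."""
    roles = defaultdict(set)
    for _client, server, proto in flows:
        roles[server].add(proto)
    return roles


def detect_misuse(flows, thresholds=DEFAULT_THRESHOLDS):
    """Return sorted (host, proto, distinct_servers, threshold) tuples for every
    host that contacts more distinct servers of a protocol than allowed.

    Hosts that themselves act as a server of that protocol are skipped, so a
    legitimate mail relay talking to many MTAs does not trigger the SMTP rule.
    """
    seen = contacted_servers(flows)
    roles = server_roles(flows)
    alerts = []
    for host, per_proto in seen.items():
        for proto, servers in per_proto.items():
            limit = thresholds.get(proto)
            if limit is None:            # protocol not monitored
                continue
            if proto in roles.get(host, set()):  # host legitimately serves this protocol
                continue
            if len(servers) > limit:
                alerts.append((host, proto, len(servers), limit))
    return sorted(alerts)


if __name__ == "__main__":
    for host, proto, n, limit in detect_misuse(SAMPLE_FLOWS):
        print(f"ALERT {host}: contacted {n} distinct {proto} servers (limit {limit})")
```

Counting distinct servers rather than flows is what makes the check robust: a workstation retrying the same mail server a hundred times is noise, while a spambot fanning out to many MTAs is not. The server-role exemption mirrors the issue's "unless a host is a SMTP server" clause; in a real deployment you would also want an explicit allow-list for known relays and resolvers rather than inferring roles from traffic alone.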

lucaderi commented 3 years ago

Use https://www.malware-traffic-analysis.net/2020/12/07/index.html with 2020-12-07-Qakbot-with-Cobalt-Strike-and-spambot-activity.pcap.zip for reproducing it

lucaderi commented 3 years ago

This ticket will trigger an alert on a host that will stay open and will be automatically acknowledged once #4293 is implemented.

lucaderi commented 3 years ago

I see several issues in the current code

martinscheu commented 3 years ago

Hi @MatteoBiscosi in my tests the outcome is correct.

MatteoBiscosi commented 3 years ago

Hi @martinscheu , great! thank you for your feedback.