ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Feature Request - Exclude lists for checks should be way more flexible #6148

Open solarexpedition opened 2 years ago

solarexpedition commented 2 years ago

As we are working with ntopng for some months now, we think more flexible exclude lists in ntopng would massively help to narrow down the amount of alarms. At the moment, in a network with a lot of traffic, it is almost impossible to configure an alarming system which does not produce thousands of alarms every day.

Some ideas:

  1. It should be possible to list excludes line by line, and not only by comma. This would be more readable by humans.
  2. It should be possible to add comments (for example with a # in front of the line), because a list of IPs does not explain why an IP is excluded.
  3. It should be possible to add ports too, as for example something on an IP on a specific port is OK, but on another port not. Otherwise with an IP exclude, everything on an IP is excluded, even if several applications on the host would trigger similar problems.
  4. It would be nice if one can limit alarms only to connections from local -> local, local -> remote, remote -> local, remote -> remote. Like this I could for example analyze all TLS issues in my network, but won't get alarms for systems in the internet.
  5. It would be really very helpful if there exists way more documentation on how these checks work, and which combinations in the protocols will trigger alarms for them.
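A sketch of the exclude-list semantics asked for in items 1 to 4 (one entry per line, `#` comments, optional port, a direction filter), written as an added example for this thread. It is not ntopng's code or its real exclude-list format; the syntax, the `Rule` type and the alert dictionary shape are assumptions made here to show how such a filter would decide whether an alert is raised.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Hypothetical syntax modelled on the request: one entry per line, "#" comments,
# optional ":port" on IPv4 hosts, CIDR for subnets. Not ntopng's actual format.
EXCLUDE_LIST = """
# Vulnerability scanner: expected to trip behavioural checks on every port
10.0.0.5
# Reverse proxy: only its HTTPS listener is known-good, other ports still alert
192.168.1.10:443
# Guest subnet
172.16.0.0/16
"""

@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    port: int | None  # None means every port on that host/subnet

def parse_exclude_list(text: str) -> list[Rule]:
    """Skip blank lines and comments; accept host, host:port or CIDR entries."""
    rules = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not entry:
            continue
        port = None
        if entry.count(":") == 1:  # IPv4 host:port (IPv6 would need [addr]:port)
            entry, port_text = entry.rsplit(":", 1)
            port = int(port_text)
            if not 0 < port < 65536:
                raise ValueError(f"invalid port in exclude entry {raw!r}")
        rules.append(Rule(ipaddress.ip_network(entry, strict=False), port))
    return rules

def is_excluded(rules: list[Rule], ip: str, port: int) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in r.network and r.port in (None, port) for r in rules)

def direction(src_local: bool, dst_local: bool) -> str:
    side = {True: "local", False: "remote"}
    return f"{side[src_local]}->{side[dst_local]}"

def should_alert(alert: dict, rules: list[Rule], scopes: set[str]) -> bool:
    """Raise only if the flow direction is in scope and no endpoint is excluded."""
    return (direction(alert["src_local"], alert["dst_local"]) in scopes
            and not is_excluded(rules, alert["src_ip"], alert["src_port"])
            and not is_excluded(rules, alert["dst_ip"], alert["dst_port"]))
```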
lucaderi commented 1 year ago

  1. implemented
  2. no longer necessary
  3. good idea
  4. good idea
  5. did you look at our user's guide?

solarexpedition commented 1 year ago

2. I can see the comment field on some checks, but in the checks where I put a list of IPs, comments are not possible.
5. Yes I did. Actually 156 behavioural checks are implemented in ntop. In the user's guide from nDPI I can find only documentation for 45 checks. It would be very helpful if there are also more examples, like what kind of network traffic, sample packets and thresholds trigger such an alert. I miss useful information here and some education on how to use and configure these checks.