ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

The ntopng alert function like Cisco ACL settings with WhiteList #8696

Open Yoshihiro-jp opened 1 month ago

Yoshihiro-jp commented 1 month ago

**What would you like to add or change?**: Add an alert and the ability to execute the user's own script in ntopng when traffic not listed in a whitelist is detected, like a Cisco ACL.

【Support Protocol in the Whitelist】
1. ARP
2. ICMP
3. UDP

Note: No need to support TCP; the environment has no TCP traffic. They want to check only ARP, ICMP and UDP traffic.

【Whitelist format】
PROTOCOL:SRC_ADDR:DST_ADDR:DST_PORT

Note: DST_PORT is mandatory when the protocol in the whitelist is UDP.

【Whitelist examples】
Example Whitelist#1
~~~
#layer2
ARP:10.10.10.1:10.10.10.2
#layer3
ICMP:10.10.10.1:10.10.10.2
#layer4
UDP:10.10.10.1:10.10.10.2:123
~~~
If the above lines are all set in the whitelist, it works as below.
1. If any ARP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 is detected, trigger an alert (execute shell script).
2. If any ICMP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 is detected, trigger an alert (execute shell script).
3. If any UDP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 and port number udp/123 is detected, trigger an alert (execute shell script).

Example Whitelist#2
~~~
#layer2
#layer3
#layer4
UDP:10.10.10.1:10.10.10.2:123
~~~
1. If any UDP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 and port number udp/123 is detected, trigger an alert (execute shell script).
2. If any ARP traffic is detected, trigger an alert (execute shell script).
3. If any ICMP traffic is detected, trigger an alert (execute shell script).

Note: No alert would be triggered if traffic using a protocol other than ICMP, UDP and ARP is detected. Examples: No alert would be triggered if traffic with protocol number 132 (SCTP) is found. No alert would be triggered if traffic with protocol number 47 (GRE) is found.

**Why do you and others need this?**: Our client's request.
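
The whitelist format and alert semantics requested above, implemented as an added example. This is not ntopng code and not the reporter's; the `Rule`/`Packet` classes, the `parse_whitelist`, `should_alert`, `alert_command` and `evaluate` helpers, the `/usr/local/bin/on_alert.sh` script path and the sample packets are all assumptions made here for illustration. It applies the rules exactly as stated: only ARP, ICMP and UDP are checked, a UDP line without DST_PORT (including an empty wildcard field) is rejected at parse time, and other protocols such as SCTP or GRE never alert.

```python
"""Whitelist matcher for the ARP/ICMP/UDP scheme proposed in this issue.

Added example (not ntopng code): parses PROTOCOL:SRC_ADDR:DST_ADDR[:DST_PORT]
lines and decides which observed packets should raise an alert.
"""
from dataclasses import dataclass
from typing import List, Optional

# Only these protocols are checked against the whitelist; anything else
# (TCP, SCTP/132, GRE/47, ...) is ignored, as the issue requests.
CHECKED_PROTOCOLS = {"ARP", "ICMP", "UDP"}


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    dst: str
    dport: Optional[int]  # set only for UDP rules


@dataclass(frozen=True)
class Packet:
    """Minimal view of an observed packet (assumed shape, not an ntopng type)."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None  # UDP destination port; None for ARP/ICMP


def parse_whitelist(text: str) -> List[Rule]:
    """Parse whitelist text; '#' lines are comments. Raises ValueError on bad lines.

    Addresses are compared as literal strings (IPv4 only, since ':' is the separator).
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        proto = fields[0].upper()
        if proto not in CHECKED_PROTOCOLS:
            raise ValueError(f"line {lineno}: unsupported protocol {fields[0]!r}")
        if proto == "UDP":
            # DST_PORT is mandatory for UDP; an empty field (a wildcard) is rejected.
            if len(fields) != 4 or not fields[3].isdigit() or not 0 <= int(fields[3]) <= 65535:
                raise ValueError(f"line {lineno}: UDP rule must be UDP:SRC_ADDR:DST_ADDR:DST_PORT")
            dport: Optional[int] = int(fields[3])
        else:
            if len(fields) != 3:
                raise ValueError(f"line {lineno}: {proto} rule must be {proto}:SRC_ADDR:DST_ADDR")
            dport = None
        rules.append(Rule(proto, fields[1], fields[2], dport))
    return rules


def should_alert(pkt: Packet, rules: List[Rule]) -> bool:
    """True when the packet is ARP/ICMP/UDP and no whitelist rule matches it exactly."""
    if pkt.proto not in CHECKED_PROTOCOLS:
        return False
    return not any(
        r.proto == pkt.proto and r.src == pkt.src and r.dst == pkt.dst and r.dport == pkt.dport
        for r in rules
    )


def alert_command(pkt: Packet, script: str) -> List[str]:
    """argv for the user's alert script. Hand this list to subprocess.run(),
    never a shell string, so addresses seen on the wire cannot inject commands."""
    return [script, pkt.proto, pkt.src, pkt.dst, "" if pkt.dport is None else str(pkt.dport)]


def evaluate(packets: List[Packet], rules: List[Rule]) -> List[Packet]:
    """Return the packets that would trigger an alert."""
    return [p for p in packets if should_alert(p, rules)]


# Example Whitelist#1 and #2 from the issue.
WHITELIST_1 = """\
#layer2
ARP:10.10.10.1:10.10.10.2
#layer3
ICMP:10.10.10.1:10.10.10.2
#layer4
UDP:10.10.10.1:10.10.10.2:123
"""
WHITELIST_2 = """\
#layer2
#layer3
#layer4
UDP:10.10.10.1:10.10.10.2:123
"""

# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("ARP", "10.10.10.1", "10.10.10.2"),        # whitelisted in #1 only
    Packet("ARP", "10.10.10.3", "10.10.10.2"),        # never whitelisted
    Packet("ICMP", "10.10.10.1", "10.10.10.2"),       # whitelisted in #1 only
    Packet("UDP", "10.10.10.1", "10.10.10.2", 123),   # whitelisted in both
    Packet("UDP", "10.10.10.1", "10.10.10.2", 53),    # wrong port
    Packet("SCTP", "10.10.10.1", "10.10.10.9"),       # protocol 132: ignored
    Packet("GRE", "10.10.10.1", "10.10.10.9"),        # protocol 47: ignored
]

if __name__ == "__main__":
    for name, text in (("Whitelist#1", WHITELIST_1), ("Whitelist#2", WHITELIST_2)):
        for p in evaluate(SAMPLE_PACKETS, parse_whitelist(text)):
            print(name, "ALERT", alert_command(p, "/usr/local/bin/on_alert.sh"))
```

Running the block prints two alerts for Whitelist#1 (the foreign ARP source and udp/53) and four for Whitelist#2 (both ARP packets, the ICMP packet and udp/53); the SCTP and GRE packets never appear. Matching is an exact tuple comparison, which is what makes a wildcard port impossible to express without a parser change.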
lucaderi commented 1 month ago

@Yoshihiro-jp Do you need us to support wildcards (meaning any port)? Example UDP:10.10.10.1:10.10.10.2: ?

Yoshihiro-jp commented 1 month ago

> @Yoshihiro-jp Do you need us to support wildcards (meaning any port)? Example UDP:10.10.10.1:10.10.10.2: ?

Dear @lucaderi

No need to support the wildcards. He would write all IP addresses in the whitelist.

regards, Yoshihiro