Discussions with users brought to light a series of conditions for which it would be desirable to have alerts generated:

- Detected application versions (e.g., SSH client / SSH server too old, OS outdated, vulnerable HTTP server).
- Traffic to/from blacklisted countries/continents.
- Augment malware alerts with the type of malware.
- Probing or server down alerts (unidirectional traffic).
- A host uploads/downloads a file larger than X bytes over SSH/HTTP/HTTPS.
- Network latency variations (thresholds / baselining).
- Active flows with potential issues (e.g., low throughput, retransmissions).

A more detailed description of each condition is given below.

## Detected application versions

With 34c5bce it is now possible to report the SSH client/server version. It would be nice to specify (under preferences, in a file or similar), for local hosts, the minimum protocol version we consider safe, and to trigger alerts if some local hosts are running old protocol versions. This way we can implement a minimal yet effective control over old software versions that can lead to security issues.

Soon this feature, currently available for SSH, should/will be implemented for other protocols such as HTTP (both server and browser version taken from the user-agent string) or OS version (e.g.

## Traffic to/from blacklisted countries/continents

As ntopng uses GeoIP, it knows what traffic belongs to what country. It is requested to define a list of blacklisted countries and to generate alerts when there is an access to any of the blacklisted countries. In inline mode (ntopng Edge) it is requested to implement block policies based on the same blacklist.

## Augment malware alerts with the type of malware

Even though those alerts are already supported, it is requested to selectively enable/disable them for any given host. See if it is possible to load a malware typology (such as C&C or Zeus or Dshield) from the downloaded blacklist files (e.g., )

## Probing or server down alerts (unidirectional traffic)

Probing or server down: 10.1.1.4 > ]

Generate (local) host alerts when those ratios significantly diverge from 1:1. Extend the current host/interface alert framework for emitting alerts when:

- The number of ICMP echo packets is over a threshold
- The number of ICMP port/destination unreachable packets is over a threshold (host only)
- The number of egress flows from the same client port towards remote hosts is over a threshold

## A host uploads/downloads a file larger than X bytes over SSH/HTTP/HTTPS

Implement a configurable alert when a host uploads/downloads a file larger than X bytes over SSH/HTTP/HTTPS.

## Network latency variations (thresholds / baselining)

For every host (interface / MAC) compute the network latency as it is now computed for Autonomous Systems. It would be desirable to generate an alert when the latency crosses a given threshold or when it deviates significantly from a baseline.

## Active flows with potential issues (e.g., low throughput, retransmissions)

Emit alerts when:

- The number of active flows with low throughput is over a threshold
- The number of active flows with low retransmissions etc. is over a threshold

For alert generation, extend the host alert min/5min/hour/daily mechanisms already present (/lua/host_a?page=alerts&tab=alert_settings).
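To make the requested conditions concrete, here is an added example (not ntopng code, and not from this issue) that evaluates four of them over constructed flow records: a minimum SSH version per host, a blacklisted-country match, a sent/received packet ratio diverging from 1:1, and a transfer larger than X bytes. The policy values, field names and sample records are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Policy settings: assumed values for the example, not ntopng defaults.
POLICY = {
    "min_ssh_version": (7, 4),        # oldest OpenSSH version considered safe
    "blacklisted_countries": {"XX"},  # constructed placeholder country code
    "ratio_tolerance": 0.2,           # rcvd/sent may deviate at most 20% from 1:1
    "max_transfer_bytes": 100_000_000,  # "X bytes" for SSH/HTTP/HTTPS transfers
}

_SSH_RE = re.compile(r"^SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)")

def ssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) parsed from an OpenSSH banner, or None if not OpenSSH."""
    m = _SSH_RE.match(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def evaluate_flow(flow: dict, policy: dict = POLICY) -> List[str]:
    """Return the list of alert names raised by one flow record (constructed schema)."""
    alerts = []
    for side in ("client_banner", "server_banner"):
        ver = ssh_version(flow.get(side, ""))
        if ver is not None and ver < policy["min_ssh_version"]:
            alerts.append("old_ssh_" + side.split("_")[0])
    if flow.get("country") in policy["blacklisted_countries"]:
        alerts.append("blacklisted_country")
    # Probing / server-down check: received vs sent packets should stay close to 1:1.
    sent, rcvd = flow["pkts_sent"], flow["pkts_rcvd"]
    ratio = rcvd / sent if sent else 0.0
    if abs(ratio - 1.0) > policy["ratio_tolerance"]:
        alerts.append("unidirectional_traffic")
    if flow["proto"] in ("SSH", "HTTP", "HTTPS") and flow["bytes"] > policy["max_transfer_bytes"]:
        alerts.append("large_transfer")
    return alerts

FLOWS = [  # constructed sample records, one per condition
    {"client": "10.1.1.4", "server": "10.1.1.5", "proto": "SSH", "country": "IT",
     "client_banner": "SSH-2.0-OpenSSH_5.3", "server_banner": "SSH-2.0-OpenSSH_8.2",
     "pkts_sent": 120, "pkts_rcvd": 118, "bytes": 45_000},
    {"client": "10.1.1.4", "server": "10.1.1.9", "proto": "TCP", "country": "IT",
     "client_banner": "", "server_banner": "", "pkts_sent": 40, "pkts_rcvd": 0, "bytes": 2_400},
    {"client": "10.1.1.7", "server": "203.0.113.8", "proto": "HTTPS", "country": "XX",
     "client_banner": "", "server_banner": "", "pkts_sent": 9000, "pkts_rcvd": 8800,
     "bytes": 250_000_000},
]

def evaluate_all(flows: List[dict] = FLOWS) -> Dict[str, List[str]]:
    """Map each 'client>server' pair to the alerts its flow raised."""
    return {f"{f['client']}>{f['server']}": evaluate_flow(f) for f in flows}
```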