    ntopng helping you troubleshoot

    Off-Topic & Non-Support Discussion
    • M
      michmoor last edited by

      Hey everyone,
      Curious as to how many of you out there have used ntopng in order to further troubleshoot issues specifically around Suricata/Snort.

      So to explain the setup, I have Suricata alerts sent to a syslog server (Graylog), from where I create Event Notifications. So for every trigger I get an email alert. Helps with addressing issues as close to real-time as possible. So today I received an alert:

      SURICATA TLS invalid handshake message
      

      I don't have any SIEM or pcap engine so this message is not very useful. I knew the hosts making the connection. Looked up the EVE log in Graylog. Still it wasn't clear what the heck was wrong.
      So I have ntopng running on the box so I decided to do some digging. There is an alerts tab. I checked it out and zoomed in on the timeframe of the Suricata alert. Wouldn't you know it, ntopng also didn't like the flow of that traffic either but gave a much more descriptive

      Other Issues Application on Non-Standard Port  [Score: 100] [TLS Certificate Validity: 04/12/2022 23:20:51 - 07/15/2024 23:20:51] [Main Direction: Srv  Cli], Missing TLS SNI  [Score: 100] [TLS Certificate Validity: 04/12/2022 23:20:51 - 07/15/2024 23:20:51] [Main Direction: Srv  Cli], Too Long TLS Certificate Validity  [Score: 100] [TLS Certificate Validity: 04/12/2022 23:20:51 - 07/15/2024 23:20:51] [Main Direction: Srv  Cli], TLS not carrying HTTPS  [Score: 100] [TLS Certificate Validity: 04/12/2022 23:20:51 - 07/15/2024 23:20:51] [Main Direction: Srv  Cli]
      

      As you can see, NTOPNG is much more descriptive regarding the problem. I was able to very easily rule out this alert and suppress it.

      ntopng. Have you used it? What is the overall usefulness of it for you? In my case it was very useful. Curious to see how it works for me over time.

      Firewall: NetGate 6100/7100U, Palo Alto
      Routing: Juniper MX204 , Arista 7050X3
      Switching: Juniper EX/QFX. Arista 7050SX
      Wireless: Unifi, Aruba IAP

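As an added example (not code from this thread or from ntopng), a small Python parser for the alert text pasted above: it splits the line into its four alerts, pulls out each score and the certificate validity window, and computes the validity in days, so a defender can see why ntopng flagged the certificate before deciding to suppress the alert. The 398-day threshold and the treatment of the leading "Other Issues" as a column label rather than part of the alert name are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the ntopng flow alert text quoted in the post above, wrapped for readability.
SAMPLE = (
    "Other Issues Application on Non-Standard Port  [Score: 100] "
    "[TLS Certificate Validity: 04/12/2022 23:20:51 - 07/15/2024 23:20:51] "
    "[Main Direction: Srv  Cli], Missing TLS SNI  [Score: 100] "
    "[TLS Certificate Validity: 04/12/2022 23:20:51 - 07/15/2024 23:20:51] "
    "[Main Direction: Srv  Cli], Too Long TLS Certificate Validity  [Score: 100] "
    "[TLS Certificate Validity: 04/12/2022 23:20:51 - 07/15/2024 23:20:51] "
    "[Main Direction: Srv  Cli], TLS not carrying HTTPS  [Score: 100] "
    "[TLS Certificate Validity: 04/12/2022 23:20:51 - 07/15/2024 23:20:51] "
    "[Main Direction: Srv  Cli]"
)

# One alert = a name, a [Score: N] tag, then zero or more [Key: Value] tags.
ALERT_RE = re.compile(r"(?P<name>[^\[\],]+?)\s*\[Score:\s*(?P<score>\d+)\]"
                      r"(?P<tags>(?:\s*\[[^\]]*\])*)")
TAG_RE = re.compile(r"\[([^:\]]+):\s*([^\]]*)\]")
TS_FMT = "%m/%d/%Y %H:%M:%S"
# Assumption: 398 days is the CA/Browser Forum cap for public certs; ntopng's own threshold is configurable.
MAX_VALIDITY_DAYS = 398


def parse_alerts(text):
    """Split an ntopng flow alert string into one dict per alert."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        # "Other Issues" is the column label pasted with the first alert (assumption), not its name.
        name = m.group("name").strip().removeprefix("Other Issues").strip()
        tags = {k.strip(): v.strip() for k, v in TAG_RE.findall(m.group("tags"))}
        alert = {"name": name, "score": int(m.group("score")), "tags": tags}
        if "TLS Certificate Validity" in tags:
            start, end = tags["TLS Certificate Validity"].split(" - ")
            alert["validity_days"] = (datetime.strptime(end, TS_FMT)
                                      - datetime.strptime(start, TS_FMT)).days
        alerts.append(alert)
    return alerts


def triage(text):
    """Summarise the facts a defender checks before suppressing such an alert."""
    alerts = parse_alerts(text)
    names = [a["name"] for a in alerts]
    days = max((a.get("validity_days", 0) for a in alerts), default=0)
    return {"alert_names": names, "validity_days": days,
            "max_score": max((a["score"] for a in alerts), default=0),
            "cert_too_long": days > MAX_VALIDITY_DAYS,
            "missing_sni": "Missing TLS SNI" in names}
```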
      • K
        keyser @michmoor last edited by

        @michmoor It’s not a useless tool that’s for sure :-)
        Can be pretty good to get a feel for the current traffic and some history. But it is really only a “near real time” analytics tool, so it’s not worth much when it comes to forensics.

        Also - the Lua scripts/engine are fairly buggy - at least when using Redis RRD files for storage. When it has been running for a while the script integration will start failing for pieces of the data collection and analytics. Later on alerting and so on dies. So you need to restart it fairly often to have a somewhat true and useful content picture.

        Rumours say it's much more stable when using InfluxDB for storage, but I haven't tried it.

        • M
          michmoor @keyser last edited by

          @keyser

          @keyser said in ntopng helping you troubleshoot:

          so it’s not worth much when it comes to forensics.

          Oh I absolutely agree. I'm just trying to see how much I can do on a budget of nothing. :)
          Considering NTOPNG is the community edition and there really isn't much in the way of usefulness that can really be gathered by the traffic identification, I figured it was neat that the flows Suricata saw NTOP saw and reported too. That certainly won't be the case all the time.

          From what i can tell, ntop is really good at figuring out current top talkers.
          For more historical data I'm looking at NFSEN but I can't get that to run on Ubuntu 20.04. Documentation is very dated.

          Firewall: NetGate 6100/7100U, Palo Alto
          Routing: Juniper MX204 , Arista 7050X3
          Switching: Juniper EX/QFX. Arista 7050SX
          Wireless: Unifi, Aruba IAP
