[SOLVED] Ntop GEO MAP

feerab

Hans from Berlin

Thank you very much dragoangel!

robvanhooren

Omg This was awesomeee.

Also, my plex server is getting flows categorized as unknown application. Is there a way to create my category for Plex?

There's some automated ones like netflix and that kind of stuff.

yes.

plex should actually be recognized by ntopng (as of v3.9) but the pfS pkg is 3.8 at the moment.

for now you have to do custom protocols by hand.

see redmine #9912 for a bit of a howto.

(that will get the protocols 'known'; afterwards, you can set them to an appropriate category in the ntop gui).

gacpac

@robvanhooren sorry but redmine #9912 where?

robvanhooren

the bugtracker is in the pfSense menu (top right corner of the GUI)

it opens the redmine site

or, you can go directly to request #9912 here

hope that helps?

R.

gniting

@dragoangel After applying this patch, I am seeing a flood of msgs in the system log with the following text:
As of two days ago, I am seeing a ton of entries in the system log with the following msg:

Attack from "192.168.7.1" on service 100 with danger 10.
Did not receive identification string from 192.168.7.1 port 3736

192.168.7.1 the IP of the pfsense box itself. If I turn off ntopng, the msgs go away. Any ideas?

dragoangel

@ibbetsion this logs not related to patch. They logged without it too if you enable ntopng and do not configure it. Disable alerts in ntopng itself, and please look to all setting).

dragoangel

This now broken again due MaxMind require LicenseKeys usage now https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/

manjotsc

@dragoangel

alt text

manjotsc

@dragoangel As temporary solution I uploaded latest files on web server, and It seems to be working fine again.

ntopng.inc.txt

dragoangel

@manjotsc I understand that I can simply put files even on pfsense with geoip. Question about that this plugins must already be officially fixed by netgate to support new API with authorization

manjotsc

@dragoangel I think they are waiting for PfSense 2.5 release, because I tried installing Ntopng 3.8 manually, but ntopng 3.8 needs some package dependencies that only supported in FreeBSD12.

manjotsc

@dragoangel Problem Solved Working Now

https://www.youtube.com/watch?v=GkPA4kb3Xoo

alt text

dragoangel

@manjotsc devel version of pfsense 2.5 has same ntopng. Thanks for video.

manjotsc

@dragoangel hmmm, sorry maybe I am confused.

dragoangel

@manjotsc yep, I doesn't know, but looks like pkg maintainer simply lost.
Direct link by simple parameters works so I updated https://forum.netgate.com/topic/141150/solved-ntop-geo-map/6 as well

manjotsc

@dragoangel Atleast this time it got solved quickly as compared to before, which was broken for months.

Sigsegv

I'm not sure if anyone else is running into issues with the above patch and the new access key requirement from maxmind, but mine still wouldn't update the GeoIP database..

It seems like fetch has an issue with the new URL, so changed the /usr/local/pkg/ntopng.inc file to use curl.. These changes are made after applying the above mentioned patch:

function ntopng_update_geoip() {
global $config;
$curlcmd = "/usr/local/bin/curl";

    $geolite_city = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=YOURKEYHERE&suffix=tar.gz";
    $geoip_asnum = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=YOURKEYHERE&suffix=tar.gz";

    $output_dir_city = "/usr/local/share/ntopng/GeoCity.tar.gz";
    $output_dir_asn = "/usr/local/share/ntopng/GeoASN.tar.gz";

    mwexec("{$curlcmd} --output {$output_dir_city} \"{$geolite_city}\"");
    mwexec("{$curlcmd} --output {$output_dir_asn} \"{$geoip_asnum}\"");

    ntopng_fixup_geoip();

    /* Do not (re)start services on package (re)install, only on manual GeoIP updates via the GUI */
    if ($_POST['Submit'] == "Update GeoIP Data") {
            init_config_arr(array('installedpackages', 'ntopng', 'config', 0));
            $ntopng_config = $config['installedpackages']['ntopng']['config'][0];
            ntopng_services_stop();
            if ($ntopng_config['enable'] == "on") {
                    start_service("ntopng");
            }
    }

}

pponce

@Sigsegv Fetch still works. you just need to modify the execution of the command and put quotes around the url to fetch.

I made the same changes as mentioned above but these two lines were edited in the following way:

        mwexec("{$fetchcmd} -o {$output_dir}/GeoLite2-City.tar.gz -T 5 \"{$geolite_city}\"");
        mwexec("{$fetchcmd} -o {$output_dir}/GeoLite2-ASN.tar.gz -T 5 \"{$geoip_asnum}\"");

then it should work.

Sigsegv

@pponce said in [SOLVED] Ntop GEO MAP:

@Sigsegv Fetch still works. you just need to modify the execution of the command and put quotes around the url to fetch.

I made the same changes as mentioned above but these two lines were edited in the following way:
        mwexec("{$fetchcmd} -o {$output_dir}/GeoLite2-City.tar.gz -T 5 \"{$geolite_city}\"");
        mwexec("{$fetchcmd} -o {$output_dir}/GeoLite2-ASN.tar.gz -T 5 \"{$geoip_asnum}\"");
then it should work.

OK cool. Really, my point of posting was that the patch provided no longer works, therefore, I came up with a workaround using curl.

I'm happy to modify the patch to fix the escape sequence.