NTOPNG - Is it safe to use on the WAN IF?
I was recently testing NTOPNG and I found it pretty useful.
Would this be safe to use on the WAN interface? I mean, how is it capturing all the information?
Is it connecting to a kind of API on pf, so any bugs in NTOPNG wouldn't be a security issue? Or is it directly listening on the interface, so that there is a chance of buffer overflows and other bugs that would allow breaking into pfSense or running a DoS attack (if someone sends a special malformed package that NTOPNG captures)? Or does it work in a completely different way?
I hope so! (Not a very useful response but this is what I have just started using it for - since it is specifically WAN traffic I am trying to identify.)
It does include some alert items that suggest it is intended for the WAN interface (e.g. Suspicious Activity: "Probing or Server Down" messages).
As for how it is capturing this information, you are probably best advised to look at the ntop website http://www.ntop.org/products/traffic-analysis/ntop/; they speak about being based on libpcap and collecting flows through nprobe.