
The ntopng alert function like Cisco ACL settings with WhiteList #8696

Yoshihiro-jp opened this issue Sep 4, 2024 · 2 comments

@Yoshihiro-jp (Contributor)
What would you like to add or change?:
Add an alert and a "run the user's own script" function to ntopng, triggered when traffic not listed in the whitelist is detected, like a Cisco ACL.

【Supported protocols in the whitelist】 1. ARP 2. ICMP 3. UDP

Note: No need to support TCP; the environment has no TCP traffic. They want to check only ARP, ICMP and UDP traffic.

【Whitelist format】
PROTOCOL:SRC_ADDR:DST_ADDR:DST_PORT

Note: DST_PORT is mandatory when the protocol of the whitelist entry is UDP.

【Whitelist examples】
Example Whitelist#1

#layer2 
ARP:10.10.10.1:10.10.10.2 
#layer3
ICMP:10.10.10.1:10.10.10.2
#layer4
UDP:10.10.10.1:10.10.10.2:123

If all of the above lines are set in the whitelist, it works as below.

  1. If any ARP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 is detected, trigger an alert (execute shell script).
  2. If any ICMP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 is detected, trigger an alert (execute shell script).
  3. If any UDP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 with port number udp/123 is detected, trigger an alert (execute shell script).

Example Whitelist#2

#layer2 
#layer3
#layer4
UDP:10.10.10.1:10.10.10.2:123

  1. If any UDP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 with port number udp/123 is detected, trigger an alert (execute shell script).
  2. If any ARP traffic is detected, trigger an alert (execute shell script).
  3. If any ICMP traffic is detected, trigger an alert (execute shell script).

Note: No alert would be triggered if traffic using any protocol other than ICMP, UDP and ARP is detected.

Examples:
No alert would be triggered if traffic with protocol number 132 (SCTP) is found.
No alert would be triggered if traffic with protocol number 47 (GRE) is found.

Why do you and others need this?:
Our client's request.
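The whitelist format and the deny-by-default matching described in the request above, as an added worked example in Python. This is not ntopng code and not the issue author's code: the function names, the Packet record, the script argv layout and the sample traffic are all assumptions made for illustration. It parses the PROTOCOL:SRC_ADDR:DST_ADDR[:DST_PORT] lines, rejects UDP entries without a port at load time, alerts on every ARP/ICMP/UDP packet that has no exact entry (so a covered protocol with no entries alerts on all of its traffic, as in Example Whitelist#2), and ignores every other protocol.

```python
"""Whitelist parser and checker for the PROTOCOL:SRC_ADDR:DST_ADDR[:DST_PORT] format
proposed in this issue.  Constructed example, not ntopng code: the function names,
the Packet record and the sample traffic below are all assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Only these protocols are checked; anything else (SCTP, GRE, TCP, ...) never alerts.
COVERED = ("ARP", "ICMP", "UDP")

Rule = Tuple[str, str, Optional[int]]          # (src, dst, dst_port or None)


@dataclass(frozen=True)
class Packet:
    """One observed packet (constructed record, not an ntopng structure)."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _norm(addr: str) -> str:
    """Canonical textual form so an address in a rule and in traffic compare equal."""
    return str(ip_address(addr))


def parse_whitelist(text: str) -> Dict[str, Set[Rule]]:
    """Parse whitelist lines; '#' starts a comment.  DST_PORT is mandatory for UDP
    and must be absent for ARP/ICMP, so a malformed entry fails at load time
    instead of silently widening or narrowing the whitelist."""
    rules: Dict[str, Set[Rule]] = {p: set() for p in COVERED}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        proto = fields[0].upper()
        if proto not in rules:
            raise ValueError(f"line {lineno}: unsupported protocol {fields[0]!r}")
        if proto == "UDP":
            if len(fields) != 4:
                raise ValueError(f"line {lineno}: UDP entries need PROTOCOL:SRC:DST:DST_PORT")
            port: Optional[int] = int(fields[3])
            if not 0 <= port <= 65535:
                raise ValueError(f"line {lineno}: bad UDP port {fields[3]!r}")
        else:
            if len(fields) != 3:
                raise ValueError(f"line {lineno}: {proto} entries are PROTOCOL:SRC:DST")
            port = None
        rules[proto].add((_norm(fields[1]), _norm(fields[2]), port))
    return rules


def is_alert(rules: Dict[str, Set[Rule]], pkt: Packet) -> bool:
    """ACL-style deny-by-default for covered protocols: alert unless an exact
    (src, dst[, port]) entry exists.  A covered protocol with no entries at all
    therefore alerts on every packet, as in Example Whitelist#2."""
    proto = pkt.proto.upper()
    if proto not in rules:
        return False
    key: Rule = (_norm(pkt.src), _norm(pkt.dst), pkt.dport if proto == "UDP" else None)
    return key not in rules[proto]


def check_traffic(rules: Dict[str, Set[Rule]], packets: List[Packet]) -> List[Packet]:
    return [p for p in packets if is_alert(rules, p)]


def alert_command(script: str, pkt: Packet) -> List[str]:
    """argv for the user's alert script (hypothetical layout).  Pass the fields as
    separate arguments and run with subprocess.run(argv), never shell=True:
    packet-derived strings must not be interpolated into a shell command line."""
    port = "" if pkt.dport is None else str(pkt.dport)
    return [script, pkt.proto.upper(), pkt.src, pkt.dst, port]


# Example Whitelist#1 and #2 from the issue, plus constructed sample traffic.
WHITELIST_1 = """#layer2
ARP:10.10.10.1:10.10.10.2
#layer3
ICMP:10.10.10.1:10.10.10.2
#layer4
UDP:10.10.10.1:10.10.10.2:123
"""
WHITELIST_2 = """#layer2
#layer3
#layer4
UDP:10.10.10.1:10.10.10.2:123
"""
SAMPLE_TRAFFIC = [
    Packet("ARP", "10.10.10.1", "10.10.10.2"),          # listed in #1 only
    Packet("ARP", "10.10.10.3", "10.10.10.2"),          # unlisted source
    Packet("ICMP", "10.10.10.1", "10.10.10.2"),         # listed in #1 only
    Packet("UDP", "10.10.10.1", "10.10.10.2", 123),     # listed in both
    Packet("UDP", "10.10.10.1", "10.10.10.2", 53),      # wrong port
    Packet("UDP", "10.10.10.2", "10.10.10.1", 123),     # reverse direction
    Packet("SCTP", "10.10.10.5", "10.10.10.6"),         # protocol 132: never alerts
    Packet("GRE", "10.10.10.5", "10.10.10.6"),          # protocol 47: never alerts
]

if __name__ == "__main__":
    for name, wl in (("Whitelist#1", WHITELIST_1), ("Whitelist#2", WHITELIST_2)):
        print(name)
        for p in check_traffic(parse_whitelist(wl), SAMPLE_TRAFFIC):
            print("  ", " ".join(alert_command("/usr/local/bin/on_alert.sh", p)))
```

Against Whitelist#1 only the unlisted ARP source, the udp/53 packet and the reversed UDP direction alert; against Whitelist#2 the listed ARP and ICMP packets alert as well, and the SCTP and GRE packets never do. Direction matters because entries are ordered (SRC, DST) pairs, so a reply flow needs its own entry.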

@lucaderi (Member) commented Sep 4, 2024

@Yoshihiro-jp Do you need us to support wildcards (* meaning any port)? Example UDP:10.10.10.1:10.10.10.2:* ?

@Yoshihiro-jp (Contributor, Author)

@Yoshihiro-jp Do you need us to support wildcards (* meaning any port)? Example UDP:10.10.10.1:10.10.10.2:* ?
Dear @lucaderi
No need to support wildcards.
He would write all IP addresses in the whitelist.

regards,
Yoshihiro
