DOCSLIB.ORG

A Review on Security Onion Tools for Intrusion Detection

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021 599 ISSN 2229-5518 A Review on Security Onion Tools for Intrusion Detection MAHAWISH, MOBEEN, BUSHRA, MISBAH PERVEEN, SOOMAL FATIMA, MAHAM* Dept. of Software Engineering Bahria University Karachi Campus *Dept. of Software Engineering Bahria University Karachi Campus Abstract— part of human lives and the use of web applications such as online banking, health care Intrusion detection has always been the facilities, cloud, online shopping, and data area of interest for network analysts as well centers, require an efficient security mechanism as the research community. Especially with for computer networks. This means that the the adoption of sophisticated techniques internet is a big concern and there is a need to protect data from intrusion and exploitation employed by malicious adversaries, it is against vulnerabilities. becoming more difficult to detect and block the malware and threat activities within a An IDS (Intrusion Detection System) is a Cyber-Physical System (CPS). To better security management tool used to scan malicious perform security jobs and acquiring network traffic for computer networks [1]. IDS protectsa monitoring data, the Security Operations CPS by providing three major security functions analyst focuses on the tools advantageous for including monitor, detect, and respond to Network Security Monitoring (NSM) which unauthorized and illegal activities [2][3]. collects, maintains, process, and present the Typically, an IDS is divided into two data helpful for detection of intrusions. The categories including Host-Based (HIDS) and Security Onion (SO) is a proper low-cost Network-Based (NIDS). The HIDS is solution for NSM,IJSER It is a Linux based responsible for monitoring a particular host or distribution for managing logs, security, and system [2] and avoids intruders to compromise provides multiple tools for intrusion system security policies. HIDS collects data of detections including Network IDS and Host network events, file systems, and system calls to IDS. check whether any inconvenient action has been This paper presents a review of Security encountered or not. Detection in intrusion is Onion tools used for analyzing & inspecting examined by file system integrity and memory usage [4]. Tripwire [5], USSEC [6] and Samhain network packets helpful for security analysts [7] are on shelf HIDS to protect a CPS. We have also reviewed the feature and functionalities of SO in terms of NIDS are deployed to monitor the traffic tools used for Host and Network visibilities, between all the devices on the network. NIDS Analyst tools, architecture, NSM data types, works like a bodyguard that monitor both inside and performed analysis upon the usage of and outside of property [2]. It monitors packets, different IDS tools in the literature. matches patterns from already existing signature attacks, or sometimes statistical analysis to Keywords—Intrusion Detection, Security detect unusual behavior. Snort [8], Zeek [9], and Onion,Network Security Monitoring (NSM) Suricata [30] are the instances of open-source network IDS. ML-based methodologies (i.e., Genetic Algorithm, SVM [10], and Artificial I. INTRODUCTION Neural Networks [11]) are used to detect zero- The internet has become an essential day attacks.Similarly, Deep Learning IJSER © 2021 http://www.ijser.org International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021 600 ISSN 2229-5518 approaches are often used to enhance the logical and weighted group result sets, and geo- performance of anomaly-based IDS using a IPP mapping. ELSA is a centralized Syslog mimetic classifier [12]. framework [37] that provides an asynchronous web-based query interface that normalized logs, Issues still exist, DDoS (Distributed Denial and also include tools to show logs, email alerts, of Service attack), bypass the IDS filters and organized queries, and graphing. attack computer networks [13]. To handle security issues, a more organized This section describes the basics of SO, its and central approach is needed to proactively usage, configuration, and management. hunt for malicious threats on the networks. SO [13, 14] is a Linux-based distribution that A. Using Security Onion provides a set of tools that offer log management, network security monitoring, and Gonzales et al. [16] on the behalf of The IDS capabilities for multiple types of HIDS and National University Information Security Lab NIDS. Environment (ISLE) provides an overview of the virtual testing environment for cybersecurity In this paper, we aim to achieve a cavernous training assignments. They provide examples of understanding of the functionalities, deployment attacks including malware, botnet, and honeypot modes and tools included in the SOdistribution, traffic, etc. The tool used in the proposed which consequently makes the detection process framework provides insight and also allow to more robust and effective. share of practices adopted in industries. The goal The rest of the paper is segmented as follows. of the paper is to propose a framework for Section II presents a brief background of security onion.A critical review of existing work national and academic cyber defense using is presented in section III.. Section IVdiscusses security onion. the deployment methods and types of data, configuration, Host, Network, and Analyst B. Configuring Security Onion tools.Section V,asimplified SO architecture has been discussed. Lastly, section VI concludes the Ashely et al. [18] discussed how to block paper. attacks including SQL Injection (SQLi), Cross- Site Scripting (XSS), and web application II. BACKGROUND attacks using SO. This paper gives several labs that test for various Web application In the Security Onion solution, host security is IJSERvulnerabilities includes Cross XSS, SQL maintained by OSSEC [6], it performs real-time network analysis by performing functionalities injection, and OS injections, against a well- includingsystem Logs, file integrity, and known attacks Web application virtual machine monitoring the policies of network endpoints. called DVWA. The study performed on the behalf of SANS shows the capabilities of SO IDS logs and Zeek tool, provide full packet tools and services to protect an environment. capture, which gives a daunting amount of data to analysts. To handle this extensive amount of C. Monitoring and Logging data SOintegrates Sguil, Squert, and ELSA. Roger Meyer [19] on behalf of the SANS Sguil Provides Graphical User Interface (GUI) [27],GUI is written in TCL/TK whose main Institute of InfoSec detects attacks on web function is to view alerts of Snort or Suricata, applications from log files it allows us to view OSSEC, Zeek HTTP events, and PRADS alerts the detailed analysis of a user’s actions. HTTP [29]. files have a complete log of user’s request and response record, by having a record of these logs Additionally, Sguil permits ananalyst to query well-known attacks can be recognized and block all packets to hunt malicious activity. The against exploitations. Sguildatabase based web application interface is supported by the squert tool. It allows to query Another Paper provided by Sunil Gupta [20] Sguil database and provides numerous data for the SANS Institute of InfoSec describes the visualization such as time series representation, use of SO to detect the network exploitations for IJSER © 2021 http://www.ijser.org International Journal of Scientific & Engineering Research Volume 12, Issue 3, March-2021 601 ISSN 2229-5518 effective logging and monitoring. In this paper,the author provided the SO with an Hjelmvik Erik [21] also describes the usage appropriate solution for individual entities or of SO for the analysis of network and system groups with minimum. budget and this paper intrusions using the provided tool. It explores also highlight the advantages provided to many activities that gain growing attractiveness security analyst with researchers. D. Managing Security Taxonomy of SO Deployment Types of Tools Methods Data Network Host Visibility Standalone Session Data Analyst Tools Visibility Tools Tools Ful Packet Distributed Syslog Squert Capture Zeek Transaction Osquery ELSA Data Stenographer Alert Data Beats Sguil Strelka Statistical Wazuh CapME IJSERData Suricata Meta Data Kibana In this mode, it runs on a single physical machine that has multiple interfaces monitoring III. TAXONOMY OF SECURITY ONION different network segments. Easy to use and convenient to monitor single location networks. This section presents a taxonomy of security onion for understanding its overall architecture 2) Distributed that consequently helps in devising a It runs on single server machine running deployment methodology of the SIEM solution components related to a server, the client in accordance with the needs of a particular machines forward queries to the server, all sent cyber-physical system.The taxonomy is broadly queries disseminated to the suitable sensors with based on three main categories including the information requested back to the client. All deployment methods, types of data and tools. the traffic between client and server is encrypted. A. Deployment Methods Table 1: Comparison of deployment methods The Security Onioncan be deployed in many scenarios such as evaluation and production Deployment Scalable Perform- Through Cost mode [21] which gives the following Mode -ance put deployment options as discussed below: Standalone No Low Low Low 1) Standalone Distribute
Recommended publications
  • Monitoring Network Traffic Using Ntopng

    Monitoring Network Traffic Using Ntopng

    Monitoring Network Traffic using ntopng Luca Deri <[email protected]> © 2013 - ntop.org Outlook • What are the main activities of ntop.org ? • ntop’s view on network monitoring. • From ntop to ntopng. • ntopng architecture and design. • Using ntopng. • Advanced monitoring with ntopng. • Future roadmap items. "2 © 2013 - ntop.org About ntop.org [1/2] • Private company devoted to development of open source network traffic monitoring applications. • ntop (circa 1998) is the first app we released and it is a web-based network monitoring application. • Today our products range from traffic monitoring, high-speed packet processing, deep-packet inspection, and IDS/IPS acceleration. "3 © 2013 - ntop.org About ntop.org [2/2] • Our software is powering many commercial products... "4 © 2013 - ntop.org ntop Goals • Provide better, yet price effective, traffic monitoring solution by enabling users to have increased traffic visibility. • Go beyond standard metrics and increase traffic visibility by analysing key protocols in detail. • Provide users comprehensive and accurate traffic reports able to offer at a fraction of price what many commercial products do together. • Promote open-source software, while protecting selected IPRs. "5 © 2013 - ntop.org ntop’s Approach to Traffic Monitoring • Ability to capture, process and (optionally) transmit traffic at line rate, any packet size. • Leverage on modern multi-core/NUMA architectures in order to promote scalability. • Use commodity hardware for producing affordable, long-living (no vendor lock), scalable (use new hardware by the time it is becoming available) monitoring solutions. • Use open-source to spread the software, and let the community test it on unchartered places. "6 © 2013 - ntop.org Some History • In 1998, the original ntop has been created.
  • Implementing Cisco Cyber Security Operations

    Implementing Cisco Cyber Security Operations

    2019 CLUS Implementing Cisco Cyber Security Operations Paul Ostrowski / Patrick Lao / James Risler Cisco Security Content Development Engineers LTRCRT-2222 2019 CLUS Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#LTRCRT-2222 by the speaker until June 16, 2019. 2019 CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Goals and Objectives • Prerequisite Knowledge & Skills (PKS) • Introduction to Security Onion • SECOPS Labs and Topologies • Access SECFND / SECOPS eLearning Lab Training Environment • Lab Evaluation • Cisco Cybersecurity Certification and Education Offerings 2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Goals and Objectives: • Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow. • Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats. • The goal of Cisco’s CCNA Cyber OPS (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat centric security operations center. • This session will provide the student with an understanding of Security Onion as an open source network security monitoring tool (NSM).
  • Securing Infrastructure-As-A-Service Public Clouds Using Security Onion

    Securing Infrastructure-As-A-Service Public Clouds Using Security Onion

    Securing Infrastructure-as-a-Service Public Clouds Using Security Onion MIKAIL, Abdullahi and PRANGGONO, Bernardi <http://orcid.org/0000-0002- 2992-697X> Available from Sheffield Hallam University Research Archive (SHURA) at: http://shura.shu.ac.uk/23927/ This document is the author deposited version. You are advised to consult the publisher's version if you wish to cite from it. Published version MIKAIL, Abdullahi and PRANGGONO, Bernardi (2019). Securing Infrastructure-as-a- Service Public Clouds Using Security Onion. Applied System Innovation, 2 (1). Copyright and re-use policy See http://shura.shu.ac.uk/information.html Sheffield Hallam University Research Archive http://shura.shu.ac.uk Article Securing Infrastructure-as-a-Service Public Clouds Using Security Onion Abdullahi Mikail and Bernardi Pranggono * Department of Engineering and Mathematics, Sheffield Hallam University, Howard Street, Sheffield S1 1WB, UK; [email protected] * Correspondence: [email protected] Received: 17 December 2018; Accepted: 23 January 2019; Published: 30 January 2019 Abstract: The shift to Cloud computing has brought with it its specific security challenges concerning the loss of control, trust and multi-tenancy especially in Infrastructure-as-a-Service (IaaS) Cloud model. This article focuses on the design and development of an intrusion detection system (IDS) that can handle security challenges in IaaS Cloud model using an open source IDS. We have implemented a proof-of-concept prototype on the most deployed hypervisor—VMware ESXi—and performed various real-world cyber-attacks, such as port scanning and denial of service (DoS) attacks to validate the practicality and effectiveness of our proposed IDS architecture.
  • Ntopng User's Guide

    Ntopng User's Guide

    ! !!" ! ! ! ! ! ! ! ! ! ! ! ! ntopng User’s Guide" High-Speed Web-based Traffic Analysis and Flow Collection " ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! Version 1.2" August 2014!" ! ! © 1998-14 - ntop.org" ntopng User’s Guide v.1.2 1.Table of Contents" ! 1. What’s New?"......................................................................................3" 2.It’s time for a completely new ntop."............................................................5" 3. Introduction"..............................................................................................6" 3.1. The main design principles"................................................................7" 3.2. What ntopng can do for me?"..............................................................7" 3.3. ntopng Architecture"..........................................................................9" 3.4. Download ntopng"............................................................................10" 4.Using ntopng"...........................................................................................11" 4.1. Compiling ntopng Source Code".......................................................11" 4.2. Installing a Binary ntopng"................................................................11" 4.3. ntopng Command Line Options".......................................................11" 4.4. ntopng on Windows".........................................................................16" 5. API Scripting Lua".....................................................................................18"
  • Getting the Most from Your Linux Cluster

    Getting the Most from Your Linux Cluster

    Linux Clusters Institute: Intro to Networking Bill Abbott Sysadmin – Office of Advanced Research Computing Rutgers University August 2019 1 Background Survey • Familiarity with… • Ethernet • InfiniBand /OmniPath • Fibre Channel • TCP/IP • Firewalls and DMZ • Switches and routers • Tools: • Basic: ip/ifconfig, netstat, ethtool, top • Advanced: tcpdump, iptraf-ng, ntop • Performance: iperf3, bbcp, iftop August 2019 2 What are We Trying to Accomplish? • Speed • Latency vs Bandwidth • Reliability • Accessibility • Public • Campus • Inside/outside • VPN • DMZ August 2019 3 TCP/IP Necessary Background Needed: • Public vs Private (RFC 1918) Addressing • 10.xx.xx.xx • 192.168.xx.xx • 172.16-31.xx.xx • Subnetting • Gateway(s) • DNS • IPv6 August 2019 4 A TCP/IP example You work at Company A. You have to contact Company B’s web department to acquire some data. • You have to call on the phone but don’t know the number, just the company name. • You call 411 and ask, and they give you the number. • You call that number and ask for extension 80. • The person who answers says hello, and you say hello. • The person tells you to call extension 443 instead. • The person who answers says hello, and you say hello. • You request the data, and the person reads it to you. • You both say goodbye. August 2019 5 Ethernet vs InfiniBand (IB) and OmniPath (OPA) • Most clusters have both Ethernet and IB or OPA • Advantages and disadvantages of each • (Relatively) slow Ethernet for external access, file copying, etc. • IB and OPA for MPI • RDMA vs IP • Management (PXE,
  • Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software

    Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software

    Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software Luca Deri, NETikos S.p.A. not only in terms of volume but also in terms of type, as Abstract—Passive network monitoring is a complex these applications redefined the concept of client and server. activity that mainly consists in packet capturing and Usually a server is a host that provides a service to several classification. Unfortunately this architecture often cannot clients. In terms of IP traffic: be applied to gigabit networks, as the amount of data to • A client establishes one or more connections with a capture is too large for the monitoring applications. server, uses the server, and then closes the connections. This paper describes the challenges and lessons learnt by the author while monitoring networks at gigabit speeds and • Servers can exchange data with both clients and above. Finally, it describes an architecture able to servers, whereas clients talk only with servers. successfully monitor networks at high speeds using • Client to server connections are often asymmetrical commodity hardware and open source software. (e.g. in HTTP the client sends little data with respect to the server). Index Terms—Passive Network Monitoring, Packet Capture, NetFlow, sFlow. • Packets such as ICMP port unreachable or TCP packets with the RST flag set are relatively rare, and they are used to indicate that there is a problem somewhere. I. PASSIVE NETWORK MONITORING: STATE OF THE ART • Servers and applications usually listen on well-known ears ago, many computer specialists predicted the need ports. Yto have more bandwidth available because people were supposed to need it mostly for multimedia applications.
  • 20 Linux System Monitoring Tools Every Sysadmin Should Know

    20 Linux System Monitoring Tools Every Sysadmin Should Know

    20 Linux System Monitoring Tools Every SysAdmi... http://www.cyberciti.biz/tips/top-linux-monitoring-t... About Forum Howtos & FAQs Low graphics Shell Scripts RSS/Feed nixcraft - insight into linux admin work powered by Howtos: Linux / UNIX: Speed up SSH X11 Forwarding - Jan 05, 2011 20 Linux System Monitoring Tools Every SysAdmin Should Know by Vivek Gite on June 27, 2009 · 177 comments Need to monitor Linux server performance? Try these built-in command and a few add-on tools. Most Linux distributions are equipped with tons of monitoring. These tools provide metrics which can be used to get information about system activities. You can use these tools to find the possible causes of a performance problem. The commands discussed below are some of the most basic commands when it comes to system analysis and debugging server issues such as: 1. Finding out bottlenecks. 2. Disk (storage) bottlenecks. 3. CPU and memory bottlenecks. 4. Network bottlenecks. #1: top - Process Activity Command The top program provides a dynamic real-time view of a running system i.e. actual process activity. By default, it displays the most CPU-intensive tasks running on the server and updates the list every five seconds. 1 of 45 01/13/2011 01:26 AM 20 Linux System Monitoring Tools Every SysAdmi... http://www.cyberciti.biz/tips/top-linux-monitoring-t... Fig.01: Linux top command Commonly Used Hot Keys The top command provides several useful hot keys: Hot Usage Key t Displays summary information off and on. m Displays memory information off and on. Sorts the display by top consumers of various system resources.
  • Network Traffic and Security Monitoring Using Ntopng and Influxdb

    Network Traffic and Security Monitoring Using Ntopng and Influxdb

    Network Traffic and Security Monitoring Using ntopng and InfluxDB Luca Deri <[email protected]> @lucaderi © 2018 - ntop.org 1 Part I: Welcome to ntopng © 2018 - ntop.org 2 About Me • (1997) Founder of the ntop.org project with the purpose of creating a simple, and open source web-based traffic monitoring application. • Lecturer at the University of Pisa, Italy. • Author of various open source projects ◦n2n: peer-to-peer layer 2 VPN. ◦nDPI: deep-packet-inspection library. ◦PF_RING: high-speed packet capture and transmission. © 2018 - ntop.org 3 About ntop.org • ntop develops open source network traffic monitoring applications. • ntop (circa 1998) is the first app we released and it is a web-based network monitoring application. • Today our products range from traffic monitoring, high-speed packet processing, deep-packet inspection, and IDS/IPS acceleration (bro and suricata). © 2018 - ntop.org 4 ntop’s Approach to Traffic Monitoring • Ability to capture, process and (optionally) transmit traffic at line rate, any packet size. • Leverage on modern multi-core/NUMA architectures in order to promote scalability. • Use commodity hardware for producing affordable, long-living (no vendor lock), scalable (use new hardware by the time it is becoming available) monitoring solutions. • Use open-source to spread the software, and let the community test it on unchartered places. © 2018 - ntop.org 5 Motivation For Traffic Monitoring If you can’t measure it, you can’t improve it (Lord Kelvin, 1824 – 1907) If you can’t measure it, you can’t manage it (Peter Drucker, 1909 – 2005) © 2018 - ntop.org 6 What Happens in Our Network? • Do we have control over our network? • It’s not possible to imagine a healthy network without a clear understanding of traffic flowing on our network.
  • Evaluating the Availability of Forensic Evidence from Three Idss: Tool Ability

    Evaluating the Availability of Forensic Evidence from Three Idss: Tool Ability

    Evaluating the Availability of Forensic Evidence from Three IDSs: Tool Ability EMAD ABDULLAH ALSAIARI A thesis submitted to the Faculty of Design and Creative Technologies Auckland University of Technology in partial fulfilment of the requirements for the degree of Masters of Forensic Information Technology School of Engineering, Computer and Mathematical Sciences Auckland, New Zealand 2016 i Declaration I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements. Emad Abdullah Alsaiari ii Acknowledgement At the beginning and foremost, the researcher would like to thank almighty Allah. Additionally, I would like to thank everyone who helped me to conduct this thesis starting from my family, supervisor, all relatives and friends. I would also like to express my thorough appreciation to all the members of Saudi Culture Mission for facilitating the process of studying in a foreign country. I would also like to express my thorough appreciation to all the staff of Saudi Culture Mission for facilitating the process of studying in Auckland University of Technology. Especially, the pervious head principal of the Saudi Culture Mission Dr. Satam Al- Otaibi for all his motivation, advice and support to students from Saudi in New Zealand as well as Saudi Arabia Cultural Attaché Dr. Saud Theyab the head principal of the Saudi Culture Mission.
  • Network Troubleshooting Using Ntopng Luca Deri &lt;Deri@Ntop.Org&gt;

    Network Troubleshooting Using Ntopng Luca Deri <[email protected]>

    Network Troubleshooting Using ntopng Luca Deri <[email protected]> Outlook • Part 1: Introduction to ntopng ◦ntopng architecture and design. ◦ntopng as a flow collector. ◦Exploring system activities using ntopng. • Part 2: ntopng+Wireshark Monitoring Use Cases ◦Using ntopng. ◦ntopng and Wireshark. ◦Advanced monitoring with ntopng. ◦Future roadmap items. 2 SharkFest 2015 - Computer History Museum June 22-15, 2015 About ntop.org • ntop develops open source network traffic monitoring applications. • ntop (circa 1998) is the first app we released and it is a web-based network monitoring application. • Today our products range from traffic monitoring, to high-speed packet processing, deep-packet inspection, and IDS/IPS acceleration (snort, Bro and suricata). 3 SharkFest 2015 - Computer History Museum June 22-15, 2015 ntop’s Approach to Traffic Monitoring • Ability to capture, process and (optionally) transmit traffic at line rate, any packet size. • Leverage on modern multi-core/NUMA architectures in order to promote scalability. • Use commodity hardware for producing affordable, long-living (no vendor lock), scalable (use new hardware by the time it is becoming available) monitoring solutions. • Use open-source to spread the software, and let the community test it on unchartered places. 4 SharkFest 2015 - Computer History Museum June 22-15, 2015 Some History • In 1998, the original ntop has been created. • It was a C-based app embedding a web server able to capture traffic and analyse it. • Contrary to many tools available at that time, ntop used a web GUI to report traffic activities. • It is available for Unix and Windows under GPL. 5 SharkFest 2015 - Computer History Museum June 22-15, 2015 ntop Architecture Cisco NetFlow HTTP/HTTPS RRD InMon sFlow 6 SharkFest 2015 - Computer History Museum June 22-15, 2015 Why was ntop obsolete? • Its original LAN-oriented design prevented ntop from handling more than a few hundred Mbit.
  • Realtime High-Speed Network Traffic Monitoring Using Ntopng

    Realtime High-Speed Network Traffic Monitoring Using Ntopng

    Realtime High-Speed Network Traffic Monitoring Using ntopng Luca Deri *†, Maurizio Martinelli*, Alfredo Cardigliano† IIT/CNR* ntop† Pisa, Italy {deri, cardigliano}@ntop.org, {luca.deri, maurizio.martinelli}@iit.cnr.it Abstract—Monitoring network traffic has become monitoring tools that are able to spot bottlenecks and security increasingly challenging in terms of number of hosts, protocol issues while providing accurate information for proliferation and probe placement topologies. Virtualised troubleshooting the cause. This means that while NetFlow/ environments and cloud services shifted the focus from dedicated sFlow can prove a quantitative analysis in terms of traffic hardware monitoring devices to virtual machine based, software traffic monitoring applications. volume and TCP/UDP ports being used, they are unable to This paper covers the design and implementation of ntopng, an report the cause of the problems. For instance, NetFlow/IPFIX open-source traffic monitoring application designed for high- can be used to monitor the bandwidth used by the HTTP speed networks. ntopng’s key features are large networks real- protocol but embedded NetFlow probes are unable to report time analytics and the ability to characterise application that specific URLs are affected by large service time. protocols and user traffic behaviour. ntopng was extensively Today a single application may be based on complex validated in various monitoring environments ranging from cloud-based services comprised of several processes small networks to .it ccTLD traffic analysis. distributed across a LAN. Until a few years ago web Keywords—Traffic monitoring, real-time analytics, open-source applications were constructed using a combination of web software, monitoring of virtual and cloud environments.
  • Realtime High-Speed Network Traffic Monitoring Using Ntopng

    Realtime High-Speed Network Traffic Monitoring Using Ntopng

    Realtime High-Speed Network Traffic Monitoring Using ntopng Luca Deri, IIT/CNR and ntop; Maurizio Martinelli, IIT/CNR; Alfredo Cardigliano, ntop https://www.usenix.org/conference/lisa14/conference-program/presentation/deri-luca This paper is included in the Proceedings of the 28th Large Installation System Administration Conference (LISA14). November 9–14, 2014 • Seattle, WA ISBN 978-1-931971-17-1 Open access to the Proceedings of the 28th Large Installation System Administration Conference (LISA14) is sponsored by USENIX Realtime High-Speed Network Traffic Monitoring Using ntopng ! Luca Deri, IIT/CNR, ntop Maurizio Martinelli, IIT/CNR Alfredo Cardigliano, ntop ! ! ! Abstract facilitating the monitoring of virtual environments. Monitoring network traffic has become increasingly These are only partial solutions because either v5 Net- challenging in terms of number of hosts, protocol pro- Flow (or v9 with basic information elements only) or liferation and probe placement topologies. Virtualised inaccurate, sample-based sFlow are supported. Network environments and cloud services shifted the focus from managers need traffic monitoring tools that are able to dedicated hardware monitoring devices to virtual ma- spot bottlenecks and security issues while providing accurate information for troubleshooting the cause. This chine based, software traffic monitoring applications. This paper covers the design and implementation of means that while NetFlow/sFlow can prove a quantita- ntopng, an open-source traffic monitoring application tive analysis in terms of traffic volume and TCP/UDP designed for high-speed networks. ntopng’s key fea- ports being used, they are unable to report the cause of tures are large networks real-time analytics and the abil- the problems.