One of the greatest strengths of ntopng is its ability to correlate data originating at different layers and at multiple sources together. For example, ntopng can look at IP packets, Ethernet frames and, at the same time, poll SNMP devices. This enables ntopng to effectively perform correlations and observe:

- The behavior of IP addresses (e.g., is this IP known to be blacklisted?).
- The MAC addresses carrying IP traffic around in the network.
- The physical location of the MAC addresses (i.e., physical switches traversed by a given MAC address along with trunk and access ports).

For this example, an attacker host 192.168.2.149 is configured to run a port scan (nmap -sS) towards 192.168.2.222. ntopng, using traffic and SNMP data, is able to identify host 192.168.2.149 as a PcEngines connected to interface gigabitethernet15 of switch 192.168.2.168. The port scan is immediately detected by ntopng. Indeed, there are many alerted “TCP Connection Refused” flows having 192.168.2.149 as source (apu is the DNS name of 192.168.2.149). Due to this suspicious activity, there is a significant increase in the score of 192.168.2.149. This score is high enough to ensure the attack mitigation via SNMP kicks in.

Within a minute from the increase in the host score, mitigation causes the port on the SNMP device to be turned down. From this point on, attacker host 192.168.2.149 is effectively disconnected from the network and, thus, it becomes harmless. It is up to the network administrator now to intervene and do any necessary cleanup operation on the attacker host. Once the issues have been resolved, the SNMP port can be turned up again from the preferences.

Having attack mitigation via SNMP implemented in ntopng is just a preliminary step towards making ntopng not just a monitoring and visualisation tool but also something which proactively prevents attackers from harming the network. What’s next is the ability to protect a network by mitigating external attackers.
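The correlation chain the post describes (IP to MAC, MAC to switch port via BRIDGE-MIB, then ifAdminStatus set to down once the host score crosses a threshold) can be modelled end to end. The following is an added example, not ntopng's own code: it runs against a constructed in-memory OID table standing in for switch 192.168.2.168, so no real SNMP device is touched. The OIDs are the standard IF-MIB and BRIDGE-MIB ones; the attacker MAC address, the ifIndex values, the flow records and the scoring weights are assumptions made for illustration. It also adds the guard a practitioner wants before automating this: never shut a trunk or uplink port, since that would disconnect every host behind it rather than just the attacker.

```python
"""Model of score-triggered SNMP port mitigation (added example, not ntopng code).

The switch is a constructed in-memory OID table; hosts, flows and scores are
constructed too.  OID prefixes are the standard IF-MIB / BRIDGE-MIB ones.
"""
from dataclasses import dataclass, field

# Standard, well-known OID prefixes.
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # dot1dTpFdbPort: MAC -> bridge port
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # dot1dBasePortIfIndex: bridge port -> ifIndex
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"                    # ifDescr
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"             # ifAdminStatus: 1 = up, 2 = down

# Constructed values: the attacker's MAC (assumed) and the post's addresses.
ATTACKER_IP = "192.168.2.149"
TARGET_IP = "192.168.2.222"
ATTACKER_MAC = "00:0d:b9:41:aa:01"  # assumed, not taken from the post


def mac_to_oid_suffix(mac: str) -> str:
    """BRIDGE-MIB indexes dot1dTpFdbTable by the six MAC octets in dotted decimal."""
    return ".".join(str(int(octet, 16)) for octet in mac.split(":"))


@dataclass
class FakeSwitch:
    """Stand-in for an SNMP agent: a flat OID -> value table with get/set."""
    table: dict = field(default_factory=dict)

    def get(self, oid):
        return self.table.get(oid)

    def set(self, oid, value):
        self.table[oid] = value


def build_switch() -> FakeSwitch:
    """Constructed table: attacker MAC learned on bridge port 15 (gigabitethernet15),
    plus an uplink on ifIndex 24 that must never be shut automatically."""
    sw = FakeSwitch()
    sw.set(f"{DOT1D_TP_FDB_PORT}.{mac_to_oid_suffix(ATTACKER_MAC)}", 15)
    sw.set(f"{DOT1D_BASE_PORT_IFINDEX}.15", 15)
    sw.set(f"{IF_DESCR}.15", "gigabitethernet15")
    sw.set(f"{IF_ADMIN_STATUS}.15", 1)
    sw.set(f"{DOT1D_BASE_PORT_IFINDEX}.24", 24)
    sw.set(f"{IF_DESCR}.24", "gigabitethernet24")
    sw.set(f"{IF_ADMIN_STATUS}.24", 1)
    return sw


def build_flows(n: int = 12) -> list:
    """Constructed alerted flows: n 'TCP connection refused' flows from the attacker."""
    return [{"src": ATTACKER_IP, "dst": TARGET_IP, "dport": 1000 + i,
             "alert": "tcp_connection_refused"} for i in range(n)]


def score_from_flows(flows, ip, refused_weight=10) -> int:
    """Crude host score: each alerted refused flow sourced by `ip` adds refused_weight."""
    return sum(refused_weight for f in flows
               if f["src"] == ip and f["alert"] == "tcp_connection_refused")


def locate_port(switch, mac):
    """Correlate MAC -> bridge port -> ifIndex -> ifDescr; None if the MAC is unknown."""
    bridge_port = switch.get(f"{DOT1D_TP_FDB_PORT}.{mac_to_oid_suffix(mac)}")
    if bridge_port is None:
        return None
    if_index = switch.get(f"{DOT1D_BASE_PORT_IFINDEX}.{bridge_port}")
    if if_index is None:
        return None
    return if_index, switch.get(f"{IF_DESCR}.{if_index}")


def mitigate(switch, ip, mac, flows, threshold=100, trunk_ifindexes=(24,)):
    """Shut the access port of `mac` if the score of `ip` reaches the threshold.
    Returns (ifIndex or None, human-readable reason)."""
    score = score_from_flows(flows, ip)
    if score < threshold:
        return None, f"score {score} below threshold {threshold}"
    located = locate_port(switch, mac)
    if located is None:
        return None, "MAC not found in switch forwarding table"
    if_index, descr = located
    if if_index in trunk_ifindexes:  # guard: never cut a trunk/uplink automatically
        return None, f"refusing to shut trunk port {descr}"
    switch.set(f"{IF_ADMIN_STATUS}.{if_index}", 2)
    return if_index, f"{descr} set to admin down"


def restore(switch, if_index):
    """Administrator re-enables the port once cleanup on the host is done."""
    switch.set(f"{IF_ADMIN_STATUS}.{if_index}", 1)


if __name__ == "__main__":
    sw = build_switch()
    print(mitigate(sw, ATTACKER_IP, ATTACKER_MAC, build_flows()))
```

In a real deployment the `FakeSwitch` get/set calls would be SNMP GET/SET operations against the device with a write community or SNMPv3 credentials, and the trunk guard would be driven by the port role ntopng already derives from SNMP rather than a hard-coded tuple.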