From 8f25e6862cea7290812c2ba4e16496915fd22ab1 Mon Sep 17 00:00:00 2001 From: Matteo Biscosi Date: Mon, 21 Aug 2023 15:23:19 +0000 Subject: [PATCH] Updated alert documentation with license table (#7773) --- doc/src/alerts/alerts_list_per_license.rst | 205 ++++++++++++ ...uating_alerts.rst => available_alerts.rst} | 3 +- doc/src/alerts/host_checks.rst | 298 ++++++++++-------- doc/src/alerts/index.rst | 3 +- doc/src/alerts/interface_checks.rst | 149 +++++---- doc/src/alerts/local_network_checks.rst | 84 ++++- doc/src/alerts/snmp_checks.rst | 84 ++++- doc/src/alerts/syslog_checks.rst | 13 +- doc/src/alerts/system_checks.rst | 86 ++--- 9 files changed, 659 insertions(+), 266 deletions(-) create mode 100644 doc/src/alerts/alerts_list_per_license.rst rename doc/src/alerts/{evaluating_alerts.rst => available_alerts.rst} (96%) diff --git a/doc/src/alerts/alerts_list_per_license.rst b/doc/src/alerts/alerts_list_per_license.rst new file mode 100644 index 0000000000..60aa180fd4 --- /dev/null +++ b/doc/src/alerts/alerts_list_per_license.rst 
@@ -0,0 +1,205 @@ +Alerts List per License +======================= + +some ntopng alerts are available with a specific license :ref:`WebUIUserScripts`. Here a list of all the alerts divided by family and their availability depending on the license. + +**Host Behavioural Checks** +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| | Community | Pro | Enterprise M | Enterprise L | Enterprise XL | ++===========================+===========+=====+==============+==============+===============+ +| Countries Contacts | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Dangerous Host | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| DNS Flood | | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| DNS Server Contacts | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| DNS Traffic | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Domain Names Contacts | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Flow Flood | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Flows Anomaly | | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Host External Check (REST)| x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Host User Check Script | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| ICMP Flood | x | x | x | x | x | 
++---------------------------+-----------+-----+--------------+--------------+---------------+ +| NTP Server Contacts | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| NTP Traffic | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| P2P Traffic | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Packets | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Remote Connection | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| RST Scan | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Scan Detection | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Score Anomaly | | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| Score Threshold Exceeded | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| SMTP Server Contacts | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| SNMP Flood | | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| SYN Flood | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| SYN Scan | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ +| FIN Scan | x | x | x | x | x | ++---------------------------+-----------+-----+--------------+--------------+---------------+ + + +**Interface Behavioural 
Checks** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| | Community | Pro | Enterprise M | Enterprise L | Enterprise XL | ++==========================================+===========+=====+==============+==============+===============+ +| Alerts Drops | x | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| DHCP Storm | | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Ghost Networks | x | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Idle Hash Table Entries | | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| No Traffic Activity | x | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Packet Drops | | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Periodic Activity Not Executed | x | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Slow Periodic Activity | x | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Throughput | x | x | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Unexpected Application Behaviour | | | | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Unexpected ASN Behaviour | | | | x | x | 
++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Unexpected Device Connected/Disconnected | | | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Unexpected Network Behaviour | | | | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Unexpected Score Behaviour | | | | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Unexpected Traffic Behaviour | | | x | x | x | ++------------------------------------------+-----------+-----+--------------+--------------+---------------+ + + +**Local Networks Behavioural Checks** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| | Community | Pro | Enterprise M | Enterprise L | Enterprise XL | ++============================+===========+=====+==============+==============+===============+ +| Broadcast Domain Too Large | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| Egress Traffic | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| Flow Flood Victim | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| Ingress Traffic | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| Inner Traffic | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| IP/MAC Reassoc/Spoofing | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| Network Discovery | x | x | x | x | x | 
++----------------------------+-----------+-----+--------------+--------------+---------------+ +| Network Issues | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| Network Score per Host | | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| SYN Flood Victim | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ +| SYN Scan Victim | x | x | x | x | x | ++----------------------------+-----------+-----+--------------+--------------+---------------+ + + +**SNMP Behavioural Checks** +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| | Community | Pro | Enterprise M | Enterprise L | Enterprise XL | ++============================+===========+=====+==============+==============+===============+ +| Duplex Status Change | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| High Interface Discards/Errors | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| Interface Errors Exceeded | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| Interface Load Threshold | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| LLDP/CDP Topology Monitor | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| MAC Detection | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| MAC Port Changed | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| Oper. 
Status Change | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| SNMP Device Restart | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| Threshold Crossed | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| Too Many MACs on Non-Trunk | | | x | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ +| Traffic Change Detected | | | | x | x | ++--------------------------------+-----------+-----+--------------+--------------+---------------+ + + +**System Behavioural Checks** +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++----------------------------------------+-----------+-----+--------------+--------------+---------------+ +| | Community | Pro | Enterprise M | Enterprise L | Enterprise XL | ++========================================+===========+=====+==============+==============+===============+ +| Intrusion Detection and Prevention Log | x | x | x | x | x | ++----------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Periodic Activity Not Executed | x | x | x | x | x | ++----------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Slow Periodic Activity | x | x | x | x | x | ++----------------------------------------+-----------+-----+--------------+--------------+---------------+ +| System Alerts Drops | x | x | x | x | x | ++----------------------------------------+-----------+-----+--------------+--------------+---------------+ +| Vulnerability Scan Changes | | | | x | x | ++----------------------------------------+-----------+-----+--------------+--------------+---------------+ + + +**Syslog Behavioural Checks** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 
++----------------+-----------+-----+--------------+--------------+---------------+ +| | Community | Pro | Enterprise M | Enterprise L | Enterprise XL | ++================+===========+=====+==============+==============+===============+ +| Fortinet | | | | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ +| Host Log | x | x | x | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ +| Kerberos/NXLog | | | | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ +| nBox | x | x | x | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ +| OpenVPN | | | | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ +| OPNsense | | | | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ +| SonicWALL | | | | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ +| Sophos | | | | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ +| Suricata | x | x | x | x | x | ++----------------+-----------+-----+--------------+--------------+---------------+ diff --git a/doc/src/alerts/evaluating_alerts.rst b/doc/src/alerts/available_alerts.rst similarity index 96% rename from doc/src/alerts/evaluating_alerts.rst rename to doc/src/alerts/available_alerts.rst index e1f5c6500a..7a40067a4e 100644 --- a/doc/src/alerts/evaluating_alerts.rst +++ b/doc/src/alerts/available_alerts.rst @@ -13,13 +13,12 @@ Checks are desiged to verify specific conditions and when they are not met, trig :maxdepth: 2 host_checks - host_rules - host_volume_check interface_checks local_network_checks snmp_checks flow_checks system_checks syslog_checks + host_rules diff --git a/doc/src/alerts/host_checks.rst b/doc/src/alerts/host_checks.rst index cbf992f803..18b6709107 100644 --- a/doc/src/alerts/host_checks.rst 
+++ b/doc/src/alerts/host_checks.rst @@ -7,13 +7,14 @@ Host checks are performed on active hosts. ____________________ -**DNS Server Contacts Alert** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Checks for DNS Server Contacts. -DNS servers are sensitive to all network-based attacks. There are many ways attackers can cause a large amount of network traffic to the DNS servers, such as TCP/UDP/ICMP floods, rendering the service unavailable to other network users by saturating the network connection to the DNS servers. +**Countries Contacts** +~~~~~~~~~~~~~~~~~~~~~~ +Checks for Countries Contacts. -The alert is sent when number of different DNS servers contacted exceeds the threshold. +The endpoint sends too many requests to different countries - the recognition is based on IP location, overcoming the threshold > 100 Contacts (Minute). + +The alert is sent when the threshold is exceeded. *Category: Cybersecurity* 
@@ -36,18 +37,128 @@ The alert is sent when a dangerous host is detected. *Not Enabled by Default* -**Score Anomaly** -~~~~~~~~~~~~~~~~~ +**DNS Flood** +~~~~~~~~~~~~~ -Checks for score anomaly. +Checks for DNS Flood. -Anomalies score represents how abnormal the behavior of the host is, based on its past behavior. +DNS Flood Alert + +DNS flood is a type of DDoS attack in which the attacker targets one or more DNS servers, attempting to hamper resolution of resource records of that zone and its sub-zones. + +The alert is sent when the number of sent/received SYNs/sec exceeds the threshold. *Category: Cybersecurity* *Not Enabled by Default* +**DNS Server Contacts** +~~~~~~~~~~~~~~~~~~~~~~~ +Checks for DNS Server Contacts. + +DNS servers are sensitive to all network-based attacks. There are many ways attackers can cause a large amount of network traffic to the DNS servers, such as TCP/UDP/ICMP floods, rendering the service unavailable to other network users by saturating the network connection to the DNS servers. + +The alert is sent when number of different DNS servers contacted exceeds the threshold. + + +*Category: Cybersecurity* + +*Not Enabled by Default* + + +**DNS Traffic** +~~~~~~~~~~~~~~~~~~~~~~ +Checks for DNS Traffic. + +DNS traffic exceeds the threshold > (1 MB) + +The alert is sent when the threshold is exceeded. + +*Category: Network* + +*Not Enabled by Default* + + +**Domain Name Contacts** +~~~~~~~~~~~~~~~~~~~~~~~ +Checks for Domain Names Contacts. + +The alert is sent when the number of different Domain Names contacted from an host exceeds the threshold. + +*Category: Cybersecurity* + +*Not Enabled by Default* + + +**Flow Flood** +~~~~~~~~~~~~~ + +Checks for Flow Flood. + +Flow Flood alert. + +Flow flood is a type of DDoS attack in which the attacker targets one or more hosts by sending a huge amout of flows towards them. + +The alert is sent when the number of flows/sec exceeds the threshold. 
+ +*Category: Cybersecurity* + +*Not Enabled by Default* + + +**Flows Anomaly** +~~~~~~~~~~~~~~~~~ + +Checks for a Flow Anomaly + +Flow-based anomaly detection centers around the concept of the network flow. A flow record is an indicator that a certain network flow took place and that two network endpoints have communicated with each other. + +The alert is sent when the system detects anomalies in active flows number. + +*Category: Network* + +*Not Enabled by Default* + + +**Host External Check (REST)** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Trigger a host alert from an external script via REST API. For further information please visit :ref:`RESTAPIDocV2 target` and check the *rest/v2/trigger/host/alert.lua* API. +Please note that the Check must be enabled from the Settings as any other Behavioural Checks before pushing alerts via REST API. + +*Category: Network* + +*Not Enabled by Default* + + +**Host User Check Script** +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Trigger a host alert based on a custom Lua user script. For further information please visit :ref:`ApiHostChecks target` + +*Category: Network* + +*Not Enabled by Default* + + +**ICMP Flood** +~~~~~~~~~~~~~~~~~~~~ + +Checks for ICMP Flood. + +The ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim’s computer by overwhelming it with ICMP echo requests, also known as pings. +The attack involves flooding the victim’s network with request packets, knowing that the network will respond with an equal number of reply packets. + + +The alert is sent when the number of sent/received ICMP Flows/sec exceeds the threshold. + + +*Category: Network* + +*Not Enabled by Default* + + **NTP Server Contacts** ~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -62,14 +173,55 @@ The alert is sent when the number of different NTP servers contacted exceeds the *Not Enabled by Default* -**DNS Server Contacts Alert** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +**NTP Traffic** +~~~~~~~~~~~~~~~~~~~~~ +Checks for NTP Traffic. -Checks for DNS Server Contacts. +Network Time Protocol (NTP) server, could be flooded with traffic (DDoS attack). When NTP traffic exceeds the threshold > (1 MB) the alert is triggered. -DDoS attacks typically occur with a botnet. The attacker uses a network of malware-infected computers to send large amounts of traffic to a target, such as a server. The goal is to overload the target and slow or crash it. +The alert is sent when the threshold is crossed. -The alert is sent when the number of different DNS servers contacted exceeds the threshold. + +*Category: Network* + +*Not Enabled by Default* + + +**P2P Traffic** +~~~~~~~~~~~~~~~~~~~~~ + +Checks for P2P Traffic. + + +As P2P traffic continues to grow. This growth in traffic causes network congestion, performance deterioration.When P2P traffic exceeds the threshold the alert is triggered. + +The alert is sent when the threshold is crossed. + +*Category: Network* + +*Not Enabled by Default* + + +**Packets** +~~~~~~~~~~~~~~~~~ + +Checks for Packets. + +Detects and reports on packets based on behavior characteristics of the sender or characteristics of the packets. Foresees possible attack vectors by packet-per-second or percentage-increase-over-time thresholds. + +The alert is sent when the packet delta (sent + received) exceeds the threshold. + +*Category: Network* + +*Not Enabled by Default* + + +**Score Anomaly** +~~~~~~~~~~~~~~~~~ + +Checks for score anomaly. + +Anomalies score represents how abnormal the behavior of the host is, based on its past behavior. *Category: Cybersecurity* 
@@ -105,37 +257,6 @@ The alert is sent when the number of sent/received SYNs/min exceeds the threshol *Not Enabled by Default* -**ICMP Flood Alert** -~~~~~~~~~~~~~~~~~~~~ - -Checks for ICMP Flood. - -The ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim’s computer by overwhelming it with ICMP echo requests, also known as pings. -The attack involves flooding the victim’s network with request packets, knowing that the network will respond with an equal number of reply packets. - - -The alert is sent when the number of sent/received ICMP Flows/sec exceeds the threshold. - - -*Category: Network* - -*Not Enabled by Default* - - -**Packets Alert** -~~~~~~~~~~~~~~~~~ - -Checks for Packets. - -Detects and reports on packets based on behavior characteristics of the sender or characteristics of the packets. Foresees possible attack vectors by packet-per-second or percentage-increase-over-time thresholds. - -The alert is sent when the packet delta (sent + received) exceeds the threshold. - -*Category: Network* - -*Not Enabled by Default* - - **Remote Connection** ~~~~~~~~~~~~~~~~~~~~~ @@ -149,32 +270,6 @@ The alert is sent whenever an host has at least one active flow using a remote a *Not Enabled by Default* -**DNS Traffic Alert** -~~~~~~~~~~~~~~~~~~~~~~ -Checks for DNS Traffic. - -DNS traffic exceeds the threshold > (1 MB) - -The alert is sent when the threshold is exceeded. - -*Category: Network* - -*Not Enabled by Default* - - -**Countries Contacts Alert** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Checks for Countries Contacts. - -The endpoint sends too many requests to different countries - the recognition is based on IP location, overcoming the threshold > 100 Contacts (Minute). - -The alert is sent when the threshold is exceeded. - - -*Category: Cybersecurity* - -*Not Enabled by Default* - **Scan Detection Alert** ~~~~~~~~~~~~~~~~~~~~~~~~ Checks for a scan detection. 
@@ -198,64 +293,3 @@ The alert is sent when the threshold is passed. *Not Enabled by Default* - -**NTP Traffic Alert** -~~~~~~~~~~~~~~~~~~~~~ -Checks for NTP Traffic. - -Network Time Protocol (NTP) server, could be flooded with traffic (DDoS attack). When NTP traffic exceeds the threshold > (1 MB) the alert is triggered. - -The alert is sent when the threshold is crossed. - - -*Category: Network* - -*Not Enabled by Default* - - -**P2P Traffic Alert** -~~~~~~~~~~~~~~~~~~~~~ - -Checks for P2P Traffic. - - -As P2P traffic continues to grow. This growth in traffic causes network congestion, performance deterioration.When P2P traffic exceeds the threshold the alert is triggered. - -The alert is sent when the threshold is crossed. - -*Category: Network* - -*Not Enabled by Default* - -**Flows Anomaly** -~~~~~~~~~~~~~~~~~ - -Checks for a Flow Anomaly - -Flow-based anomaly detection centers around the concept of the network flow. A flow record is an indicator that a certain network flow took place and that two network endpoints have communicated with each other. - -The alert is sent when the system detects anomalies in active flows number. - -*Category: Network* - -*Not Enabled by Default* - -**Host User Check Script** -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Trigger a host alert based on a custom Lua user script. For further information please visit :ref:`ApiHostChecks target` - -*Category: Network* - -*Not Enabled by Default* - -**Host External Check (REST)** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Trigger a host alert from an external script via REST API. For further information please visit :ref:`RESTAPIDocV2 target` and check the *rest/v2/trigger/host/alert.lua* API. -Please note that the Check must be enabled from the Settings as any other Behavioural Checks before pushing alerts via REST API. - -*Category: Network* - -*Not Enabled by Default* - diff --git a/doc/src/alerts/index.rst b/doc/src/alerts/index.rst index e4ce260229..a63b3cae9e 100644 --- a/doc/src/alerts/index.rst 
+++ b/doc/src/alerts/index.rst @@ -11,7 +11,8 @@ Contrary to tools based on signatures, ntopng is a behavioural-based tool. Below .. toctree:: :maxdepth: 2 - evaluating_alerts + available_alerts + alerts_list_per_license available_recipients risk_and_check_exclusion developing_alerts diff --git a/doc/src/alerts/interface_checks.rst b/doc/src/alerts/interface_checks.rst index ea53650550..cab31b8968 100644 --- a/doc/src/alerts/interface_checks.rst +++ b/doc/src/alerts/interface_checks.rst @@ -5,6 +5,35 @@ These checks are performed per network interface monitored by ntopng. ____________________ + +**Alerts Drops** +~~~~~~~~~~~~~~~~ + +Checks for dropped alerts. + +The alerts could be dropped when too many are queued/generated. + +The alert is sent when the system drops the alert. + +*Category: Internals* + +*Enabled by Default* + + +**DHCP Storm** +~~~~~~~~~~~~~~ + +Checks for DHCP flooding. + +DHCP storm occurs when DHCP router gets too many packets requests in a minute - by blocking totally the router functioning. + +The alert is triggered when DHCP storm is detected. + +*Category: Cybersecurity* + +*Enabled by Default* + + **Ghost Networks** ~~~~~~~~~~~~~~~~~~~~~~ @@ -18,30 +47,20 @@ The alert is sent when the unknown network is discovered. *Enabled by Default* -**Idle Hash Table Entries Alert** +**Idle Hash Table Entries** ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Checks for Idle Entries. +Trigger an alert when the percentage of idle entries in the hash table over the total number of entries exceeds the threshold. - - - -**Interface Alerts Drops** -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Checks for dropped alerts. - -The alerts could be dropped when too many are queued/generated. - -The alert is sent when the system drops the alert. - -*Category: Cybersecurity* +*Category: Internals* *Enabled by Default* -**No activity on interface** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +**No Traffic Activity** +~~~~~~~~~~~~~~~~~~~~~~~ Checks for activities on the interface. 
@@ -53,6 +72,19 @@ The alert is sent when no activity on the interface is noticed. *Enabled by Default* +**Packet Drops** +~~~~~~~~~~~~~~~~ + +Checks for dropped packets. + +The packets could be dropped when too many are analyzed. + +The alert is sent when the system drops packets. + +*Category: Internals* + +*Enabled by Default* + **Periodic Activity Not Executed** ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -84,7 +116,7 @@ Alert is sent when periodic activity is taking too long to execute. *Enabled by Default* -**Throughput Alert** +**Throughput** ~~~~~~~~~~~~~~~~~~~~ Checks for throughput rate. @@ -112,7 +144,6 @@ Alert is sent when unusual app behaviour is detected. *Enabled by Default* - **Unexpected ASN Behaviour** ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Checks for ASN Behaviour. 
@@ -126,49 +157,6 @@ The alert is sent when unexpected behaviour is seen in ASN. *Not Enabled by Default* -**Unexpected Network Behaviour** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Checks for Unexpected Behaviour. - -Network behavior anomaly detection is focused on networks for abnormal behavior in order to detect threats or flaws. - -Alert is triggered when unexpected behaviour comes from the specific network. - -*Category: Cybersecurity* - -*Not Enabled by Default* - - -**DHCP Storm** -~~~~~~~~~~~~~~ - -Checks for DHCP flooding. - -DHCP storm occurs when DHCP router gets too many packets requests in a minute - by blocking totally the router functioning. - -The alert is triggered when DHCP storm is detected. - -*Category: Cybersecurity* - -*Enabled by Default* - - -**DHCP Starvation** -~~~~~~~~~~~~~~~~~~~ - -Checks for DHCP starvation. - - -DHCP starvation attacks and DHCP spoofing. In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses.The “starved” DHCP server will not respond to new DHCP requests until a new address becomes available. - - -Ntopng sends an alert in case DHCP starvation occurs. - -*Category: Cybersecurity* - -*Enabled by Default* - - **Unexpected Device Connected/Disconnected** ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Check for MAC addresses. 
@@ -182,3 +170,42 @@ By jumping there, users are able to configure denied/allowed MAC addresses (unex *License: Pro* *Disabled by Default* + + +**Unexpected Network Behaviour** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Checks for Unexpected Behaviour. + +Network behavior anomaly detection is focused on networks for abnormal behavior in order to detect threats or flaws. + +Alert is triggered when unexpected behaviour comes from the specific network. + +*Category: Cybersecurity* + +*Not Enabled by Default* + + +**Unexpected Score Behaviour** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Checks for Unexpected Behaviour. + +Score behavior anomaly detection is focused on score for abnormal behavior in order to detect threats or flaws. + +Alert is triggered when unexpected behaviour comes from the interface. + +*Category: Cybersecurity* + +*Not Enabled by Default* + + +**Unexpected Traffic Behaviour** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Checks for Unexpected Behaviour. + +Traffic behavior anomaly detection is focused on the interface for abnormal behavior in order to detect threats or flaws. + +Alert is triggered when unexpected behaviour comes from the interface. + +*Category: Cybersecurity* + +*Not Enabled by Default* diff --git a/doc/src/alerts/local_network_checks.rst b/doc/src/alerts/local_network_checks.rst index fac96f8b9c..15f204de63 100644 --- a/doc/src/alerts/local_network_checks.rst +++ b/doc/src/alerts/local_network_checks.rst @@ -6,7 +6,7 @@ These checks are performed on local networks (see -m command line option). ____________________ **Broadcast Domain Too Large** -~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Checks broadcast domains. @@ -21,8 +21,8 @@ The Alert is sent when the broadcast domain is too large. -**Egress Traffic Alert** -~~~~~~~~~~~~~~~~~~~~~~~~ +**Egress Traffic** +~~~~~~~~~~~~~~~~~~ Checks for Egress Traffic Bytes exceed. 
@@ -36,8 +36,8 @@ The alert is sent when the egress traffic bytes exceeds. -**Flow Flood Victim Alert** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +**Flow Flood Victim** +~~~~~~~~~~~~~~~~~~~~~ Checks for Flow Flood. @@ -52,7 +52,7 @@ The alert is sent in case of server flow flood. **High Network Score** -~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~ Checks for High Network Score. @@ -66,8 +66,8 @@ The alert is sent when the high network score is detected. *Not Enabled by Default* -**Ingress Traffic Alert** -~~~~~~~~~~~~~~~~~~~~~~~~~ +**Ingress Traffic** +~~~~~~~~~~~~~~~~~~~ Checks for Ingress Traffic. @@ -80,12 +80,36 @@ The alert is sent when the ingress bytes exceed the threshold. *Not Enabled by Default* -**Inner Traffic Alert** -~~~~~~~~~~~~~~~~~~~~~~~ +**Inner Traffic** +~~~~~~~~~~~~~~~~~ + +Checks for Inner Traffic. + +Inner traffic is a network traffic originated from internal networks and destined for other internal networks. When the Inner Bytes delta exceeds the threshold the system detects the change. + +The alert is sent when the inner bytes exceed the threshold. + +*Category: Network* + +*Not Enabled by Default* -**Network Discovery Detected** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +**IP/MAC Reassoc/Spoofing** +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Checks for IP or MAC Reassociation/Spoofing. + +This alert might indicate an ARP spoof attempt. + +The alert is sent when an IP address, previously seen with a MAC address, is now seen with another MAC address. Only works for the builtin alert recipient. + +*Category: Network* + +*Not Enabled by Default* + + +**Network Discovery** +~~~~~~~~~~~~~~~~~~~~~ Checks for Network Discovery. 
@@ -98,8 +122,36 @@ The alert is sent when a network discovery is detected. *Enabled by Default* -**SYN Flood Victim Alert** -~~~~~~~~~~~~~~~~~~~~~~~~~~ +**Network Issues** +~~~~~~~~~~~~~~~~~~~~~ + +Checks for Network Discovery. + +Network issues, like packets loss, could identify an issue in the network. + +The alert is sent when network issues (retransmissions, high number of fragments and packet loss) are identified. + +*Category: Network* + +*Enabled by Default* + + +**Network Score per Host** +~~~~~~~~~~~~~~~~~~~~~ + +Checks for the score of the hosts in a network. + +An high score (as average per host) on many hosts of a network could mean a possible issue with the network itself. + +The alert is sent when the average score per host of a network is higher then a threshold. + +*Category: Network* + +*Enabled by Default* + + +**SYN Flood Victim** +~~~~~~~~~~~~~~~~~~~~ Checks for SYN Flood. @@ -112,8 +164,8 @@ The alert is sent when the number of received SYN exceeds the threshold. *Not Enabled by Default* -**SYN Scan Victim Alert** -~~~~~~~~~~~~~~~~~~~~~~~~~ +**SYN Scan Victim** +~~~~~~~~~~~~~~~~~~~ Checks for SYN Scan. diff --git a/doc/src/alerts/snmp_checks.rst b/doc/src/alerts/snmp_checks.rst index 37fa9ffe58..55bcf21e93 100644 --- a/doc/src/alerts/snmp_checks.rst +++ b/doc/src/alerts/snmp_checks.rst @@ -6,7 +6,7 @@ These checks are executed after a periodic SNMP poll session, in order to detect ____________________ **Duplex Status Change** -~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~ Check for Duplex Status. 
@@ -22,10 +22,10 @@ The alert is sent when Duplex status is changed. *Enabled by Default* -**Interface Errors** -~~~~~~~~~~~~~~~~~~~~ +**High Interface Discards/Errors** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Checks for Interface Errors. +Checks for Interface Discards and Errors. An interface discard happens when the device has decided to discard a packet for some reasons. It could be a corrupt packet, the device is busy, buffer overflows, packet size issues, or other issues. @@ -36,8 +36,22 @@ The alert is sent when an interface error is seen. *Enabled by Default* -**Interface Load Threshold Alerts** -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +**Interface Errors Exceeded** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Checks for Interface Errors. + +An high rate of errors in comparison with packets could represent many issues on a device. + +The alert is sent when the errors counter of an interface exceed 5% of packets. + +*Category: SNMP* + +*Enabled by Default* + + +**Interface Load Threshold** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Checks if the threshold for port load is respected. @@ -67,6 +81,20 @@ Alert is sent when changes in the SNMP network topology are discovered. *Enabled by Default* +**MAC Detection** +~~~~~~~~~~~~~~~~~ + +Checks if a MAC has disappeared/appeared on an interface or device. + +To detect and locate possible unwanted MACs on a device/network. + +Alert is sent when a MAC address appear or disapper from an interface or device. + +*Category: SNMP* + +*Enabled by Default* + + **MAC Port Changed** ~~~~~~~~~~~~~~~~~~~~ 
@@ -74,7 +102,7 @@ Checks if a MAC has been moved between interfaces or devices. If a MAC address is continuously moved between the two interfaces, Layer 2 loops might occur. To detect and locate loops, you can view the MAC address move information. To display the MAC address move records after the device is started, use the display mac-address mac-move command. -Alert is sent when MAc address moved between interfaces. +Alert is sent when MAC address moved between interfaces. *Category: SNMP* @@ -82,7 +110,7 @@ Alert is sent when MAc address moved between interfaces. **Oper. Status Change** -~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~ Checks if the operational state of an interface has been changed. @@ -122,3 +150,43 @@ Alert is sent when a restart for an SNMP device has been seen. *Enabled by Default* + +**Threshold Crossed** +~~~~~~~~~~~~~~~~~~~~~ + +Checks for threshold configured in the SNMP Device Rules page. + +Alert is sent when a threshold from one of the devices configured is exceeded. + +*Category: SNMP* + +*Enabled by Default* + + +**Too Many MACs on Non-Trunk** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Checks the number of MACs on a Non-Trunk port. + +An higher number of MACs on a Non-Trunk port could possibly mean that an unwanted MAC connected to the port. + +Alert is sent when the number of MACs detected on a non-trunk port exceeds the configured threshold. + +*Category: SNMP* + +*Enabled by Default* + + +**Traffic Change Detected** +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Checks the traffic from an SNMP device. + +No more traffic from an SNMP device could mean that the device is down or some problem arose (likewise a device that abruptly starts sending traffic). + +Alert is sent when a device starts/stops sending traffic. + +*Category: SNMP* + +*Enabled by Default* + diff --git a/doc/src/alerts/syslog_checks.rst b/doc/src/alerts/syslog_checks.rst index ecef41cbec..6ce80ea905 100644 --- a/doc/src/alerts/syslog_checks.rst +++ b/doc/src/alerts/syslog_checks.rst 
@@ -1,14 +1,14 @@ .. _SyslogChecks target: -Syslog Checks -############# +Syslog Behavioural Checks +######################### Syslog checks are called whenever ntopng collects logs as described in :ref:`Syslog target`. They are not real checks but rather are triggered whenever a syslog event is received. Below you can find the various syslog families. ____________________ **Fortinet** -~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~ Collects syslog logs from Fortinet devices. This is mainly used to implement Identity Management, to track all connection/disconnection events logged by the Fortined VPN server and associate traffic to users. @@ -16,6 +16,7 @@ Enabled by Default - requires the Syslog Producer configuration for Logs Demulti *Category: Cybersecurity* + **Host Log** ~~~~~~~~~~~~~~~~~~~~~~ @@ -25,6 +26,7 @@ Enabled by Default - requires the Syslog Producer configuration for Logs Demulti *Category: Cybersecurity* + **Kerberos/NXLog** ~~~~~~~~~~~~~~~~~~~~~~ @@ -101,6 +103,7 @@ Enabled by Default - requires the Syslog Producer configuration for Logs Demulti *Category: Cybersecurity* + **OpenVPN** ~~~~~~~~~~~~~~~~~~~~~~ @@ -110,6 +113,7 @@ Enabled by Default - requires the Syslog Producer configuration for Logs Demulti *Category: Cybersecurity* + **OPNsense** ~~~~~~~~~~~~~~~~~~~~~~ @@ -119,6 +123,7 @@ Enabled by Default - requires the Syslog Producer configuration for Logs Demulti *Category: Cybersecurity* + **SonicWALL** ~~~~~~~~~~~~~~~~~~~~~~ @@ -128,6 +133,7 @@ Enabled by Default - requires the Syslog Producer configuration for Logs Demulti *Category: Cybersecurity* + **Sophos** ~~~~~~~~~~~~~~~~~~~~~~ @@ -137,6 +143,7 @@ Enabled by Default - requires the Syslog Producer configuration for Logs Demulti *Category: Cybersecurity* + **Suricata** ~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/src/alerts/system_checks.rst b/doc/src/alerts/system_checks.rst index 13cb5188ac..eceed2d36a 100644 --- a/doc/src/alerts/system_checks.rst +++ b/doc/src/alerts/system_checks.rst 
@@ -5,49 +5,9 @@ System checks are designed to spot ntopng problems and thus make sure the applic ____________________ -**Periodic Activity Not Executed** -~~~~~~~~~~~~~~~~~~~~~~ -Checks for periodic activity execution. -The system sends an alert when a periodic activity is queuing and is not getting executed. - -The alert is sent when the worker threads are busy. - -*Category: Internals* - -*Enabled by Default* - -____________________ - - -**Slow Periodic Activity** -~~~~~~~~~~~~~~~~~~~~~~ -Checks for slow periodic activity. - -A periodic activity is taking time to start the execution. - -The alert is sent to notify that a periodic activity takes too long. - -*Category: Internals* - -*Enabled by Default* - -____________________ - -**System Alerts Drops** -~~~~~~~~~~~~~~~~~~~~~~ -Checks for a system alerts drops. - -Too many alerts are generated in a short period of time, this may cause the system dropping the alerts. - -The alert is sent when there is no room in the internal alerts queue and the alerts are dropped. - -*Category: Internals* - -*Enabled by Default* - -**IDS Log** -~~~~~~~~~~~~~~~~~~~~~~ +**Intrusion Detection and Prevention Log** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Checks for Intrusion Detection and Prevention logs. Ntopng notifies when a host has been added or removed from the jailed hosts pool. 
@@ -58,8 +18,48 @@ The Alert is sent when unusual logged events are detected. *Not Enabled by Default* + +**Periodic Activity Not Executed** +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Checks for periodic activity execution. + +The system sends an alert when a periodic activity is queuing and is not getting executed. + +The alert is sent when the worker threads are busy. + +*Category: Internals* + +*Enabled by Default* + + +**Slow Periodic Activity** +~~~~~~~~~~~~~~~~~~~~~~~~~~ +Checks for slow periodic activity. + +A periodic activity is taking time to start the execution. + +The alert is sent to notify that a periodic activity takes too long. + +*Category: Internals* + +*Enabled by Default* + + +**System Alerts Drops** +~~~~~~~~~~~~~~~~~~~~~~~ +Checks for a system alerts drops. + +Too many alerts are generated in a short period of time, this may cause the system dropping the alerts. + +The alert is sent when there is no room in the internal alerts queue and the alerts are dropped. + +*Category: Internals* + +*Enabled by Default* + + **Vulnerability Scan Changes** -~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Checks for Vulnerability scans. Ntopng notifies when a host, previosly scanned, has changes both on the number of open ports and on the CVEs found.
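Review bot: in hunk `@@ -182,3 +170,42 @@` the three new sections (Unexpected Network Behaviour, Unexpected Score Behaviour, Unexpected Traffic Behaviour) carry no `*License: ...*` line, while the section just above them ends with `*License: Pro*`; since this patch exists to document license availability, each new section should state its license in the same format. The sections also mix spellings ("Behaviour" in the headings, "behavior" in the body) and repeat themselves ("Checks for Unexpected Behaviour." followed by "... anomaly detection is focused on ... for abnormal behavior"); one spelling and one descriptive sentence per section would read better.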
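Review bot: in hunk `@@ -80,12 +80,36 @@` the sentence "Only works for the builtin alert recipient." in the IP/MAC Reassoc/Spoofing section is ambiguous; say explicitly whether the alert is only delivered to the built-in recipient and cannot be routed to other configured endpoints. Minor grammar in the same hunk: "Inner traffic is a network traffic originated from" should read "Inner traffic is network traffic originating from".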
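Review bot: in hunk `@@ -98,8 +122,36 @@` the new Network Issues section opens with "Checks for Network Discovery.", copied from the section above; it should read "Checks for Network Issues.". The underline under `**Network Score per Host**` is shorter than the title, which makes docutils emit a "Title underline too short" warning (a build failure under `sphinx-build -W`); extend it to at least the title width. Same hunk, grammar: "An high score" should be "A high score" and "higher then a threshold" should be "higher than a threshold".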
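Review bot: in hunk `@@ -22,10 +22,10 @@` the check is renamed to High Interface Discards/Errors and the description now covers discards, but the unchanged trailing context "The alert is sent when an interface error is seen." still mentions only errors; update it to "when interface discards or errors are seen". Also "for some reasons" should be "for some reason".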
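Review bot: in hunk `@@ -36,8 +36,22 @@` the new Interface Errors Exceeded section should say whether the 5% error ratio is computed per SNMP poll interval or over cumulative counters, since that changes how quickly the alert fires after a burst of errors. Grammar: "An high rate of errors" should be "A high rate of errors" and "exceed 5% of packets" should be "exceeds 5% of packets".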
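Review bot: in hunk `@@ -67,6 +81,20 @@` the MAC Detection section has a sentence fragment, "To detect and locate possible unwanted MACs on a device/network.", which should be a full sentence such as "This check helps detect and locate unwanted MACs on a device or network.", and "appear or disapper" should be "appears or disappears".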
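Review bot: in hunk `@@ -74,7 +102,7 @@` the fixed line still reads awkwardly; "Alert is sent when MAC address moved between interfaces." should be "The alert is sent when a MAC address moves between interfaces.". The surrounding context also cites a "display mac-address mac-move command" without saying which vendor CLI it belongs to; naming the platform, or dropping the sentence, would avoid confusing readers on other switches.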
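Review bot: in hunk `@@ -122,3 +150,43 @@` the Threshold Crossed section should read "Checks for thresholds configured in the SNMP Device Rules page.", and in Too Many MACs on Non-Trunk "An higher number of MACs ... could possibly mean that an unwanted MAC connected to the port" should be "A higher number of MACs ... could mean that an unwanted device is connected to the port". The final added `+` line leaves a trailing blank line at end of file; drop it.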
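Review bot: in hunk `@@ -1,14 +1,14 @@` of syslog_checks.rst the touched context still contains the typo "Fortined VPN server" (should be "Fortinet"); since the heading is being edited here anyway, fix it in the same change.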
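Review bot: in hunk `@@ -58,8 +18,48 @@` the re-added System Alerts Drops section keeps two wording problems worth fixing while moving it: "Checks for a system alerts drops." should be "Checks for system alert drops.", and "Too many alerts are generated in a short period of time, this may cause the system dropping the alerts." is a comma splice, better as "When too many alerts are generated in a short period of time, the system may drop alerts.". The trailing context also has "previosly" for "previously".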