diff options
Diffstat (limited to 'system/ntopng/README')
-rw-r--r-- | system/ntopng/README | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/system/ntopng/README b/system/ntopng/README new file mode 100644 index 0000000000..90ce3d179d --- /dev/null +++ b/system/ntopng/README @@ -0,0 +1,99 @@ +ntopng is a network probe that shows network usage in a way similar to +what top does for processes. It acts as a Web +server, creating an HTML dump of the network status. + +It is a successor to ntop, which is discontinued. Main differences seem +to be: + +a. No terminal interface present. Only web. +b. No built-in flow collector, at least not for NetFlow or sFlow. + +When installing ntopng, pay attention to the following: + +1. UID/GID +ntopng needs to run under its own user/group. This has been assigned to +the following by SlackBuilds.org, but feel free to change it on your +system for consistency with local assignments. + User: ntopng UID: 212 GID: 212 + group: ntopng GID: 212 +You can change pass alternate values for the user and group using +NTOPUSER and NTOPGROUP variables when running the build script. + +The build script will suggest creating these groups if they are not +present. + +2. Log rotation. + +Logs are placed in /var/log/ntopng/ and will be rotated every week. The +log rotation will restart the ntopng server which will reset the ntopng +statistics. If you want to keep the statistics you have to edit or +delete the /etc/logrotate.d/ntopng file. + +3. Flow collection + +ntopng now uses a custom flow collection format, based on zeromq. To +convert a standard NetFlow or sFlow into this format, the developer +suggess bying their commercial tool called nProbe. + +However, there exists a free software flow collection (supporting only) +NetFlowV9, called netflow2ng. It is not available on SBo, but there is +an unfinished SlackBuild for it, which can be found on + +https://gitlab.com/Lockywolf/lwfslackbuilds/-/raw/master/\ +10_unfit-for-sbo-require-network/netflow2ng/\ +netflow2ng.SlackBuild?ref_type=heads + +4. Geoidentification and dynamic data + +ntopng depends on some dynamic data in order to display relevant +information about the flows. + +a. Geographical distribution of IP addresses. ntopng can use both + maxmind, and db-ip information, both free-low-quality, and + paid-high-quality. Maxmind data can be updated by running + geoipupdate from cron on a weekly basis. These data are usually + installed globally, into /var/lib/GeoIP/. For more information, + consult doc/README.geolocation.md, and keep in mind that ntopng-data + does not exist on Slackware, but geoipupdate does. +b. Various lists: +'Abuse.ch URLhaus' [https://urlhaus.abuse.ch/downloads/hostfile/] +'Emerging Threats' [https://rules.emergingthreats.net/fwrules/\ +emerging-Block-IPs.txt] +'NoCoin Filter List' [https://raw.githubusercontent.com/hoshsadiq/\ +adblock-nocoin-list/master/hosts.txt] +'SSLBL Botnet C2 IP Blacklist' [https://sslbl.abuse.ch/blacklist/\ +sslipblacklist.txt] +'Stratosphere Lab' [https://mcfp.felk.cvut.cz/publicDatasets/\ +CTU-AIPP-BlackList/Todays-Blacklists/\ +AIP_historical_blacklist_prioritized_by_newest_attackers.csv] +'ThreatFox' [https://threatfox.abuse.ch/downloads/hostfile/] +'dshield 7 days' [https://raw.githubusercontent.com/firehol/\ +blocklist-ipsets/master/dshield_7d.netset] + Those lists are updated automatically by ntopng, periodically. + There is a configuration option to disable these updates. + + +5. nDPI + +ntopng depends on nDPI, a Deep Packet Inspection library. SBo has a +SlackBuild for nDPI, however, in recent versions ntopng prefers to use +its own version of nDPI, linked-in statically. If you find that the +built-in version deviates in features from the standalone one, you are +welcome to report this. + +6. redis + +ntopng requires redis. The version on SBo is enough, but it needs to +be running before ntopng can be started. + +7. ntopng crashes when started as a daemon. I am not sure why. The +initscript at the moment just starts it in the background and disowns. +ntopng also does not terminate on sigterm normally, hence the rc script +kill-9's it. If you have better ideas, submit a patch to the slackbuild. +Due to all this stupidities, rc.ntopng is a .new script, so it will not +be overwritten on upgrade. We really need a better version. + +8. ntopng goes insane when it sees "virtual ethernets" that are usually +created to communicate between network namespaces. Do not be surprised +if weird effect appear, and possibly remove those virtual ethernets +from the listening list. |