head	1.2;
access;
symbols
	pkgsrc-2021Q2:1.1.0.10
	pkgsrc-2021Q2-base:1.1
	pkgsrc-2021Q1:1.1.0.8
	pkgsrc-2021Q1-base:1.1
	pkgsrc-2020Q4:1.1.0.6
	pkgsrc-2020Q4-base:1.1
	pkgsrc-2020Q3:1.1.0.4
	pkgsrc-2020Q3-base:1.1
	pkgsrc-2020Q2:1.1.0.2
	pkgsrc-2020Q2-base:1.1;
locks; strict;
comment	@// @;


1.2
date	2021.06.23.19.34.15;	author adam;	state dead;
branches;
next	1.1;
commitid	Uyw9FAsxRq1baiYC;

1.1
date	2020.05.25.20.26.51;	author adam;	state Exp;
branches;
next	;
commitid	oGJaGtLkQ2ir7F9C;


desc
@@


1.2
log
@ntopng: updated to 4.2

4.2 Stable

Breakthroughs

Flexible Alert Handling
Added recipients and endpoints to send alerts to different recipients on different channels, including email, Discord, Slack and Elasticsearch
Initial SCADA protocol support
Many internal components of ntopng have been rewritten in order to improve the overall ntopng performance, reduce system load, and process more data while reducing memory usage with respect to 4.0.
Cybersecurity extensions have been greatly enhanced by leveraging the latest nDPI enhancements that enabled the creation of several user scripts able to supervise many security aspects of modern systems.
Behavioral traffic analysis and lateral traffic movement detection for finding cybersecurity threats in traffic noise.
Initial SCADA support with native IEC 60870-5-104 support. We acknowledge switch.ch for having supported this development.
Consolidation of Suricata and external alerts integration to further open ntopng to the integration of commercial security devices.
SNMP support has been enhanced in terms of speed, SNMPv3 protocol support, and variety of supported devices.
New REST API that enabled the integration of ntopng with third party applications such as CheckMK.

New features

Traffic Behavioral Analysis
Periodic Traffic
Lateral Movements
TLS with self-signed certificates, issuerDN, subjectDN
Support for Industrial IoT and SCADA with Modbus, DNP3 and IEC 60870
Support for attack mitigation via SNMP
Active monitoring
Support for ICMP v4/v6, HTTP, HTTPS and Speedtest
Ability to generate alerts upon unreachable or slow hosts or services
Detection of unexpected servers
DHCP, NTP, SMTP, DNS
Services map
nIndex direct to maximize flows dump performance
macOS package

Improvements

Implements per-category indicator of compromise score
Flexible configuration import/export/reset
Ability to import/export/reset all the ntopng configurations or parts of it
Increased nIndex dump throughput by a factor 10
Increased user scripts execution throughput
Massive cleanup/simplifications of plugins to ease community contributions
Improved cardinality estimation (e.g., number of contacted hosts, number of contacted ports) using Hyper-Log-Log
Added DSCP information
Reworked handling of dissected virtual hosts to improve speed and reduce memory

nEdge

Support for hardware bypass

Fixes

Fixed race conditions in view interfaces
Fixed crash when restoring serialized hosts in memory
Fixed conditions causing high CPU load
Fixes CSRF vulnerabilities when POSTing JSON
Fixes heap-use-after-free on HTTP dissected last_url
@
text
@$NetBSD: patch-src_Flow.cpp,v 1.1 2020/05/25 20:26:51 adam Exp $

Match NDPI 3.2 interface.

--- src/Flow.cpp.orig	2020-05-25 09:50:19.000000000 +0000
+++ src/Flow.cpp
@@@@ -3512,7 +3512,7 @@@@ void Flow::dissectNetBIOS(u_int8_t *payl
 
   if(((payload[2] & 0x80) /* NetBIOS Response */ || ((payload[2] & 0x78) == 0x28 /* NetBIOS Registration */))
      && (payload_len >= 12)
-     && (ndpi_netbios_name_interpret((char*)&payload[12], payload_len - 12, name, sizeof(name)) > 0)
+     && (ndpi_netbios_name_interpret((char*)&payload[12], name, sizeof(name)) > 0)
      && (!strstr(name, "__MSBROWSE__"))
      ) {
 
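Review bot: with the third argument gone, the payload_len - 12 bound that the old call passed to ndpi_netbios_name_interpret is no longer communicated to the decoder, and the only remaining length guard in this hunk is "payload_len >= 12", which admits a payload that ends exactly at offset 12 and then hands &payload[12] to a function that has no way to know how many bytes follow it. To keep the guard meaningful with the 3-argument nDPI 3.2 API, tighten the precondition to cover what the decoder actually reads, e.g. "&& (payload_len >= 12 + 34)" for a first-level encoded NetBIOS name (length octet, 32 encoded characters, terminator), or confirm that the 3.2 decoder stops at a terminator that is guaranteed to lie inside the packet buffer. A short comment on the + line saying that the bound was dropped to match the library, and where it is now enforced, would save the next reader the same question.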
@


1.1
log
@ntopng: updated to 4.0

ntopng 4.0:

Breakthroughs

* Plugins engine to tap into flows, hosts and other network elements
* Migration to Bootstrap 4 and Font Awesome 5 for a renewed ntopng look-and-feel with light and dark themes
* Processes and containers monitoring thanks to the eBPF integration via libebpfflow https://github.com/ntop/libebpfflow
* Active monitoring of hosts ICMP/ICMPv6/HTTP/HTTPS Round Trip Times (RTT)

New features
* X.509 client certificate authentication
* ERSPAN transparent ethernet bridging
* Webhook export module for exporting alarms
* Identification of the hosts in the broadcast domain
* Category Lists editor to manage ip/domain lists
* Handling of PEN fields from nProbe
* Added anomalous flows to the looking glass
* Visibility of ICMP port-unreachable flows IPv4
* TCP states filtering (est., connecting, closed and rst)
* Ability to serialize local hosts in the broadcast domain via MAC address
* Japanese, Portuguese/Brazilian localization
* Added process memory, cpu load, InfluxDB, Redis status pages and charts
* Implement ntopng Plugins, self contained modules to extend the ntopng functionalities
* Implement ZMQ/Suricata companion interface
* SSL traffic analysis and alerts via JA3 fingerprint, unsafe ciphers detection
* SSH traffic analysis and alerts via HASSH fingerprint
* Host traffic profile generation via the (MUD) Manufacturer Usage Descriptor
* Experimental Prometheus timeseries export
* Introduce the System interface to manage system wide settings and status
* Read events from Suricata and generate alerts
* SNMP network topology visualization
* Automatic ntopng update check and upgrade
* Calculate host anomaly score and trigger alerts when it exceeds a threshold
* Add ability to extract timeseries data with a click
* Initial Marketplace droplet using Fabric
* Alerts on duplex status change on SNMP interface

Improvements
* View interfaces are now optimized for big networks and use less memory
* Systemd macros are now used to start/restart the ntopng services
* Handles n2disk traffic extractions from recording processes not managed by ntopng
* Interface in/out now available also for non-PF_RING interfaces (read from /proc)
* Automatic InfluxDB rollup support
* MDNS discovery improvements
* Rework of the alerts engine and api for efficient engaged alerts triggering
* Faster ZMQ communication to nProbe thanks to the implementation of a binary TLV format
* Stats update for ZMQ interfaces is now based on the idle/active flows timeout
* Timeseries export improvements via queues, detect if InfluxDB is down and stop the export
* Implemented reusable Lua engine to reduce the overhead of periodic scripts
* Improve Lua error handling
* Exclude certain categories from Elephant/Long lived flows alerts

nEdge
* Ability to set up port forwarding
* Support for Ubuntu 18.04
* Fix users and other prefs deleted during nEdge data reset
* Japanese localization
* Block unsupported L3 protocols (currently only ARP and IPv4 are supported)
* DNS mapping port to avoid conflicts with system programs

Fixes
* Fixed export to mysql on shutdown in case of Pcap file in community mode
* Fixed failing SYN-scan detection
* Fixed ZMQ decompression errors with large templates
* Fixed possible XSS in login.lua referer param and `runtime.lua`
* Update geolocation due to changes in the library usage policy
* Fixes to support browsers dark mode
* Option `--zmq-encryption-key <pub key>` can be used with `-I <endpoint>` to encrypt data in hierarchical mode
* Fixed nIndex missing data while performing some queries and throughput calculation
@
text
@d1 1
a1 1
$NetBSD$
@

