How To: Integrate Suricata Events and Ntopng

What is Ntopng?

Ntopng is a network traffic probe that provides 360° network visibility by gathering traffic information from traffic mirrors, NetFlow exporters, SNMP devices, firewall logs and intrusion detection systems.

Ntopng is able to:

  • Passively monitor traffic by capturing network packets
  • Collect network flows (NetFlow, sFlow and IPFIX)
  • Actively monitor selected network devices
  • Monitor a network infrastructure via SNMP

The main difference between ntopng and a plain traffic collector is that ntopng not only reports traffic statistics but also analyzes the traffic, draws conclusions about the observed traffic types and reports cybersecurity metrics.

Installing Ntopng

You can install ntopng on plenty of platforms including:

  • Linux
  • MacOS
  • Windows
  • FreeBSD
  • OPNsense
  • pfSense

Check out the documentation for the platform of your choice! The source code can be found in the official ntop/ntopng GitHub repository, and binaries are installable via the apt/yum package managers.

Ntopng Suricata Integration

Ntopng integrates with Suricata to import both flow metadata (Suricata acts as a sensor) and alerts. Alert ingestion lets ntopng complement its built-in traffic analysis engine with the flexible signature-based threat detection capabilities provided by Suricata.

ntopng implements flow and alert ingestion from Suricata using the Eve JSON format delivered over syslog.

Here is a link to the Ntop Documentation on configuring the Suricata integration.

Configuring Ntopng Suricata Integration

In our lab environment we are running Suricata on the same host that ntopng is running but it is possible to have external Suricata sensors feed logs to your ntopng installation.

After installing Ntopng navigate to /etc/ntopng

Make sure to make a copy of the default config in case you need to revert your changes.

Configure Syslog

Per the Ntop documentation you will need to create a syslog interface in your ntopng.conf. I placed this underneath the interface description in ntopng.conf. You should also specify which interfaces you want ntopng to monitor.

In our instance eth0 is the management interface and eth1 is the monitoring port. It’s important to keep these segregated; otherwise you will see traffic to the web UI/SSH console in the dashboard, which causes unnecessary noise.

When you’re finished with the conf file changes don’t forget to restart the ntopng service! Here is an example of how you can restart the service on a Debian-based host.

Once the ntop service restarts you will see your syslog interface on the web interface in the interfaces dropdown.


Install Suricata

Follow the instructions as part of the official Suricata documentation or use apt/yum.

On Debian-based systems you can use systemctl to verify that Suricata is up and running:

systemctl status suricata.service

Configure Suricata Event Syslog

Once Suricata has been installed, we can set up forwarding of Eve (Extensible Event Format) event logs to ntopng via syslog.

Navigate to /etc/suricata and create a backup copy of the Suricata config.

Open suricata.yaml in a text-editor and navigate to the eve-log section.

  1. Change the filetype to syslog
  2. Take note of the facility, as it will be needed for your rsyslog configuration. You can change it to anything you like, but the default is fine.

Configure Rsyslog

Now that Suricata is ready to send events via syslog we just have to configure the host’s rsyslog config to actually send the events.

Navigate to /etc and create a backup of your current rsyslog configuration.

Open /etc/rsyslog.conf and add the following lines; you can choose any port you’d like as long as it matches what you put in your ntopng.conf. The facility value is taken from the eve-log section in /etc/suricata/suricata.yaml (see the screenshot above for an example).

# send to ntop
<facility>.* @@<management IP address>:<port>

Here’s what our example config looks like.
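The three fragments configured above (the eve-log section of suricata.yaml, the rsyslog forwarding rule, and the syslog interface in ntopng.conf) only work when the facility and the host:port agree end to end; a mismatch in any one of them means alerts simply never appear in ntopng. The following POSIX shell script is an added example and is not part of the original post nor ntop's or Suricata's own tooling. It extracts the values from constructed sample fragments and checks that chain. It assumes the ntopng.conf syslog interface is written as -i=syslog://<ip>:<port> (check the ntop documentation for the exact syntax of your version); facility local5, management IP 127.0.0.1 and port 9999 are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the post, ntop or Suricata): cross-check that the
# facility and destination agree across suricata.yaml, rsyslog and ntopng.conf.
# Assumed ntopng.conf syntax for the syslog interface: -i=syslog://<ip>:<port>
# After editing the real files, restart the chain, e.g. on Debian:
#   sudo systemctl restart suricata rsyslog ntopng

# Read a suricata.yaml fragment on stdin. Print the eve-log facility and
# return 0 only when the eve-log filetype is "syslog"; return 1 otherwise.
eve_syslog_facility() {
    awk '
        /^ *- *eve-log:/            { in_eve = 1; next }
        in_eve && /^  - /           { in_eve = 0 }   # next output section starts
        in_eve && $1 == "filetype:" { ft = $2 }      # trailing "#..." comment ignored
        in_eve && $1 == "facility:" { fac = $2 }
        END {
            if (ft == "syslog" && fac != "") { print fac; exit 0 }
            exit 1
        }
    '
}

# Print the rsyslog forwarding rule from the how-to: <facility>.* @@<ip>:<port>
# "@@" selects TCP; a single "@" would be UDP and the ntopng side must then match.
rsyslog_forward_rule() {
    printf '%s.* @@%s:%s\n' "$1" "$2" "$3"
}

# Read an ntopng.conf fragment on stdin and print the <ip>:<port> of its
# syslog interface (assumed "-i=syslog://<ip>:<port>" syntax), or nothing.
ntopng_syslog_endpoint() {
    sed -n 's|^-i=syslog://||p' | head -n 1
}

# Return 0 when rsyslog rule $2 forwards facility $1 to endpoint $3 (host:port).
check_pipeline() {
    facility=$1; rule=$2; endpoint=$3
    rule_fac=${rule%%.*}       # text before ".*"
    rule_dst=${rule##*@}       # text after the last "@"
    [ "$rule_fac" = "$facility" ] && [ "$rule_dst" = "$endpoint" ]
}

# Constructed sample fragments standing in for the real files.
SURICATA_YAML='outputs:
  - fast:
      enabled: no
  - eve-log:
      enabled: yes
      filetype: syslog #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      identity: "suricata"
      facility: local5
      level: Info
      types:
        - alert:
            tagged-packets: yes
  - stats:
      enabled: yes'

NTOPNG_CONF='-i=eth1
-i=syslog://127.0.0.1:9999
-w=3000'

# Walk the chain once and report what should go into /etc/rsyslog.conf.
demo() {
    fac=$(printf '%s\n' "$SURICATA_YAML" | eve_syslog_facility) || {
        echo "eve-log filetype is not syslog; fix suricata.yaml first"; return 1; }
    dst=$(printf '%s\n' "$NTOPNG_CONF" | ntopng_syslog_endpoint)
    [ -n "$dst" ] || { echo "no syslog interface found in ntopng.conf"; return 1; }
    rule=$(rsyslog_forward_rule "$fac" "${dst%%:*}" "${dst##*:}")
    echo "rsyslog rule to add: $rule"
    check_pipeline "$fac" "$rule" "$dst" && echo "facility and destination agree end to end"
}

demo
```

Run it against your real files by replacing the sample variables with `cat /etc/suricata/suricata.yaml` and `cat /etc/ntopng/ntopng.conf`; if the facility check fails, the eve-log filetype is still `regular` and nothing is reaching syslog at all.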

Configure Suricata Rules

Now head back to /etc/suricata/suricata.yaml and find the rule-files section. While you can add as many rules and rule files as you want, they can put significant load on ntopng, so for this setup I found that manually copying rules into the default rule file was a good place to start.

*Note: Every time you make changes to rule files or the suricata.yaml file you will need to restart the Suricata process.

In /etc/suricata/rules you will see some default rules that Suricata provides, which are helpful for evaluating the health of various traffic types on your network. Feel free to copy some of these into the /etc/suricata/rules/suricata.rules file and see which alerts you get and find useful!

Bind Suricata Alerts to Traffic

Because we configured two interfaces we need to instruct ntopng to bind alerts to traffic. You can do that as follows:

  1. Go to Interfaces > (interface) > Settings and select Mirrored Traffic.
  2. On the same Settings page, select the syslog interface in the Companion Interface dropdown.
  3. Save.

Enable External Alerts In Behavioral Checks

The final step is to enable the Suricata and External Alert behavioural checks.

  1. Go to Interfaces > (interface) > Settings and select Behavioural Checks.
  2. Find External Alert and Suricata and make sure they are enabled.

Viewing Alerts

At this point, if your Suricata signatures are firing, you should see them under the Alerts tab alongside the other ntopng alerts!