The hosts map shows on the x-axis hosts identified as servers with alerts and in the y-axis host identified as clients. This view gives a fast overview of hosts with alerts. Now rather than checking out the flow warnings or errors, I navigate to the “Host Map” from the Maps menu and select “Alerted Flows” in the dropdown filter menu. Once logged in, you will see the interface overview, showing that the selected interface is a pcap dumb and the name of the pcap file:Ī quick look at the traffic summary icons reveal lots of work ahead, and many problems are being identified: or Ntopng will prompt for username and password and you will have to select a new admin password. Sudo ntopng -i -Qakbot-with-Cobalt-Strike-and-spambot-activity.pcap To start ntopng sudo is needed, followed by the -i for interface or pcap file: Ntopng per default is built for continuous network monitoring, but directing the interface to a pcap, it can read and process it. įor the analysis I setup a virtual machine with Ubuntu Server 20.04 LTS and installed the current ntopng nightly build, using the community license.
NTOPNG SUSPICIOUS ACTIVITY HOW TO
Further I used a tutorial how to examine Qakbot infections with Wireshark from Unit42.Cobalt Strike, a commercial penetration testing tool, unfortunately pirated versions of Cobalt Strike have been leaked.I decided to take a Qakbot infection with spambot activity. The website malware traffic analysis is a great source for malware captured in network traffic. I am using ntopng for network monitoring quite some time now and I was curios to see, what ntopng would alert when detecting malware. In this post Martin shows how he has used ntopng to detect Qakbot trojan.
0 kommentar(er)
