The ntopng alert function, like Cisco ACL settings with a whitelist
What would you like to add or change?: Add an alert function to ntopng that executes the user's own script when traffic not listed in a whitelist is detected, similar to a Cisco ACL.
Note: no need to support TCP; the environment has no TCP traffic. They want to check only ARP, ICMP and UDP traffic.
【Whitelist format】
~~~
PROTOCOL:SRC_ADDR:DST_ADDR:DST_PORT
~~~
Note: the DST_PORT is mandatory when the protocol in the whitelist is UDP.
【Whitelist examples】
Example Whitelist #1
~~~
#layer2
ARP:10.10.10.1:10.10.10.2
#layer3
ICMP:10.10.10.1:10.10.10.2
#layer4
UDP:10.10.10.1:10.10.10.2:123
~~~
If all of the above lines are set in the whitelist, it works like below:
- If any ARP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 is detected, trigger an alert (execute shell script).
- If any ICMP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 is detected, trigger an alert (execute shell script).
- If any UDP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 with port number udp/123 is detected, trigger an alert (execute shell script).
Example Whitelist #2
~~~
#layer2
#layer3
#layer4
UDP:10.10.10.1:10.10.10.2:123
~~~
- If any UDP traffic other than FROM: 10.10.10.1 TO: 10.10.10.2 with port number udp/123 is detected, trigger an alert (execute shell script).
- If any ARP traffic is detected, trigger an alert (execute shell script).
- If any ICMP traffic is detected, trigger an alert (execute shell script).
Note: no alert would be triggered if traffic using any protocol other than ICMP, UDP and ARP is detected.
Examples: no alert would be triggered if traffic with protocol number 132 (SCTP) is found; no alert would be triggered if traffic with protocol number 47 (GRE) is found.
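To make the requested semantics unambiguous, here is a reference matcher for the whitelist format and alert rules described above. This is an added example, not ntopng code or part of the original request; the whitelist strings are constructed from Example #1 and #2, and it assumes IPv4 addresses (the format splits fields on ':').

```python
# Added example (not ntopng code): reference matcher for the whitelist
# semantics in the request. IPv4 only, since entries are split on ':'.
from dataclasses import dataclass
from typing import Optional

CHECKED = {"ARP", "ICMP", "UDP"}   # other protocols (SCTP, GRE, ...) never alert

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None    # mandatory for UDP, absent otherwise

def parse_whitelist(text: str) -> list[Rule]:
    """Parse PROTOCOL:SRC_ADDR:DST_ADDR[:DST_PORT] lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        proto = parts[0].upper()
        if proto not in CHECKED:
            raise ValueError(f"line {lineno}: unsupported protocol {proto!r}")
        if proto == "UDP" and len(parts) == 4:
            rules.append(Rule(proto, parts[1], parts[2], int(parts[3])))
        elif proto != "UDP" and len(parts) == 3:
            rules.append(Rule(proto, parts[1], parts[2]))
        else:
            raise ValueError(f"line {lineno}: bad field count for {proto}")
    return rules

def should_alert(rules, proto, src, dst, dport=None) -> bool:
    """True when a checked-protocol flow matches no whitelist entry."""
    proto = proto.upper()
    if proto not in CHECKED:          # e.g. SCTP (132) or GRE (47): never alert
        return False
    return not any(
        r.proto == proto and r.src == src and r.dst == dst
        and (proto != "UDP" or r.dport == dport)
        for r in rules
    )

# Constructed whitelists mirroring Example #1 and Example #2 from the request.
WHITELIST_1 = "#layer2\nARP:10.10.10.1:10.10.10.2\n#layer3\nICMP:10.10.10.1:10.10.10.2\n#layer4\nUDP:10.10.10.1:10.10.10.2:123\n"
WHITELIST_2 = "#layer2\n#layer3\n#layer4\nUDP:10.10.10.1:10.10.10.2:123\n"

if __name__ == "__main__":
    rules = parse_whitelist(WHITELIST_1)
    print(should_alert(rules, "UDP", "10.10.10.1", "10.10.10.2", 53))  # True
```

In a real hook, a `True` result is where the user's shell script would be executed.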
Why do you and others need this?: Our client requested it.