Custom Categories

As shown above, ntopng already assigns a default category to the known L7 protocols. Nevertheless, it’s also possible for the user to specify a list of additional hosts to be included into a particular category. ntopng provides 5 empty “custom categories” dedicated to this task, but users are also free to modify the other categories.

The custom category hosts can be specified via some host-based rules. The host-based rules will be used to perform substring matching on some of the flow information:

  • Client/Server IP

  • DNS query

  • Host SNI

  • HTTP Host

If a match is found, the flow category will be set to the corresponding matching category. These rules can be configured from the Categories tab.

By clicking “Edit Rules” it’s possible to define some rules to match hosts and associate them to the category.

Edit Category Hosts

The picture above shows some custom hosts defined for the Advertisement category. For example, the .ads. host rule will match any host containing .ads. . It is important to play with the dots to avoid excessive matching (e.g. a simple ads rule would also match mads.com).

Note: host matching based on IP addresses is currently limited to IPv4 flows.

ntopng also supports external lists to define custom categories, loaded from text file (local) or online services (e.g. emergingthreats for the Malware category). Since lists are also used to raise alerts (e.g. for hosts in the Malware or Mining category), you may need to add exceptions to those lists, whitelisting selected hosts. This is possible adding an host to the list, prepending “!” to the IP/hostname (e.g. !1.2.3.4).