Available AlertsΒΆ
ntopng alerts are evaluated with WebUIUserScripts. Checks are executed for hosts, interfaces, SNMP devices, and other network elements, and are configurable under Checks from the Settings left sidebar.
![Checks Configuration](../_images/alerts_checks_management.png)
Checks are desiged to verify specific conditions and when they are not met, trigger an alert. Below you can find the list of check families and available alerts
- Host Behavioural Checks
- Countries Contacts
- Dangerous Host
- DNS Flood
- DNS Server Contacts
- DNS Traffic
- Domain Name Contacts
- Flow Flood
- Flows Anomaly
- Host External Check (REST)
- Host User Check Script
- ICMP Flood
- NTP Server Contacts
- NTP Traffic
- P2P Traffic
- Packets Exceeded
- Score Anomaly
- SYN Flood Alert
- SYN Scan Alert
- Remote Connection
- Scan Detection Alert
- Score Threshold Exceeded
- Interface Behavioural Checks
- Alerts Drops
- DHCP Storm
- Ghost Networks
- Idle Hash Table Entries
- No Traffic Activity
- Packet Drops
- Periodic Activity Not Executed
- Slow Periodic Activity
- Throughput Exceeded
- Unexpected Application Behaviour
- Unexpected ASN Behaviour
- Unexpected Device Connected/Disconnected
- Unexpected Network Behaviour
- Unexpected Score Behaviour
- Unexpected Traffic Behaviour
- Local Networks Behavioural Checks
- SNMP Behavioural Checks
- Flow Behavioural Checks
- Anonymous Subscriber
- Binary Application Transfer
- Blacklisted Country
- Blacklisted Flow
- Broadcast Non-UDP Traffic
- Clear-Text Credentials
- Crawler/Bot
- Desktop/File Sharing
- DNS Data Exfiltration
- DNS Invalid Characters
- Elephant flow
- Error Code
- External Alert
- Flow User Check Script
- Fragmented DNS Message
- HTTP Obsolete Server
- HTTP Susp Content
- HTTP Susp Header
- HTTP Susp URL
- HTTP Susp User-Agent
- HTTP/TLS/QUIC Numeric Hostname/SNI
- ICMP Data Exfiltration
- IEC Invalid Command Transition
- IEC Invalid Transition
- IEC Unexpected TypeID
- Invalid DNS Query
- Known Proto on Non-Standard Port
- Large DNS Packet (512+ bytes)
- Lateral Movement Detection
- Long Lived
- Low Goodput
- Malformed packets
- Malicious JA3 Fingerp
- Malicious JA3 SHA1 Cert
- Minor Issues
- Missing SNI TLS Extn
- ModbusTCP Invalid Transition
- ModbusTCP Too Many Exceptions
- ModbusTCP Unexpected Function Code
- Not Purged
- Obsolete SSH Client Version or Cipher
- Obsolete SSH Server Version or Cipher
- Old TLS Version
- Periodic Flow
- Periodicity Changed
- Possible Exploit
- Possible RCE
- Possible SQL Inj
- Punicody IDN
- Rare Destination
- Remote Access
- Remote to Local Insecure Protocol
- Remote to Remote Flow
- Risky ASN
- Risky Domain
- SMB insecure
- Susp DGA Domain name
- Susp Entropy
- Susp Device Protocol
- Suspicious DNS traffic
- TCP connection Issues
- TCP connection refused
- TCP No Data Exchanged
- TCP Packets Issues
- TCP With No Answer
- TCP Zero Window
- TLS (probably) Not Carrying HTTPS
- TLS Cert About To Expire
- TLS Cert Expired
- TLS Cert Validity Too Long
- TLS Cert Issues
- TLS Cert Self-Signed
- TLS Fatal Alert
- TLS Susp ESNI Usage
- TLS Suspicious Extension
- TLS Uncommon ALPN
- TLS Unsafe Ciphers
- Unexpected DHCP
- Unexpected DNS
- Unexpected NTP
- Unexpected SMTP
- Unidirectional Flow
- Unsafe protocol
- VLAN Bidirectional Flow
- WEb Mining
- XSS Attack
- System Behavioural Checks
- Syslog Behavioural Checks
- Local Traffic Volume Rules