
.. _TrafficRules:

Traffic Rules
=============

ntopng can trigger customizable alerts based on timeseries. This is useful to identify misbehaviours of devices, interfaces and other monitored entities.

.. note::

   This feature is available only with an Enterprise M license or higher.

.. figure:: ../../../img/traffic_rules.png
   :align: center
   :alt: Configured Traffic Rules

   Configured Traffic Rules

Here are some example rules:

  • The daily traffic of the ens160 network interface must not exceed 15 GB in total;
  • The daily traffic of 192.168.2.28 must not be less than 2 GB in total;
  • The NTP daily traffic of 192.168.1.1 must not exceed 2 GB in total;
  • The 1kxun traffic of 1.1.1.1, checked every 5 minutes, must not exceed by more than 15% the total traffic of the previous 5 minutes;
  • The traffic of 1.1.1.1, checked every 5 minutes, must not exceed 1 Mbps;

Whenever a condition is met, ntopng is going to trigger an alert.

.. note:: The page is accessible from Settings -> Traffic Rules

.. figure:: ../../../img/traffic_rules_entry.png
   :align: center
   :alt: Access Traffic Rules

   Access Traffic Rules

Available Rules
^^^^^^^^^^^^^^^

Rules can be set on any timeseries currently available in ntopng, and can be configured for:

  • Flow Exporters;
  • Host Pools;
  • Interfaces;
  • Local Hosts;
  • Networks;
  • Traffic Profiles;
  • VLANs;

Configure Rules
^^^^^^^^^^^^^^^

To add a new rule, click the '+' symbol above the table.

.. figure:: ../../../img/add_traffic_rule.png
   :align: center
   :alt: Add a Traffic Rule

   Add a Traffic Rule

At this point, fill in the fields with the correct information:

  • Target: the subject (Local Host, Interface, Subnet, ...) to be analyzed, or ``*`` to analyze every subject of that kind (e.g. All Local Hosts);
  • Metric: the metric to be analyzed (e.g. DNS -> the DNS traffic);
  • Frequency: how often the analysis runs (e.g. 5 Min -> analyzed every 5 minutes);
  • Threshold: the type of threshold (Volume, Throughput or Percentage), whether it is a lower bound or an upper bound, and the value that, when exceeded, triggers an alert;
  • Percentage Threshold: calculated between the last two frequency checks (e.g. <1% with frequency 5 Min -> if the difference between the previous check and the last 5-minute check is lower than 1%, an alert is triggered).

.. note:: The available metrics to be analyzed depend on the available timeseries; this means that if the Application Timeseries are not enabled from the preferences, it's not possible to configure/trigger a rule based on Applications

.. figure:: ../../../img/add_traffic_rule_modal.png
   :align: center
   :alt: Example of Traffic Rule, triggering an alert when BitTorrent traffic is seen

   Example of Traffic Rule, triggering an alert when BitTorrent traffic is seen

A new entry with the configured fields is then added to the table, and whenever the threshold is exceeded an alert is triggered.
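The following is an added worked example, not ntopng's own code, that shows how the rule fields described above (Target, Metric, Frequency, Threshold type and bound) combine to decide whether an alert fires. It models the three threshold types on a constructed 5-minute timeseries, including the daily rules from the examples at the top of the page. The ``Rule`` and ``Sample`` structures, the sample data, the decimal-GB units and the exact percentage formula (signed change relative to the previous check) are assumptions made for this illustration.

```python
"""Added illustration of traffic-rule evaluation semantics (not ntopng code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    ts: datetime       # end of the 5-minute bucket (assumed bucket size)
    entity: str        # e.g. "192.168.1.1" or "ens160"
    metric: str        # e.g. "traffic", "ntp", "dns"
    byte_count: int    # bytes seen in the bucket


@dataclass(frozen=True)
class Rule:
    target: str        # entity name, or "*" for every entity of that kind
    metric: str
    frequency: str     # "5min" or "daily"
    kind: str          # "volume" (bytes), "throughput" (bit/s) or "percentage"
    bound: str         # "upper": alert when value > threshold; "lower": when value < threshold
    threshold: float


BUCKET_SECONDS = 5 * 60  # assumed 5-minute sampling interval


def matches(rule: Rule, sample: Sample) -> bool:
    return rule.metric == sample.metric and rule.target in ("*", sample.entity)


def exceeds(rule: Rule, value: float) -> bool:
    """Lower-bound rules fire when the value drops below the threshold, upper-bound rules when it rises above it."""
    return value < rule.threshold if rule.bound == "lower" else value > rule.threshold


def pct_change(previous: float, current: float) -> Optional[float]:
    """Assumed formula: signed percentage change relative to the previous check; undefined when previous is 0."""
    if previous == 0:
        return None
    return (current - previous) / previous * 100.0


def evaluate(rule: Rule, samples: List[Sample]) -> List[Tuple[str, object, float]]:
    """Return (entity, period, observed_value) for every period in which the rule fires."""
    alerts: List[Tuple[str, object, float]] = []
    relevant = sorted((s for s in samples if matches(rule, s)), key=lambda s: (s.entity, s.ts))
    for entity in sorted({s.entity for s in relevant}):
        series = [s for s in relevant if s.entity == entity]
        if rule.frequency == "daily":
            # Daily rules consider the whole previous day: sum each day's buckets (volume only here).
            per_day: Dict[object, int] = {}
            for s in series:
                per_day[s.ts.date()] = per_day.get(s.ts.date(), 0) + s.byte_count
            for day, total in sorted(per_day.items()):
                if rule.kind == "volume" and exceeds(rule, total):
                    alerts.append((entity, day, float(total)))
            continue
        prev: Optional[Sample] = None
        for s in series:
            if rule.kind == "volume":
                value: Optional[float] = float(s.byte_count)
            elif rule.kind == "throughput":
                value = s.byte_count * 8 / BUCKET_SECONDS          # bytes per bucket -> bit/s
            else:  # percentage: compared with the previous frequency check
                value = None if prev is None else pct_change(prev.byte_count, s.byte_count)
            prev = s
            if value is not None and exceeds(rule, value):
                alerts.append((entity, s.ts, value))
    return alerts


def build_samples() -> List[Sample]:
    """Constructed demo timeseries (not real captures)."""
    t0 = datetime(2024, 5, 1, 0, 5)
    counts = [20_000, 21_000, 22_000, 40_000_000, 21_000, 21_100]  # one 5-minute spike on 1.1.1.1
    samples = [Sample(t0 + timedelta(minutes=5 * i), "1.1.1.1", "traffic", c) for i, c in enumerate(counts)]
    samples += [  # ens160: 16 GB on day 1, 10 GB on day 2
        Sample(datetime(2024, 5, 1, 12), "ens160", "traffic", 8_000_000_000),
        Sample(datetime(2024, 5, 1, 18), "ens160", "traffic", 8_000_000_000),
        Sample(datetime(2024, 5, 2, 12), "ens160", "traffic", 5_000_000_000),
        Sample(datetime(2024, 5, 2, 18), "ens160", "traffic", 5_000_000_000),
        # 192.168.2.28: 1 GB on day 1 (below the 2 GB lower bound), 3 GB on day 2
        Sample(datetime(2024, 5, 1, 9), "192.168.2.28", "traffic", 1_000_000_000),
        Sample(datetime(2024, 5, 2, 9), "192.168.2.28", "traffic", 3_000_000_000),
    ]
    return samples


RULES = {  # the example rules from the page, encoded with the assumed structure
    "daily_upper": Rule("ens160", "traffic", "daily", "volume", "upper", 15e9),          # 15 GB/day
    "daily_lower": Rule("192.168.2.28", "traffic", "daily", "volume", "lower", 2e9),     # 2 GB/day
    "throughput": Rule("1.1.1.1", "traffic", "5min", "throughput", "upper", 1_000_000),  # 1 Mbps
    "pct_upper": Rule("1.1.1.1", "traffic", "5min", "percentage", "upper", 15.0),       # +15 %
    "pct_lower": Rule("1.1.1.1", "traffic", "5min", "percentage", "lower", 1.0),        # <1 %
}


def run_demo() -> Dict[str, List[Tuple[str, object, float]]]:
    samples = build_samples()
    return {name: evaluate(rule, samples) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        for entity, period, value in alerts:
            print(f"{name}: {entity} {period} value={value:.2f}")
```

Running the script prints one line per fired rule and period: the 40 MB spike trips both the 1 Mbps throughput rule and the +15% rule, the two quiet buckets after it trip the <1% rule, and the daily rules fire for the day whose total crosses their bound.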

Edit/Delete Rules
^^^^^^^^^^^^^^^^^

It is also possible to edit or delete an existing rule.

To do so, click on the action button of the rule that needs changes and select the desired action:

  • :code:`Edit`: change an existing rule; the modal is the same as the one used to add a new rule, so refer to the section above;
  • :code:`Delete`: remove a rule; once removed, its alert is no longer triggered;

.. figure:: ../../../img/delete_traffic_rule.png
   :align: center
   :alt: Remove a Traffic Rule

   Remove a Traffic Rule

.. note::

   Traffic rules are evaluated according to the rule frequency specified. For instance, Daily rules are evaluated every midnight, considering the traffic of the previous day.