# ELLIO: Feed for ntopng

# Introduction

You can get visibility into your network traffic with ntopng. With ELLIO: Feed for ntopng, you can enrich ntopng with information about the threats that are hitting your network perimeter.

ntopng
https://www.ntop.org/products/traffic-analysis/ntop/

ELLIO: Feed for ntopng
https://ellio.tech/ntop-feed-trial

# Requirements

## ntopng

If you are on the dev branch of ntopng, you can use ELLIO: Feed out of the box - just insert your ELLIO: Feed link as shown in the Setup section.

If you are on the stable branch of ntopng, first add ELLIO: Feed using the instructions in the section "Adding ELLIO: Feed on stable build of ntopng" below, and then go to the Setup section.

A stable release of ntopng with ELLIO: Feed out of the box will be released in summer 2024.

## ELLIO: Feed

You will need ELLIO: Feed. Sign up for the ELLIO: Feed for ntopng trial - you will receive the link to your ELLIO: Feed by email after the sign-up.

# Setup

In the ntopng web interface, go to the Settings tab and then to the Blacklists section.

In the Blacklists section, click on the Status dropdown and select Disabled.

Now, find the ELLIO: Feed for ntopng and click on the action button on the left side of the row. Select Edit from the dropdown.

In the Edit Category List window, select the default Request link here... text in the URL field.

Paste the link to your ELLIO: Feed into the URL field, make sure the list is Enabled, and finally click on the Edit Category List button, which saves your changes.

Now, click on the Status dropdown and select Enabled.

You can now see the ELLIO: Feed for ntopng in the Blacklists section, with the status Enabled. Congratulations, you have successfully added ELLIO: Feed to your ntopng.

# Adding ELLIO: Feed on stable build of ntopng

Go to /usr/share/ntopng/httpdocs/misc/lists/custom and add the ellio_feed.list file with the following content:

```json
{"name":"ELLIO: Feed for ntopng","format":"ip","enabled":true,"update_interval":3600,"url":"$YOUR_ELLIO_FEED_URL","category":"malware"}
```

$YOUR_ELLIO_FEED_URL is the URL of your ELLIO: Feed. You should have received it by email after the sign-up. The file must be valid JSON: a missing quote or comma means ntopng will not load the list.

Once this part is done, go to the Setup section.
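The hand-typed JSON above is easy to get wrong (an unbalanced quote is enough for ntopng to ignore the list), so here is an added helper, not part of ELLIO's or ntop's own tooling, that generates `ellio_feed.list` with `json.dump`, writes it atomically, and checks the result before ntopng reads it. The directory and the keys come from this README; the URL check (absolute `https://`) and the placeholder URL used in the usage call are assumptions of this example.

```python
import json
import os
from urllib.parse import urlparse

# Directory ntopng scans for custom category lists (see the ntop docs linked below).
CUSTOM_LIST_DIR = "/usr/share/ntopng/httpdocs/misc/lists/custom"

# Keys ntopng expects in a custom list definition, as shown in this README.
REQUIRED_KEYS = ("name", "format", "enabled", "update_interval", "url", "category")


def is_valid_feed_url(feed_url):
    """Assumption: the feed link from the sign-up email is an absolute https:// URL."""
    parsed = urlparse(feed_url)
    return parsed.scheme == "https" and bool(parsed.netloc) and "$YOUR_ELLIO_FEED_URL" not in feed_url


def build_list_entry(feed_url, update_interval=3600):
    """Return the list definition for ELLIO: Feed as a dict, mirroring the README's JSON."""
    if not is_valid_feed_url(feed_url):
        raise ValueError("feed URL must be an absolute https:// URL with the placeholder replaced")
    if update_interval < 60:
        raise ValueError("update_interval is in seconds; refusing an implausibly small value")
    return {
        "name": "ELLIO: Feed for ntopng",
        "format": "ip",
        "enabled": True,
        "update_interval": update_interval,
        "url": feed_url,
        "category": "malware",
    }


def write_list_file(feed_url, list_dir=CUSTOM_LIST_DIR, filename="ellio_feed.list"):
    """Write the list file; json.dump guarantees balanced quotes and proper escaping."""
    entry = build_list_entry(feed_url)
    path = os.path.join(list_dir, filename)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(entry, fh)
        fh.write("\n")
    os.replace(tmp, path)  # atomic rename: ntopng never sees a half-written file
    return path


def validate_list_file(path):
    """Re-read the file the way ntopng will and check it against the expected layout."""
    with open(path, encoding="utf-8") as fh:
        entry = json.load(fh)
    missing = [k for k in REQUIRED_KEYS if k not in entry]
    if missing:
        raise ValueError("list file is missing keys: " + ", ".join(missing))
    if entry["format"] != "ip":
        raise ValueError("ELLIO: Feed is an IP list; format must be 'ip'")
    if not is_valid_feed_url(entry["url"]):
        raise ValueError("url field is not a usable feed URL")
    return entry


if __name__ == "__main__":
    import sys
    # Constructed placeholder; pass your real feed link as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://feed.example.invalid/ellio/placeholder"
    written = write_list_file(url, list_dir=".")
    print("wrote", written, validate_list_file(written))
```

Run it with your feed link as the first argument (and, on the ntopng host, with enough privileges to write into the custom list directory); by default it writes into the current directory so you can inspect the file first.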

Full documentation by ntop
https://www.ntop.org/guides/ntopng/advanced_features/category_lists.html#custom-blacklists

# Alerts

When ntopng triggers an alert for a flow based on the ELLIO: Feed, it means that an actor observed by ELLIO performing malicious activities such as opportunistic attacks, scans, mass exploitation or prey-and-spray attacks is trying to contact your network.

You can use that information to trigger an investigation, but it is advisable to use ELLIO: Feed to filter out the traffic from those malicious actors by integrating the ELLIO: Feed with your firewall, your router, or nProbe™ Cento in inline mode.

ELLIO: Feed is designed to be used for ingress traffic - that is, the traffic coming into your network. The only exception is when you see your own IP addresses in the ELLIO: Feed, which means your infrastructure or your customers are engaging in malicious activities; you can use that information to investigate and remediate the issue.

ntopng supports both scenarios.


To see the alerts from ELLIO: Feed in ntopng, go to the Alerts tab in the ntopng web interface and click on the Explorer button.

In the Explorer window, select the Flow tab.

In the Flow tab, click on the + button to add a new filter.

In the Add Filter window, open the Alert type dropdown and choose Blacklisted Server Contact to list alerts where the contacted host (the server side of the flow) is in ELLIO: Feed. Alternatively, choose Blacklisted Client Contact to list alerts where the client side of the flow is in ELLIO: Feed.
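To make the two alert types and the ingress-only guidance above concrete, here is an added example (not code from ELLIO or ntop) that reads a small "ip"-format list, classifies flows the way the two ntopng filters do, and flags feed entries that overlap your own address space. The feed lines, the flows and the owned network are constructed for the example; the only assumption about the real feed is that it is one IP address or CIDR per line with `#` comments, which is what the `"format":"ip"` setting implies.

```python
import ipaddress

# Constructed sample of an "ip"-format feed (not real ELLIO data): one address or CIDR per line.
SAMPLE_FEED = """\
# constructed sample, not feed data
203.0.113.7
198.51.100.0/24
192.0.2.44
"""

# Constructed flows as ntopng sees them: (client_ip, server_ip); the client initiated the flow.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10"),    # listed host probing one of our servers (ingress)
    ("192.0.2.10", "198.51.100.23"),  # one of our hosts reaching out to a listed range (egress)
    ("192.0.2.11", "192.0.2.12"),     # internal traffic, nothing listed
]

# Constructed: the address space we own, used for the "your own IP is in the feed" check.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_feed(text):
    """Parse an ip-format list into network objects; single IPs become /32 (or /128) networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_feed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify_flow(client_ip, server_ip, nets):
    """Return the ntopng alert type the flow would match, or None.

    Blacklisted Server Contact: the contacted host (server) is listed.
    Blacklisted Client Contact: the initiating host (client) is listed.
    """
    if in_feed(server_ip, nets):
        return "Blacklisted Server Contact"
    if in_feed(client_ip, nets):
        return "Blacklisted Client Contact"
    return None


def direction(client_ip, own_networks):
    """Ingress when the client is outside our space, egress when one of our hosts initiated."""
    addr = ipaddress.ip_address(client_ip)
    return "egress" if any(addr in own for own in own_networks) else "ingress"


def triage_flows(flows, nets, own_networks):
    """Return (client, server, alert_type, direction) for every flow that would alert."""
    out = []
    for client_ip, server_ip in flows:
        alert = classify_flow(client_ip, server_ip, nets)
        if alert is not None:
            out.append((client_ip, server_ip, alert, direction(client_ip, own_networks)))
    return out


def own_addresses_in_feed(nets, own_networks):
    """Feed entries overlapping our own networks: the exception the text tells you to investigate."""
    return [str(net) for net in nets if any(net.overlaps(own) for own in own_networks)]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for row in triage_flows(SAMPLE_FLOWS, feed, OWN_NETWORKS):
        print(row)
    print("own addresses listed:", own_addresses_in_feed(feed, OWN_NETWORKS))
```

The ingress flows are the ones the feed is built for; an egress hit (one of your hosts initiating a connection to a listed address) and any overlap between the feed and your own networks are the cases the text above says to investigate rather than simply block.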

# Getting Help

Join our Community Slack

If you need help with the best practices for alerting and investigation, threat hunting or ELLIO integration, please reach out to us at partners [at] ellio.tech or just set up a call with us here.