Anyone using ntopng on Security Onion 2.4?

[branchnetconsulting]

I've been using ntopng for years on top of Security Onion versions as recent as 2.3, and now I'm trying to sort out how to get it set up on ISO-installed Security Onion 2.4 (Oracle Linux 9.5). Has anyone else had success with this? I'm having fits with its pfring requirement. The most promising guide I've encountered so far is:
https://www.linuxhelp.com/how-to-install-ntopng-on-oracle-linux-9-3
but secure boot seems to be blocking the insertion of the dkms generated pfring module.
If anyone else had already gone down this road and has any insight to offer, I'd sure appreciate it.

[InfosecGoon]

Would you mind expanding on your use case a little bit? What data are you trying to get from ntopng?

[TotieBash]

Unsupported but you already knew that... The easiest way is to use docker. I use the docker container and sideload it on my SO standalone. I use docker-compose and I have a systemctl service to automatically start it during boot.

my docker compose important lines:
command -i ens224 -w 0.0.0.0:3000 -Z /ntopng --disable login 1 -- dns-mode 3 -- redis 127.0.0.1:379:redis-password-here
network_mode: host

-i # I want ntopng to only see the monitor interface.
-w #This is old and unnecessary anymore... SO used to have Grafana that uses the same 3000 port. So I change mine to 3001.
-Z #This so you can get to ntopng using "https://so-ip-here/ntopng"
--disable login # I use SO login creds through nginx.
--dns-mode # I like to see IP addresses instead of dns resolved names.
--redis # You need this. SO has its own redis that is password protected. The docker container has its own redis which will conflict. You need to make sure if you go the systemctl startup service that the so-redis starts up first before you start this ntopng container.

so-redis password
cat /opt/so/conf/redis/etc/redis.conf | grep requirepass

my SO nginx reverseproxy to ntopng
At this point make sure you permit the firewall to allow TCP 3000 to come in. You should reach ntopng using http://so-ip-here:3000/ntopng

I do this extra step because I want https and I want to leverage so-nginx single-sign-on. You need to edit nginx.conf using the SO salt method... If you are not familiar with salt then you don't have to do this extra steps. But when completed successfully I can access using https://so-ip-here/ntopng... In addition, this method you don't have to tweak the firewall to permit TCP 3000 because it is using nginx port 443 to get in to ntopng...

here is partial config:
/opt/so/saltstack/local/salt/nginx/etc/nginx.conf
#copy from influxdb lines but change only proxy_pass
location /ntopng/ {
proxy_pass http://{{ GLOBALS.manager}}:3000/;
}

Docker Hub link to the container:
https://hub.docker.com/r/ntop/ntopng

happy configuring....

[branchnetconsulting]

Thanks, that is golden! I had pretty much concluded my only hope was going to be to go the Docker route, but I'm glad to hear that approach has actually worked for someone else. And thanks for the extra insight about how to get ntopng behind the existing so-nginx. I love the idea of reverse proxying like that to get the extra benefits you mentioned.

[TotieBash]

no problem, let me know if you come across obstacles and I will check my notes... Also, I didn't want to confuse you with my config but I also send ntopng metadata to a separate Elastic Search using -F es;ntopng;ntopng-%Y.%m.%d;http://localhost:9202/_bulk;". I use a separate no password ES because I couldn't get it to work with so-elastic which has password. I sideloaded the ntopng-es container. Also, I have sideloaded Grafana container to visualize these historical data..... The reason I have this is because the Zeek conn logs does not have OSPF and QOS DSCP marking metadata that I am interested in visualizing... These are NMS features and not really NSM requirements...

[branchnetconsulting]

Thanks to your guidance, my first pass at this is working like a charm. I have not tried the elegant nginx reverse proxying part yet, but have a working port 3000 listener with ntopng on it. I wrote a HOWTO guide about it here:
https://docs.google.com/document/d/1N0EHY_Ms2-q0VQt1V1pPu0QUiaFpr4d73DvXcEVrs2o

Thanks again for the boost!
Kevin Branch

[branchnetconsulting]

TotieBash, could I ask you how you set up your systemctl service file for the ntopng container? I'd like to build one to start at boot as well, but I'm not sure how to make sure it does not start until after the so-redis container is up and running.

[TotieBash]

Sorry late on the reply... Here's a screenshot: