NetMon
Cyber ops • live network intelligence
Ops console
SECURE_CHANNEL_8192
CLEARANCE LEVEL: TOP SECRET
Authorized personnel only. Unauthorized access attempts are monitored.
Database Center
Apply predefined schema upgrades and browse the operator databases.
Migrations are whitelisted by the backend. No arbitrary SQL is accepted.
DB Browser
Read-only browsing of NetMon, auth and traffic SQLite stores. No raw SQL.

        
DB Snapshot History
Server-side snapshots for the currently selected database/table. Click a snapshot to load it into the browser, or compare any two versions and keep the analysis alive beyond one browser session.

Audit Trail

Operator actions, defense events, service changes and automatic enforcement. Filter by IP, action or path prefix.
Time | Role | Action | Path | Status | Client IP | Details

Cases

Persistent case management per IP with owner, severity, tags, notes and workflow status.
No cases selected.
No case query yet.
SLA worker pending
IP | Status | Severity | Priority | Owner | Assigned | Due | Updated
Case detail
Select a case or search for an IP.
Case comments
No comments loaded.
No case selected.

Draco Copilot

Workspace-aware Draco control surface for triage, IOC reasoning, case handoff and posture briefing.
No session loaded.
Persona: Draco Prime.
Ready.
Draco operational dashboard

Network telemetry, detections and response state.

Live backend telemetry for traffic, flows, alerts, GeoIP enrichment, model state and defensive actions.

API on 127.0.0.1:8000
Reverse proxy via nginx
GeoIP lookup
Suricata feed
Model assets check
Detection
Inspection
Response
SOC Overview (last 5 min)
Now
Detection
Response
Hot items
Click an IP to open Incident.
Drill-down
Select a dashboard metric to inspect it here.
Overview snapshot history

Threat Posture

Threat posture pending.
Defense Command

Contain fast, keep the evidence cleaner than the attacker’s OPSEC.

Focus the operator on live HTTP abuse, active bans, network pressure and the allowlist blast radius.
Operator guidance: Allowlist only what you would trust during an outage at 03:00. Every defensive action should be traceable, reversible and boring to audit.
Page focus: Hot IPs, current posture and next action. Use the offender table to jump straight into incident, ban or allowlist.

Botnet / Scan / DDoS

Live HTTP scoring from nginx access logs with direct containment actions for top offenders.
IP | Score | Req | 4xx | Unique paths | Sensitive | Reasons | Action
Source: nginx access log via backend `/api/defense/http`. Thresholds tuneable via `NETMON_HTTP_*` env vars.

Allowlist

Trusted IPs bypass automatic containment. Keep the list small, named and reviewable.
IP | Reason | TTL | Created | Observed | Action
Allowlisted IPs are never auto-banned and cannot be banned via UI.

Network (L3/L4)

Socket pressure and TCP counters for spotting floods, teardown backlog and retransmit storms.
Source: backend `/api/defense/network` (ss + /proc). Use this to spot SYN floods, TIME-WAIT storms, retransmits.

Health

System

CPU, RAM and disk snapshot from the backend host.

Background work

Parallel policy engine, audit trail and auto-response queue.
Last candidates
Last actions

Policy Center

Manual policy selection and execution. Choose a profile, inspect thresholds, then apply a manual action to a target IP.
Active profile
Select or activate the policy profile that should govern automatic response.
Manual action
Choose the action you want to apply explicitly, with bantime and notes.
Select a profile or action to begin.
No manual action yet.

Policy Queue

Live view of the autonomous response queue: candidates, decisions, cooldowns and last error path.
Policy Builder
Edit thresholds and actions per profile without touching env files.
Preset
Thresholds
Bantimes
Actions
Builder status
Version history
Compare versions
No dry-run yet.
Decision path
Queue summary
Last candidates
Last actions

IOC Center

One place for IP / ASN / hostname / bans / alerts / trace / explainability. Click an IP anywhere to land here.
Enter an IP to populate the IOC view.
Actions
Select an IOC…
Intel
Explainability
Trace
Activity
Notes
Add tags or notes here to keep operational context alongside the IOC.

Traffic Center

Interface traffic, last hour
RX | TX
Top ports

Monitoring Scope

Select a scope to focus the monitoring target picker and the flow view.

Active Monitoring

Auto discovery is active on the targets found from hosts and flows.
URL | Measurement | Status | Threshold | History | Last measurement | Source

Network Watch

Local callbacks inspired by ntopng checks: device discovery, drops, throughput, ghost networks and interface activity.
Severity | Callback | Object | Detail | Metric | Last check
Select a callback
Click a row to see the full context.
The panel shows the hosts, interfaces and flows linked to the selected callback.
Select a callback…

Interfaces

Interface | State | RX/s | TX/s | Total RX | Total TX | Drops

LAN Hosts

IP | MAC | Interface | State | Connections | Ports | Processes

Live Flows

Scope | Local | Remote | Status | Process

Defensive Controls

Edge: Prevent
Rate limit, burst control, temporary blocks, allowlists, reputation filters.
App: Inspect
Method sanity, user-agent shape, header consistency, path fuzzing, admin endpoint abuse.
Analysis: Score
404/401/403 bursts, failed logins, scanning patterns, suspicious ASNs, error ratios.
Response: Act
Ban/unban, cooldown, Telegram alert, visibility updates, audit trail.
Practical thresholds
> N req/min per IP; > N 4xx/5xx in a row; > N paths in seconds; > N admin attempts; > N failed logins; > N requests from risky ASN
Decision score
+1 suspicious UA; +1 repeated 404; +1 burst on sensitive paths; +1 login failures; +1 risky ASN; +1 scanning pattern
If the score crosses the threshold, NetMon raises an alert, highlights the node, and can hand the IP to fail2ban for defensive enforcement.
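The additive decision score above, sketched as an added example over nginx combined-format access log lines; this is not NetMon's own code. The threshold values, sensitive path prefixes, login path, user-agent patterns and the `risky_ips` input are assumptions (the page gives thresholds only as "N"), the supplied lines are treated as one time window, and the hand-off to fail2ban is left out.

```python
import re
from collections import defaultdict

# Assumed values: the page gives every threshold only as "N".
REPEATED_404, SENSITIVE_BURST, LOGIN_FAILS, SCAN_PATHS, ALERT_SCORE = 3, 2, 3, 5, 3
SENSITIVE = ("/admin", "/.env", "/wp-login.php")  # hypothetical sensitive prefixes
LOGIN_PATH = "/login"                             # hypothetical login endpoint
BAD_UA = re.compile(r"^-?$|curl|python-requests|zgrab", re.I)  # assumed UA shapes
# nginx "combined" log format: ip, request path, status, user agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def score_log(lines, risky_ips=frozenset()):
    """Score one time window of log lines; returns {ip: (score, reasons)}."""
    stats = defaultdict(lambda: {"n404": 0, "sens": 0, "login": 0, "paths": set(), "ua": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed lines are skipped, not scored
        ip, path, status, ua = m.groups()
        s = stats[ip]
        s["paths"].add(path)
        s["n404"] += status == "404"
        s["sens"] += path.startswith(SENSITIVE)
        s["login"] += path.startswith(LOGIN_PATH) and status in ("401", "403")
        s["ua"] = s["ua"] or bool(BAD_UA.search(ua))
    result = {}
    for ip, s in stats.items():
        signals = [  # one +1 per signal, in the order the page lists them
            ("suspicious UA", s["ua"]),
            ("repeated 404", s["n404"] >= REPEATED_404),
            ("burst on sensitive paths", s["sens"] >= SENSITIVE_BURST),
            ("login failures", s["login"] >= LOGIN_FAILS),
            ("risky ASN", ip in risky_ips),  # caller resolves IP -> ASN
            ("scanning pattern", len(s["paths"]) >= SCAN_PATHS),
        ]
        reasons = [name for name, hit in signals if hit]
        result[ip] = (len(reasons), reasons)
    return result

def flagged(scores, allowlist=frozenset()):
    """IPs at or above ALERT_SCORE; allowlisted IPs are never returned."""
    return sorted(ip for ip, (n, _) in scores.items() if n >= ALERT_SCORE and ip not in allowlist)

def make_line(ip, path, status, ua):  # builds one constructed combined-format line
    return f'{ip} - - [01/Jan/2025:00:00:00 +0000] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'

# Constructed sample window using documentation address ranges.
SAMPLE = [make_line("203.0.113.7", p, "404", "zgrab/0.x") for p in ("/admin", "/.env", "/a", "/b", "/c")]
SAMPLE.append(make_line("198.51.100.9", "/index.html", "200", "Mozilla/5.0"))
```

Keeping the reasons next to the score lets the offender table show why an IP was flagged, and filtering through the allowlist before any enforcement matches the rule that allowlisted IPs are never auto-banned.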

Resources

Open Live Security (checklist)
Secure communication, Anonymous browsing, Network anonymity, Email & accounts, Device security, Anti-tracking, Secure files, Identity footprint
Comms
Email
Tip: we can link this checklist to your "posture" (target: workstation, browser, server) and keep an audit of the choices.
External intel providers (enrichment)
Provider | Configured | Use
To enable: set env vars in /etc/netmon/netmon.env (e.g. NETMON_INTEL_FULLHUNT_KEY=...) then restart netmon-api.service.
Integrations
Reporting
Exports: incident, audit, bans, top offenders and executive summary.

Workspaces


Ops Console

Click an error badge or load an IP. This page centralizes monitoring, blocking and network/system checks.
Filters
Error drilldown
Status | Local | Remote | Process | Last seen | Detail
Live tools
Select a tool or choose an IP.
Autonomous blacklist sweep
Feed: myip.ms blacklist

Scans

Security scanning dashboard with job history, live progress, and tool-specific presets. Use it for owned assets or explicitly authorized targets only.
Ready.
Tool catalog
Recent jobs
Selected scan
Select a scan to inspect its output.

Analysis

Draco personas
Ready.
Last run: n/a
No training started.
Ready.
No waitlist activity loaded.

Response

No action yet.
IP | Jail | Reverse | Owner | Why | When | Action
Persistent bans remain active until manual unban; history shows both automatic and manual actions.

Inspection

Ready.

Real-time Geo map

Animated IP paths
Use the buttons or wheel to zoom. Drag to pan. Click a node to inspect it. The map fits once and then stays stable.
0 active nodes
cyan = new node
green = known node
red = Suricata / alert
grey = local socket
violet = server origin

Flows

PID | Local | Remote | Status | Process | Country

Flow Graph

Flow Tree


Flow Timeline


Top Talkers

LAN
WAN
Live stream (headers)
idle
No live stream.
Admin-only • max 30s • payload requires NETMON_PCAP_INCLUDE_PAYLOAD=1 + checkbox.
Local sockets
By alerts

Aggregates

Top processes
Top countries

Anomalies

IP | Remote | Status | Country

Suricata alerts

Time | Source | Destination | Alert | Severity

Time series

Incident

Ready.
Talk graph
Click a node to open Intel. Center = target. Blue = inbound. Violet = outbound.
Summary

Packets (tcpdump)

Ring buffer (headers-only)
No active capture focus.
Captures
Preview
Select a capture…
Admin-only. Presets only (no arbitrary BPF). Files are size/time-limited.
Intel