###
### Main configuration params
###
### fastnetmon.conf - flat key = value file, '#' full-line comments, no [sections].
### Boolean options use on/off throughout this file; keep that convention when editing.
###
### Logging configuration
# enable this option if you want to send logs to local syslog facility
logging:local_syslog_logging = off
# enable this option if you want to send logs to a remote syslog server via UDP
# NOTE(review): syslog over UDP is neither authenticated nor encrypted and is not
# acknowledged; keep the collector on a trusted segment and expect occasional loss.
logging:remote_syslog_logging = off
# specify a custom server and port for remote logging
logging:remote_syslog_server = 10.10.10.10
logging:remote_syslog_port = 514
# Enable/Disable any actions in case of attack
# With this set to off, attacks are still detected and logged but no ban/notify action runs
enable_ban = on
# disable processing for certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on
# How many packets will be collected from attack traffic
ban_details_records_count = 500
# How long (in seconds) we should keep an IP in blocked state
# If you set 0 here it completely disables unban capability, i.e. blocks become permanent
# until removed by hand
ban_time = 1900
# Check if the attack is still active, before triggering an unban callback with this option
# If the attack is still active, check again on each run of the unban watchdog
unban_only_if_attack_finished = on
# enable per subnet speed meters
# For each subnet, track speed in bps and pps for both directions
enable_subnet_counters = off
# list of all your networks in CIDR format
# NOTE(review): this file and the whitelist below decide what can be blocked and what
# is exempt; they should be writable only by the administrator, like this config itself.
networks_list_path = /etc/networks_list
# list of networks in CIDR format which will not be monitored for attacks
white_list_path = /etc/networks_whitelist
# redraw period for client's screen
check_period = 1
# Connection tracking is very useful for attack detection because it provides huge amounts of information,
# but it's very CPU intensive and not recommended in big networks
enable_connection_tracking = off
# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off
# Limits for Dos/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500
# Per protocol attack thresholds
# We don't implement per protocol flow limits, sorry :(
# These limits should be smaller than global pps/mbps limits
# NOTE(review): the values shipped below (100000) are larger than the global
# threshold_pps/threshold_mbps above; they are harmless while the matching ban_for_*
# options stay off, but lower them before enabling any per protocol ban.
threshold_tcp_mbps = 100000
threshold_udp_mbps = 100000
threshold_icmp_mbps = 100000
threshold_tcp_pps = 100000
threshold_udp_pps = 100000
threshold_icmp_pps = 100000
ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
###
### Traffic capture methods
###
# Several capture methods may be enabled at once; each is an independent on/off switch
# PF_RING traffic capture, fast enough but the wirespeed version needs a paid license
mirror = off
# Port mirroring sample rate
pfring_sampling_ratio = 1
# Netmap traffic capture (very fast but needs patched drivers)
mirror_netmap = off
# SnabbSwitch traffic capture
mirror_snabbswitch = off
# AF_PACKET capture engine
# Please use it only with modern Linux kernels (3.6 and newer)
# And please install birq for irq distribution over cores
mirror_afpacket = off
# use PCI-e addresses here instead of OS device names. You can find them in "lspci" output
interfaces_snabbswitch = 0000:04:00.0,0000:04:00.1,0000:03:00.0,0000:03:00.1
# Port mirroring sampling ratio
netmap_sampling_ratio = 1
# This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110;
netmap_read_packet_length_from_ip_header = off
# Pcap mode, very slow and thus not suitable for production
pcap = off
# Netflow capture method with v5, v9 and IPFIX support
netflow = on
# sFLOW capture suitable for switches
sflow = on
# PF_RING configuration
# If you have a license for PF_RING ZC, enable this mode and it might achieve wire speed for 10GE
enable_pf_ring_zc_mode = off
# Configuration for netmap, mirror, pcap modes
# For pcap and PF_RING we could specify "any"
# For netmap and PF_RING we could specify multiple interfaces separated by comma
interfaces = eth3,eth4
# We use average values for traffic speed to certain IP and we calculate average over this time slice
average_calculation_time = 5
# We use average values for traffic speed for subnet and we calculate average over this time slice
average_calculation_time_for_subnets = 20
# Netflow configuration
# it's possible to specify multiple ports here, using commas as delimiter
netflow_port = 2055
# NOTE(review): 0.0.0.0 listens on every interface. Flow records carry no
# authentication, so counters (and therefore ban decisions) can be influenced by
# anyone able to send datagrams to this port; restrict it to known exporters with
# a host firewall, or bind to the address the exporters actually reach.
netflow_host = 0.0.0.0
# To bind to all interfaces for all protocols: not possible yet
# To bind to all interfaces for a specific protocol: :: or 0.0.0.0
# To bind to localhost for a specific protocol: ::1 or 127.0.0.1
# Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
# Here you could specify a sampling ratio for all these agents
# For NetFlow v5 we extract sampling ratio from packets directly and this option is not used
netflow_sampling_ratio = 1
# In some cases with NetFlow we could get huge bursts related to aggregated data nature
# We could try to get smoother data with this option, i.e. we will divide counters by collection interval time
netflow_divide_counters_on_interval_length = off
# Process each netflow packet with LUA
# This option is not built by default and you need to build it separately
# netflow_lua_hooks_path = /usr/src/fastnetmon/src/netflow_hooks.lua
# sFLOW configuration
# It's possible to specify multiple ports here, using commas as delimiter
sflow_port = 6343
# sflow_port = 6343,6344
# NOTE(review): same exposure as netflow_host above; limit the sender set at the firewall
sflow_host = 0.0.0.0
# process each sFLOW packet with LUA
# This option is not built by default and you need to build it separately
# sflow_lua_hooks_path = /usr/src/fastnetmon/src/sflow_hooks.lua
###
### Actions when attack detected
###
# This script is executed for ban, unban and attack detail collection
# NOTE(review): the daemon runs this script with its own privileges; the file and its
# directory should be writable only by the administrator, and the script should treat the
# attack details it receives on stdin as untrusted data (do not splice them into shell commands).
notify_script_path = /usr/local/bin/notify_about_attack.sh
# pass attack details to notify_script via stdin
# Pass details only in case of "ban" call
# No details will be passed for "unban" call
notify_script_pass_details = on
# collect a full dump of the attack with full payload in pcap compatible format
# NOTE(review): full payload means the dumps contain user traffic; protect their
# storage location and retention the same way as any other capture data.
collect_attack_pcap_dumps = off
# Execute Deep Packet Inspection on captured PCAP packets
process_pcap_attack_dumps_with_dpi = off
# Save attack details to Redis
redis_enabled = off
# Redis configuration
# NOTE(review): no credential options are present here, so the connection is
# presumably unauthenticated; keep the host loopback or on a private network.
redis_port = 6379
redis_host = 127.0.0.1
# specify a custom prefix here
redis_prefix = mydc1
# We could store attack information to MongoDB
# NOTE(review): as with Redis, no credentials are configured in this file - verify
# the database is not reachable from untrusted networks.
mongodb_enabled = off
mongodb_host = localhost
mongodb_port = 27017
mongodb_database_name = fastnetmon
# If you are using PF_RING non ZC version you could block traffic on host with hardware filters
# Please be aware! We can not remove blocks with this action plugin
pfring_hardware_filters_enabled = off
# announce blocked IPs with BGP protocol with ExaBGP
exabgp = off
# Command pipe of the ExaBGP process. Anyone who can write to this pipe can inject BGP
# announcements, so its permissions should allow only the fastnetmon and ExaBGP users.
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
# specify multiple communities with this syntax:
# exabgp_community = [65001:666 65001:777]
# specify different communities for host and subnet announces
# exabgp_community_subnet = 65001:667
# exabgp_community_host = 65001:668
exabgp_next_hop = 10.0.3.114
# In complex cases you could have both options enabled and announce host and subnet simultaneously
# Announce /32 host itself with BGP
exabgp_announce_host = on
# Announce origin subnet of IP address instead of the IP itself
# NOTE(review): a subnet announce withdraws traffic for every host in that prefix,
# not just the attacked one - consider the blast radius before enabling.
exabgp_announce_whole_subnet = off
# Announce Flow Spec rules when we could detect certain attack type
# Please be aware! Flow Spec announce is triggered when we collect some details about attack,
# i.e. when we call attack_details script
# Please disable exabgp_announce_host and exabgp_announce_whole_subnet if you want to use this feature
# Please use ExaBGP v4 only (Git version), for more details: https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/BGP_FLOW_SPEC.md
exabgp_flow_spec_announces = off
# GoBGP integration
gobgp = off
gobgp_next_hop = 0.0.0.0
gobgp_announce_host = on
gobgp_announce_whole_subnet = off
# Graphite monitoring
# InfluxDB is also supported, please check our reference:
# https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/INFLUXDB_INTEGRATION.md
graphite = off
# Please use only IP because domain names are not allowed here
graphite_host = 127.0.0.1
graphite_port = 2003
# Default namespace for Graphite data
graphite_prefix = fastnetmon
# Add local IP addresses and aliases to monitoring list
# Works only for Linux
monitor_local_ip_addresses = on
# Create group of hosts with non-standard thresholds
# You should create this group before (in configuration file) specifying any limits
hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
# Configure this group
# With my_hosts_enable_ban = off the thresholds below are evaluated but never result in a ban
my_hosts_enable_ban = off
my_hosts_ban_for_pps = off
my_hosts_ban_for_bandwidth = off
my_hosts_ban_for_flows = off
my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 1000
my_hosts_threshold_flows = 3500
# Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool
pid_path = /var/run/fastnetmon.pid
# Path to file where we store information for fastnetmon_client
# NOTE(review): a fixed file name in the world-writable /tmp is open to symlink and
# pre-creation tricks by local users; a dedicated directory such as a per-service
# runtime dir is the safer home for this file.
cli_stats_file_path = /tmp/fastnetmon.dat
# Enable gRPC api (required for fastnetmon_api_client tool)
# NOTE(review): no listen address or authentication settings for the API appear in this
# file; if you enable it, confirm where it binds and keep it off untrusted networks.
enable_api = off
###
### Client configuration
###
# Field used for sorting in client, valid values are: packets, bytes or flows
sort_parameter = packets
# How many IPs will be listed for incoming and outgoing channel eaters
max_ips_in_list = 7