
Example configuration

Here we present a complete example configuration for Vermont that includes multiple sensors and actors. Two sensors use the processor utilization as their input source: the sensor with ID 1 is activated when the processor utilization rises above 50%, and the sensor with ID 2 is activated when the processor utilization falls below 30%. The first two actors change the filter's parameters and double or halve the sampling rate each time they are triggered. The succeeding actors pause and resume the ipfixAggregator module.

<ipfixConfig>
    <sensors>
        <!-- Each sensor evaluates one XPath expression over Vermont's sensor data and
             compares the result with its threshold. Both sensors below read the same
             source, the summed processor utilization. -->
        <!-- Sensor 1: "positive" activation, i.e. it fires when the utilization rises
             above 50 (per the page text). -->
        <sensor id="1">
            <source>sum(/vermont/sensorData/processor/util)</source>
            <threshold>50</threshold>
            <activation>positive</activation>
        </sensor>
        <!-- Sensor 2: "negative" activation, i.e. it fires when the utilization falls
             below 30 (per the page text). -->
        <sensor id="2">
            <source>sum(/vermont/sensorData/processor/util)</source>
            <threshold>30</threshold>
            <activation>negative</activation>
        </sensor>
        <!-- NOTE(review): the actors section reuses the ids 1 and 2; this looks like
             "actor id = id of the sensor that fires it" - confirm against the Vermont
             sensor/actor documentation. -->
    </sensors>
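    <actors>
        <!-- Actors are the reactions to the sensors above. The repeated ids (1, 2, 1, 2)
             presumably mean "fired by the sensor with the same id" - confirm against the
             Vermont documentation. -->
        <!-- The <code> elements hold a Python-syntax snippet; v presumably carries the
             current value of the element named in <target> and is written back after the
             snippet ran. Because this is executed inside the Vermont process, write
             access to this file equals code execution as the Vermont user: keep the file
             writable by the administrator only and review changes to it. A literal "<"
             inside a snippet must be written as &lt; to keep the document well-formed. -->
        <!-- Actor 1 (sensor 1, utilization above 50): double the countBased interval of
             filter 2, presumably halving the sampling rate. -->
        <actor id="1">
            <action>modifyvalue</action>
            <code>v = int(v)*2</code>
            <trigger>always</trigger>
            <target>/ipfixConfig/filter[@id=2]/countBased/interval</target>
        </actor>
        <!-- Actor 2 (sensor 2, utilization below 30): halve the interval again, but never
             below 2. NOTE(review): "/" is true division under Python 3 and would produce
             a float; the snippet assumes the integer division of the embedded Python 2. -->
        <actor id="2">
            <action>modifyvalue</action>
            <code>if int(v)>2: v = int(v)/2</code>
            <trigger>always</trigger>
            <target>/ipfixConfig/filter[@id=2]/countBased/interval</target>
        </actor>
        <!-- Actor 1 again: pause ipfixAggregator 7 a single time when sensor 1 fires. -->
        <actor id="1">
            <action>pausemodule</action>
            <trigger>once</trigger>
            <target>/ipfixConfig/ipfixAggregator[@id=7]</target>
        </actor>
        <!-- Actor 2 again: resume ipfixAggregator 7 a single time when sensor 2 fires. -->
        <actor id="2">
            <action>resumemodule</action>
            <trigger>once</trigger>
            <target>/ipfixConfig/ipfixAggregator[@id=7]</target>
        </actor>
    </actors>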

    <sensorManager id="99">
        <!-- Polls the sensors every checkinterval (unit not stated on this page;
             presumably seconds) and fires the matching actors. -->
        <checkinterval>1</checkinterval>
    </sensorManager>

    <observer id="1">
        <!-- Packet source: captures on eth1 with the pcap filter "ip", so only IP traffic
             enters the pipeline. Capturing presumably needs raw-socket privileges for
             the Vermont process; grant CAP_NET_RAW rather than running as root if the
             platform allows it. -->
        <interface>eth1</interface>
        <pcap_filter>ip</pcap_filter>
        <!-- Captured packets go to filter 2. -->
        <next>2</next>
    </observer>

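    <filter id="2">
        <!-- Count-based sampling stage. interval is the value the actors in <actors>
             rewrite at run time (doubled while sensor 1 fires, halved down to 2 while
             sensor 2 fires); spacing is left unchanged. The exact meaning of interval and
             spacing is not shown on this page. -->
        <countBased>
            <interval>2</interval>
            <spacing>2</spacing>
        </countBased>
        <!-- Sampled packets go to packetQueue 3. -->
        <next>3</next>
    </filter>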

    <packetQueue id="3">
        <!-- Bounded buffer between the filter and the packet aggregator; what happens
             when 1000 entries are queued (drop or block) is not shown here. -->
        <maxSize>1000</maxSize>
        <next>4</next>
    </packetQueue>

    <packetAggregator id="4">
        <!-- Aggregates sampled packets into flow records. The rule keys on the classic
             5-tuple (flowKey); the nonFlowKey fields (timestamps, byte/packet counters,
             TCP flags) are carried per flow but presumably not matched on. -->
        <rule>
            <templateId>998</templateId>
            <flowKey>
                <ieName>sourceIPv4Address</ieName>
            </flowKey>
            <flowKey>
                <ieName>destinationIPv4Address</ieName>
            </flowKey>
            <flowKey>
                <ieName>protocolIdentifier</ieName>
            </flowKey>
            <flowKey>
                <ieName>sourceTransportPort</ieName>
            </flowKey>
            <flowKey>
                <ieName>destinationTransportPort</ieName>
            </flowKey>
            <nonFlowKey>
                <ieName>flowStartMilliSeconds</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>flowEndMilliSeconds</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>octetDeltaCount</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>packetDeltaCount</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>tcpControlBits</ieName>
            </nonFlowKey>
        </rule>
        <!-- Flow expiry: 10 s without packets, or 60 s of total lifetime. -->
        <expiration>
            <inactiveTimeout unit="sec">10</inactiveTimeout>
            <activeTimeout unit="sec">60</activeTimeout>
        </expiration>
        <!-- 10000 ms = 10 s; presumably how often expired flows are looked for. -->
        <pollInterval unit="msec">10000</pollInterval>
        <!-- Two successors: records are handed both to ipfixQueue 5 (export path) and
             to ipfixAggregator 7 (second aggregation stage). -->
        <next>5</next>
        <next>7</next>
    </packetAggregator>
 
    <ipfixQueue id="5">
        <!-- Bounded buffer in front of the exporter; the overflow behaviour at 100000
             entries is not shown here. -->
        <maxSize>100000</maxSize>
        <next>6</next>
    </ipfixQueue>

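    <ipfixExporter id="6">
        <!-- Exports the flow records to one collector. transportProtocol 17 is the IANA
             number for UDP, so the records (IP addresses, ports, counters) leave the host
             unauthenticated and unencrypted; run this over a trusted management network
             or protect the path otherwise (RFC 7011 recommends TLS/DTLS for IPFIX).
             ipAddressType 4 presumably selects IPv4. -->
        <collector>
            <ipAddressType>4</ipAddressType>
            <ipAddress>10.1.1.1</ipAddress>
            <transportProtocol>17</transportProtocol>
            <port>3000</port>
        </collector>
        <!-- Cap on the export rate (unit not stated here; presumably records per second). -->
        <maxRecordRate>10000</maxRecordRate>
    </ipfixExporter>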

    <ipfixAggregator id="7">
        <!-- Second aggregation stage fed by packetAggregator 4; this is the module the
             pausemodule/resumemodule actors pause and resume. -->
        <rule>
            <templateId>999</templateId>
            <!-- biflowAggregation 1 presumably merges both directions of a connection
                 into one record; the rev* fields below hold the reverse direction. -->
            <biflowAggregation>1</biflowAggregation>
            <flowKey>
                <ieName>sourceIPv4Address</ieName>
            </flowKey>
            <flowKey>
                <ieName>destinationIPv4Address</ieName>
            </flowKey>
            <flowKey>
                <ieName>protocolIdentifier</ieName>
            </flowKey>
            <flowKey>
                <ieName>sourceTransportPort</ieName>
            </flowKey>
            <flowKey>
                <ieName>destinationTransportPort</ieName>
            </flowKey>
            <nonFlowKey>
                <ieName>flowStartMilliSeconds</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>flowEndMilliSeconds</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>octetDeltaCount</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>packetDeltaCount</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>tcpControlBits</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>revflowStartMilliSeconds</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>revflowEndMilliSeconds</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>revoctetDeltaCount</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>revpacketDeltaCount</ieName>
            </nonFlowKey>
            <nonFlowKey>
                <ieName>revtcpControlBits</ieName>
            </nonFlowKey>
        </rule>
        <!-- Longer timeouts than stage 4: 60 s idle, 120 s total lifetime. -->
        <expiration>
            <inactiveTimeout unit="sec">60</inactiveTimeout>
            <activeTimeout unit="sec">120</activeTimeout>
        </expiration>
        <pollInterval unit="msec">10000</pollInterval>
        <!-- Biflow records go to the portscan detector (8). -->
        <next>8</next>
    </ipfixAggregator>

    <trwPortscanDetector id="8">
        <!-- TRW (threshold random walk) portscan detector working on the biflows from
             aggregator 7. analyzerid is the name it reports in its IDMEF alerts. -->
        <analyzerid>trwportscandetector</analyzerid>
        <!-- Relative path; presumably resolved against Vermont's working directory. The
             template shapes the alert content, so keep it as read-only as this config. -->
        <idmeftemplate>idmef/templates/trwportscan_template.xml</idmeftemplate>
        <next>9</next>
    </trwPortscanDetector>

    <idmefExporter id="9">
        <!-- Posts the IDMEF alerts to this URL. Plain http is acceptable on loopback;
             if this is pointed at a remote host the alerts travel unencrypted, so
             prefer https there. -->
        <sendurl>http://localhost</sendurl>
    </idmefExporter>
</ipfixConfig>