|
|
|
|
@ -0,0 +1,320 @@
|
|
|
|
|
{{ ansible_managed | comment }}
|
|
|
|
|
###
|
|
|
|
|
### Main configuration params
|
|
|
|
|
###
|
|
|
|
|
|
|
|
|
|
### Logging configuration
|
|
|
|
|
|
|
|
|
|
# enable this option if you want to send logs to local syslog facility
|
|
|
|
|
logging:local_syslog_logging = off
|
|
|
|
|
|
|
|
|
|
# enable this option if you want to send logs to a remote syslog server via UDP
|
|
|
|
|
logging:remote_syslog_logging = off
|
|
|
|
|
|
|
|
|
|
# specify a custom server and port for remote logging
|
|
|
|
|
logging:remote_syslog_server = 10.10.10.10
|
|
|
|
|
logging:remote_syslog_port = 514
|
|
|
|
|
|
|
|
|
|
# Enable/Disable any actions in case of attack
|
|
|
|
|
enable_ban = on
|
|
|
|
|
|
|
|
|
|
# Enable ban for IPv6
|
|
|
|
|
enable_ban_ipv6 = on
|
|
|
|
|
|
|
|
|
|
# disable processing for certain direction of traffic
|
|
|
|
|
process_incoming_traffic = on
|
|
|
|
|
process_outgoing_traffic = on
|
|
|
|
|
|
|
|
|
|
# How many packets will be collected from attack traffic
|
|
|
|
|
ban_details_records_count = 50
|
|
|
|
|
|
|
|
|
|
# How long (in seconds) we should keep an IP in blocked state
|
|
|
|
|
# If you set 0 here it completely disables unban capability
|
|
|
|
|
ban_time = {{ ban_time }}
|
|
|
|
|
|
|
|
|
|
# Check if the attack is still active, before triggering an unban callback with this option
|
|
|
|
|
# If the attack is still active, check each run of the unban watchdog
|
|
|
|
|
unban_only_if_attack_finished = on
|
|
|
|
|
|
|
|
|
|
# enable per subnet speed meters
|
|
|
|
|
# For each subnet, list track speed in bps and pps for both directions
|
|
|
|
|
enable_subnet_counters = off
|
|
|
|
|
|
|
|
|
|
# list of all your networks in CIDR format
|
|
|
|
|
networks_list_path = /etc/networks_list
|
|
|
|
|
|
|
|
|
|
# list networks in CIDR format which will be not monitored for attacks
|
|
|
|
|
white_list_path = /etc/networks_whitelist
|
|
|
|
|
|
|
|
|
|
# redraw period for client's screen
|
|
|
|
|
check_period = 1
|
|
|
|
|
|
|
|
|
|
# Connection tracking is very useful for attack detection because it provides huge amounts of information,
|
|
|
|
|
# but it's very CPU intensive and not recommended in big networks
|
|
|
|
|
enable_connection_tracking = on
|
|
|
|
|
|
|
|
|
|
# Different approaches to attack detection
|
|
|
|
|
ban_for_pps = {{ ban_for_pps }}
|
|
|
|
|
ban_for_bandwidth = {{ ban_for_bandwidth }}
|
|
|
|
|
ban_for_flows = {{ ban_for_flows }}
|
|
|
|
|
|
|
|
|
|
# Limits for Dos/DDoS attacks
|
|
|
|
|
threshold_pps = {{ threshold_pps }}
|
|
|
|
|
threshold_mbps = {{ threshold_mbps }}
|
|
|
|
|
threshold_flows = {{ threshold_flows }}
|
|
|
|
|
|
|
|
|
|
# Per protocol attack thresholds
|
|
|
|
|
# We don't implement per protocol flow limits
|
|
|
|
|
# These limits should be smaller than global pps/mbps limits
|
|
|
|
|
|
|
|
|
|
threshold_tcp_mbps = 100000
|
|
|
|
|
threshold_udp_mbps = 100000
|
|
|
|
|
threshold_icmp_mbps = 100000
|
|
|
|
|
|
|
|
|
|
threshold_tcp_pps = {{ threshold_tcp_pps }}
|
|
|
|
|
threshold_udp_pps = {{ threshold_udp_pps }}
|
|
|
|
|
threshold_icmp_pps = {{ threshold_icmp_pps }}
|
|
|
|
|
|
|
|
|
|
ban_for_tcp_bandwidth = off
|
|
|
|
|
ban_for_udp_bandwidth = off
|
|
|
|
|
ban_for_icmp_bandwidth = off
|
|
|
|
|
|
|
|
|
|
ban_for_tcp_pps = {{ ban_for_tcp_pps }}
|
|
|
|
|
ban_for_udp_pps = {{ ban_for_udp_pps }}
|
|
|
|
|
ban_for_icmp_pps = {{ ban_for_icmp_pps }}
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
### Traffic capture methods
|
|
|
|
|
###
|
|
|
|
|
|
|
|
|
|
# PF_RING traffic capture, fast enough but the wirespeed version needs a paid license
|
|
|
|
|
mirror = off
|
|
|
|
|
|
|
|
|
|
# Port mirroring sample rate
|
|
|
|
|
pfring_sampling_ratio = 1
|
|
|
|
|
|
|
|
|
|
# Netmap traffic capture (very fast but needs patched drivers)
|
|
|
|
|
mirror_netmap = off
|
|
|
|
|
|
|
|
|
|
# AF_PACKET capture engine
|
|
|
|
|
# Please use it only with modern Linux kernels (3.6 and more)
|
|
|
|
|
# And please install birq for irq ditribution over cores
|
|
|
|
|
mirror_afpacket = off
|
|
|
|
|
|
|
|
|
|
# You can use this option to multiply all incoming traffc by this value
|
|
|
|
|
# It may be useful for sampled mirror ports
|
|
|
|
|
mirror_af_packet_custom_sampling_rate = 1
|
|
|
|
|
|
|
|
|
|
# AF_PACKET fanout mode mode, http://man7.org/linux/man-pages/man7/packet.7.html
|
|
|
|
|
# Available modes: cpu, lb, hash, random, rollover, queue_mapping
|
|
|
|
|
mirror_af_packet_fanout_mode = cpu
|
|
|
|
|
|
|
|
|
|
# This option should be enabled if you are using Juniper with mirroring of the first X bytesof packet: maximum-packet-length 110;
|
|
|
|
|
af_packet_read_packet_length_from_ip_header = off
|
|
|
|
|
|
|
|
|
|
# Port mirroring sampling ratio
|
|
|
|
|
netmap_sampling_ratio = 1
|
|
|
|
|
|
|
|
|
|
# This option should be enabled if you are using Juniper with mirroring of the first X bytesof packet: maximum-packet-length 110;
|
|
|
|
|
netmap_read_packet_length_from_ip_header = off
|
|
|
|
|
|
|
|
|
|
# Pcap mode, very slow and thus not suitable for production
|
|
|
|
|
pcap = off
|
|
|
|
|
# Netflow capture method with v5, v9 and IPFIX support
|
|
|
|
|
netflow = {{ netflow_on }}
|
|
|
|
|
# sFLOW capture suitable for switches
|
|
|
|
|
sflow = off
|
|
|
|
|
|
|
|
|
|
# PF_RING configuration
|
|
|
|
|
# If you have a license for PF_RING ZC, enable this mode and it might achieve wire speed for10GE
|
|
|
|
|
enable_pf_ring_zc_mode = off
|
|
|
|
|
|
|
|
|
|
# Configuration for netmap, mirror, pcap modes
|
|
|
|
|
# For pcap and PF_RING we could specify "any"
|
|
|
|
|
# For netmap and PF_RING we could specify multiple interfaces separated by comma
|
|
|
|
|
interfaces = eth3,eth4
|
|
|
|
|
|
|
|
|
|
# We use average values for traffic speed to certain IP and we calculate average over this time slice
|
|
|
|
|
average_calculation_time = 5
|
|
|
|
|
|
|
|
|
|
# We use average values for traffic speed for subnet and we calculate average over this timeslice
|
|
|
|
|
average_calculation_time_for_subnets = 5
|
|
|
|
|
|
|
|
|
|
# Delay between traffic recalculation attempts
|
|
|
|
|
speed_calculation_delay = 1
|
|
|
|
|
|
|
|
|
|
# Netflow configuration
|
|
|
|
|
|
|
|
|
|
# it's possible to specify multiple ports here, using commas as delimiter
|
|
|
|
|
netflow_port = {{ netflow_port }}
|
|
|
|
|
netflow_host = 0.0.0.0
|
|
|
|
|
|
|
|
|
|
# To bind to all interfaces for all protocols: not possible yet
|
|
|
|
|
# To bind to all interfaces for a specific protocol: :: or 0.0.0.0
|
|
|
|
|
# To bind to localhost for a specific protocol: ::1 or 127.0.0.1
|
|
|
|
|
|
|
|
|
|
# Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
|
|
|
|
|
# Here you could specify a sampling ratio for all this agents
|
|
|
|
|
# For NetFLOW v5 we extract sampling ratio from packets directely and this option not used
|
|
|
|
|
netflow_sampling_ratio = 1
|
|
|
|
|
|
|
|
|
|
# sFlow configuration
|
|
|
|
|
|
|
|
|
|
# It's possible to specify multiple ports here, using commas as delimiter
|
|
|
|
|
sflow_port = 6343
|
|
|
|
|
# sflow_port = 6343,6344
|
|
|
|
|
sflow_host = 0.0.0.0
|
|
|
|
|
|
|
|
|
|
# Some vendors may lie about full packet length in sFlow packet. To avoid this issue we can switch to using IP packet length from parsed header
|
|
|
|
|
sflow_read_packet_length_from_ip_header = off
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
### Actions when attack detected
|
|
|
|
|
###
|
|
|
|
|
|
|
|
|
|
# This script executed for ban, unban and attack detail collection
|
|
|
|
|
notify_script_path = /usr/local/bin/notify_about_attack.sh
|
|
|
|
|
|
|
|
|
|
# pass attack details to notify_script via stdin
|
|
|
|
|
# Pass details only in case of "ban" call
|
|
|
|
|
# No details will be passed for "unban" call
|
|
|
|
|
notify_script_pass_details = on
|
|
|
|
|
|
|
|
|
|
# collect a full dump of the attack with full payload in pcap compatible format
|
|
|
|
|
collect_attack_pcap_dumps = on
|
|
|
|
|
|
|
|
|
|
# Execute Deep Packet Inspection on captured PCAP packets
|
|
|
|
|
process_pcap_attack_dumps_with_dpi = on
|
|
|
|
|
|
|
|
|
|
# Save attack details to Redis
|
|
|
|
|
redis_enabled = off
|
|
|
|
|
|
|
|
|
|
# Redis configuration
|
|
|
|
|
redis_port = 6379
|
|
|
|
|
redis_host = 127.0.0.1
|
|
|
|
|
|
|
|
|
|
# specify a custom prefix here
|
|
|
|
|
redis_prefix = mydc1
|
|
|
|
|
|
|
|
|
|
# We could store attack information to MongoDB
|
|
|
|
|
mongodb_enabled = off
|
|
|
|
|
mongodb_host = localhost
|
|
|
|
|
mongodb_port = 27017
|
|
|
|
|
mongodb_database_name = fastnetmon
|
|
|
|
|
|
|
|
|
|
# announce blocked IPs with BGP protocol with ExaBGP
|
|
|
|
|
exabgp = off
|
|
|
|
|
exabgp_command_pipe = /var/run/exabgp.cmd
|
|
|
|
|
exabgp_community = 65001:666
|
|
|
|
|
|
|
|
|
|
# specify multiple communities with this syntax:
|
|
|
|
|
# exabgp_community = [65001:666 65001:777]
|
|
|
|
|
|
|
|
|
|
# specify different communities for host and subnet announces
|
|
|
|
|
# exabgp_community_subnet = 65001:667
|
|
|
|
|
# exabgp_community_host = 65001:668
|
|
|
|
|
|
|
|
|
|
exabgp_next_hop = 10.0.3.114
|
|
|
|
|
|
|
|
|
|
# In complex cases you could have both options enabled and announce host and subnet simultaneously
|
|
|
|
|
|
|
|
|
|
# Announce /32 host itself with BGP
|
|
|
|
|
exabgp_announce_host = on
|
|
|
|
|
|
|
|
|
|
# Announce origin subnet of IP address instead IP itself
|
|
|
|
|
exabgp_announce_whole_subnet = off
|
|
|
|
|
|
|
|
|
|
# Announce Flow Spec rules when we could detect certain attack type
|
|
|
|
|
# Please we aware! Flow Spec announce triggered when we collect some details about attack,
|
|
|
|
|
# i.e. when we call attack_details script
|
|
|
|
|
# Please disable exabgp_announce_host and exabgp_announce_whole_subnet if you want to use this feature
|
|
|
|
|
# Please use ExaBGP v4 only (Git version), for more details: https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/BGP_FLOW_SPEC.md
|
|
|
|
|
exabgp_flow_spec_announces = off
|
|
|
|
|
|
|
|
|
|
# GoBGP intergation
|
|
|
|
|
gobgp = on
|
|
|
|
|
|
|
|
|
|
# Configuration for IPv4 announces
|
|
|
|
|
gobgp_next_hop = 0.0.0.0
|
|
|
|
|
gobgp_announce_host = on
|
|
|
|
|
gobgp_announce_whole_subnet = off
|
|
|
|
|
|
|
|
|
|
gobgp_community_host = 65001:666
|
|
|
|
|
gobgp_community_subnet = 65001:777
|
|
|
|
|
|
|
|
|
|
# Configuration for IPv6 announces
|
|
|
|
|
gobgp_next_hop_ipv6 = 100::1
|
|
|
|
|
gobgp_announce_host_ipv6 = off
|
|
|
|
|
gobgp_announce_whole_subnet_ipv6 = off
|
|
|
|
|
|
|
|
|
|
gobgp_community_host_ipv6 = 65001:666
|
|
|
|
|
gobgp_community_subnet_ipv6 = 65001:777
|
|
|
|
|
|
|
|
|
|
# Graphite monitoring
|
|
|
|
|
# InfluxDB is also supported, please check our reference:
|
|
|
|
|
# https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/INFLUXDB_INTEGRATION.md
|
|
|
|
|
graphite = off
|
|
|
|
|
# Please use only IP because domain names are not allowed here
|
|
|
|
|
graphite_host = 127.0.0.1
|
|
|
|
|
graphite_port = 2003
|
|
|
|
|
|
|
|
|
|
# Default namespace for Graphite data
|
|
|
|
|
graphite_prefix = fastnetmon
|
|
|
|
|
|
|
|
|
|
# Before using InfluxDB you need to create database using influx tool:
|
|
|
|
|
# create database fastnetmon
|
|
|
|
|
|
|
|
|
|
# InfluxDB
|
|
|
|
|
influxdb = off
|
|
|
|
|
influxdb_host = 127.0.0.1
|
|
|
|
|
influxdb_port = 8086
|
|
|
|
|
influxdb_database = fastnetmon
|
|
|
|
|
|
|
|
|
|
# InfluxDB auth
|
|
|
|
|
influxdb_auth = off
|
|
|
|
|
influxdb_user = fastnetmon
|
|
|
|
|
influxdb_password = secure
|
|
|
|
|
|
|
|
|
|
# Add local IP addresses and aliases to monitoring list
|
|
|
|
|
# Works only for Linux
|
|
|
|
|
monitor_local_ip_addresses = on
|
|
|
|
|
|
|
|
|
|
# Add IP addresses for OpenVZ / Virtuozzo VEs to network monitoring list
|
|
|
|
|
monitor_openvz_vps_ip_addresses = off
|
|
|
|
|
|
|
|
|
|
# Create group of hosts with non-standard thresholds
|
|
|
|
|
# You should create this group before (in configuration file) specifying any limits
|
|
|
|
|
# hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
|
|
|
|
|
|
|
|
|
|
# Configure this group
|
|
|
|
|
my_hosts_enable_ban = off
|
|
|
|
|
|
|
|
|
|
my_hosts_ban_for_pps = off
|
|
|
|
|
my_hosts_ban_for_bandwidth = off
|
|
|
|
|
my_hosts_ban_for_flows = off
|
|
|
|
|
|
|
|
|
|
my_hosts_threshold_pps = 20000
|
|
|
|
|
my_hosts_threshold_mbps = 1000
|
|
|
|
|
my_hosts_threshold_flows = 3500
|
|
|
|
|
|
|
|
|
|
# Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool
|
|
|
|
|
pid_path = /var/run/fastnetmon.pid
|
|
|
|
|
|
|
|
|
|
# Path to file where we store IPv4 traffic information for fastnetmon_client
|
|
|
|
|
cli_stats_file_path = /tmp/fastnetmon.dat
|
|
|
|
|
|
|
|
|
|
# Path to file where we store IPv6 traffic information for fastnetmon_client
|
|
|
|
|
cli_stats_ipv6_file_path = /tmp/fastnetmon_ipv6.dat
|
|
|
|
|
|
|
|
|
|
# Enable gRPC api (required for fastnetmon_api_client tool)
|
|
|
|
|
enable_api = on
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
### Client configuration
|
|
|
|
|
###
|
|
|
|
|
|
|
|
|
|
# Field used for sorting in client, valid values are: packets, bytes or flows
|
|
|
|
|
sort_parameter = packets
|
|
|
|
|
# How much IPs will be listed for incoming and outgoing channel eaters
|
|
|
|
|
max_ips_in_list = 7
|
