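###
### FastNetMon main configuration
###
### Format: flat key = value pairs, no [section] headers, full-line # comments
### only, on/off booleans. The blame timestamps that were interleaved with this
### listing are not part of the file and have been dropped.
###

###
### Main configuration params
###

### Logging configuration

# Logging level, can be info or debug
logging_level = info

# enable this option if you want to send logs to local syslog facility
logging_local_syslog_logging = off

# enable this option if you want to send logs to a remote syslog server via UDP
# Note: syslog over UDP is neither encrypted nor authenticated; keep the
# collector on a trusted network
logging_remote_syslog_logging = off

# specify a custom server and port for remote logging
logging_remote_syslog_server = 10.10.10.10
logging_remote_syslog_port = 514

# To make FastNetMon better we need to know how you use it and what's your software and hardware platform.
# To accomplish this FastNetMon sends usage information every 1 hour to our statistics server https://community-stats.fastnetmon.com
# We keep high standards of data protection and you can find our privacy policy here: https://community-stats.fastnetmon.com
# You can find information which is being sent at GitHub: https://github.com/pavel-odintsov/fastnetmon/search?q=send_usage_data_to_reporting_server
# If you prefer to disable this capability you need to set the following flag to on
disable_usage_report = off

# Enable/Disable any actions in case of attack
enable_ban = on

# Enable ban for IPv6
enable_ban_ipv6 = on

# disable processing for certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on

# dump all traffic to log file
# Very verbose: every observed packet goes to the log; consider disk usage and
# the sensitivity of the logged traffic before enabling
dump_all_traffic = off

# dump other traffic to log, useful to detect missed prefixes
dump_other_traffic = off

# How many packets will be collected from attack traffic
ban_details_records_count = 20

# How long (in seconds) we should keep an IP in blocked state
# If you set 0 here it completely disables unban capability
ban_time = 1900

# Check if the attack is still active, before triggering an unban callback with this option
# If the attack is still active, check each run of the unban watchdog
unban_only_if_attack_finished = on

# list of all your networks in CIDR format
networks_list_path = /etc/networks_list

# list networks in CIDR format which will be not monitored for attacks
# Keep this list short and reviewed: anything here is exempt from detection
white_list_path = /etc/networks_whitelist

# redraw period for client's screen
check_period = 1

# Connection tracking is very useful for attack detection because it provides huge amounts of information,
# but it's very CPU intensive and not recommended in big networks
enable_connection_tracking = on

# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off

# Limits for Dos/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500

# Per protocol attack thresholds
# We do not implement per protocol flow limits due to flow calculation logic limitations
# These limits should be smaller than global pps/mbps limits
threshold_tcp_mbps = 100000
threshold_udp_mbps = 100000
threshold_icmp_mbps = 100000
threshold_tcp_pps = 100000
threshold_udp_pps = 100000
threshold_icmp_pps = 100000
ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off

###
### Traffic capture methods
###

#
# Default option for port mirror capture on Linux
# AF_PACKET capture engine
mirror_afpacket = off

# Highly efficient XDP based traffic capture method
# XDP will detach the network interface from the Linux network stack completely and you may lose connectivity if you route management traffic over the same interface
# You need to have a separate network card for the management interface
mirror_afxdp = off

# Activates poll based logic to check for new packets. Generally, it eliminates active polling and reduces CPU load
poll_mode_xdp = off

# Set interface into promisc mode automatically
xdp_set_promisc = on

# Explicitly enable zero copy mode, requires driver support
zero_copy_xdp = off

# Forces native XDP mode which requires support from network card
force_native_mode_xdp = off

# Switch to using IP length as packet length instead of data from capture engine. Must be enabled when traffic is cropped externally
xdp_read_packet_length_from_ip_header = off

# Path to XDP microcode program for packet processing
# This object is loaded into the kernel; keep it and its directory writable only by root
microcode_xdp_path = /etc/xdp_kernel.o

# You can use this option to multiply all incoming traffic by this value
# It may be useful for sampled mirror ports
mirror_af_packet_custom_sampling_rate = 1

# AF_PACKET fanout mode, http://man7.org/linux/man-pages/man7/packet.7.html
# Available modes: cpu, lb, hash, random, rollover, queue_mapping
mirror_af_packet_fanout_mode = cpu

# This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110;
af_packet_read_packet_length_from_ip_header = off

# Netmap traffic capture, only for FreeBSD
mirror_netmap = off

# Netmap based mirroring sampling ratio
netmap_sampling_ratio = 1

# This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110;
netmap_read_packet_length_from_ip_header = off

# Pcap mode, very slow and not recommended for production use
pcap = off

# Netflow capture method with v5, v9 and IPFIX support
netflow = off

# sFLOW capture suitable for switches
sflow = off

# Configuration for Netmap, mirror, pcap, AF_XDP modes
# For pcap we could specify "any"
# For Netmap we could specify multiple interfaces separated by comma
interfaces = eth3,eth4

# We use average values for traffic speed to certain IP and we calculate the average over this time period (seconds)
average_calculation_time = 5

# Delay between traffic recalculation attempts
speed_calculation_delay = 1

# Netflow configuration

# it's possible to specify multiple ports here, using commas as delimiter
netflow_port = 2055

#
# Netflow collector host to listen on.
#
# To bind on all interfaces for IPv4 and IPv6 use ::
# To bind only on IPv4 use 0.0.0.0
#
# To bind on localhost for IPv4 and IPv6 use ::1
# To bind only on IPv4 use 127.0.0.1
#
# Binding to a wildcard address accepts flow records from any source; restrict
# the UDP port with a host firewall to your known exporters
netflow_host = 0.0.0.0

# Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
# Here you could specify a sampling ratio for all these agents
# For NetFlow v5 we extract the sampling ratio from packets directly and this option is not used
netflow_sampling_ratio = 1

# sFlow configuration

# It's possible to specify multiple ports here, using commas as delimiter
sflow_port = 6343
# sflow_port = 6343,6344

# Same consideration as netflow_host: restrict the UDP port to known exporters
sflow_host = 0.0.0.0

# Some vendors may lie about full packet length in sFlow packet. To avoid this issue we can switch to using IP packet length from parsed header
sflow_read_packet_length_from_ip_header = off

###
### Actions when attack detected
###

# This script is executed for ban, unban and attack detail collection
# Keep the script and its directory owned by root and not writable by other
# users, since the daemon runs whatever is at this path on every action
notify_script_path = /usr/local/bin/notify_about_attack.sh

# collect a full dump of the attack with full payload in pcap compatible format
collect_attack_pcap_dumps = off

# Save attack details to Redis
redis_enabled = off

# Redis configuration
# No Redis credentials are configured here; keep the instance on loopback or a trusted network
redis_port = 6379
redis_host = 127.0.0.1

# specify a custom prefix here
redis_prefix = mydc1

# We could store attack information to MongoDB
# No MongoDB credentials are configured here; keep the instance on loopback or a trusted network
mongodb_enabled = off
mongodb_host = localhost
mongodb_port = 27017
mongodb_database_name = fastnetmon

# Announce blocked IPs with BGP protocol with ExaBGP
exabgp = off
# Command pipe is a control channel into your BGP daemon; keep its permissions restricted
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666

# specify multiple communities with this syntax:
# exabgp_community = [65001:666 65001:777]
# specify different communities for host and subnet announces
# exabgp_community_subnet = 65001:667
# exabgp_community_host = 65001:668
exabgp_next_hop = 10.0.3.114

# In complex cases you could have both options enabled and announce host and subnet simultaneously
# Announce /32 host itself with BGP
exabgp_announce_host = on

# Announce origin subnet of IP address instead of the IP itself
exabgp_announce_whole_subnet = off

# GoBGP integration
gobgp = off

# Configuration for IPv4 announces
gobgp_next_hop = 0.0.0.0
gobgp_announce_host = on
gobgp_announce_whole_subnet = off
gobgp_community_host = 65001:666
gobgp_community_subnet = 65001:777

# Configuration for IPv6 announces
gobgp_next_hop_ipv6 = 100::1
gobgp_announce_host_ipv6 = on
gobgp_announce_whole_subnet_ipv6 = off
gobgp_community_host_ipv6 = 65001:666
gobgp_community_subnet_ipv6 = 65001:777

# InfluxDB integration
# More details can be found here: https://fastnetmon.com/docs/influxdb_integration/
# Before using InfluxDB you need to create database using influx tool:
# create database fastnetmon
influxdb = off
influxdb_host = 127.0.0.1
influxdb_port = 8086
influxdb_database = fastnetmon

# InfluxDB auth
# Plain-text credential: change the default value below and make sure this
# file is readable only by the account running the daemon
influxdb_auth = off
influxdb_user = fastnetmon
influxdb_password = secure

# How often we export metrics to InfluxDB
influxdb_push_period = 1

# Graphite monitoring
graphite = off
# Please use only IP because domain names are not allowed here
graphite_host = 127.0.0.1
graphite_port = 2003
# Default namespace for Graphite data
graphite_prefix = fastnetmon
# How often we export metrics to Graphite
graphite_push_period = 1

# Add local IP addresses and aliases to monitoring list
# Works only for Linux
monitor_local_ip_addresses = on

# Add IP addresses for OpenVZ / Virtuozzo VEs to network monitoring list
monitor_openvz_vps_ip_addresses = off

# Create group of hosts with non-standard thresholds
# You should create this group before (in configuration file) specifying any limits
# hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32

# Configure this group
my_hosts_enable_ban = off
my_hosts_ban_for_pps = off
my_hosts_ban_for_bandwidth = off
my_hosts_ban_for_flows = off
my_hosts_threshold_pps = 100000
my_hosts_threshold_mbps = 1000
my_hosts_threshold_flows = 3500

# Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool
pid_path = /var/run/fastnetmon.pid

# Path to file where we store IPv4 traffic information for fastnetmon_client
# /tmp is shared with every local user; a directory that only the daemon can
# write to is preferable if local users are not trusted
cli_stats_file_path = /tmp/fastnetmon.dat

# Path to file where we store IPv6 traffic information for fastnetmon_client
cli_stats_ipv6_file_path = /tmp/fastnetmon_ipv6.dat

# Enable gRPC API (required for fastnetmon_api_client tool)
# No authentication or bind-address settings for the API appear in this file;
# confirm how the endpoint is exposed before enabling it on a shared host
enable_api = on

# Enables traffic export to Kafka
kafka_traffic_export = off
# Kafka traffic export topic name
kafka_traffic_export_topic = fastnetmon
# Kafka traffic export format: json or protobuf
kafka_traffic_export_format = json
# Kafka traffic export list of brokers separated by comma (example values, replace with your own)
kafka_traffic_export_brokers = 10.154.0.1:9092,10.154.0.2:9092

# Prometheus monitoring endpoint
prometheus = on
# Prometheus port
prometheus_port = 9209
# Prometheus host (loopback by default; widen only behind appropriate access control)
prometheus_host = 127.0.0.1

###
### Client configuration
###

# Field used for sorting in client, valid values are: packets, bytes or flows
sort_parameter = packets

# How many IPs will be listed for incoming and outgoing channel eaters
max_ips_in_list = 7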