fastnetmon-rewritten/src/fastnetmon.conf

###
### Main configuration params
###

# Enable/Disable any actions in case of attack
enable_ban = on

# We could disable processing for certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on

# How much packets we will collect from attack's traffic
ban_details_records_count = 500

# How long we should stay IP in blocked state 
# If you set 0 here it completely disables unban capability
ban_time = 1900

# In this file you should list all your networks in CIDR format
networks_list_path = /etc/networks_list

# In this file you could list networks in CIDR format which will be not monitored for attacks 
white_list_path = /etc/networks_whitelist

# How often we redraw client's screen
check_period = 1

# Connection tracking is very useful for attack detectiob because it provides huge amount of information
# But it's very CPU intensive and not recommended in big networks
enable_connection_tracking = off

# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off

# Limits for Dos/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500

###
### Traffic capture methods
###

# PF_RING traffic capture, enough fast but wire speed version need paid license
mirror = off

# Netmap traffic capture (very fast but need patched drivers)
mirror_netmap = off

# Pcap mode, very slow not suitable for production
pcap = off
# Netflow capture method with v5, v9 and IPFIX suppotr
netflow = on
# sFLOW capture suitable for switches
sflow = on

# PF_RING configuration
# If you have license for PF_RING ZC could could enable this mode and it could achieve wire speed for 10GE
enable_pf_ring_zc_mode = off

# Configuration for netmap, mirror, pcap modes
# For pcap and PF_RING we could specify "any"
# For netmap and PF_RING we could specify multiple interfaces separated by comma
interfaces = eth3,eth4

# We use average values for traffic speed to certain IP
average_calculation_time = 5

# Netflow configuration
netflow_port = 2055
netflow_host = 0.0.0.0

# For bind to all interfaces for all protocols:     not possible now
# For bind to all interfaces for specific protocol: ::  or 0.0.0.0 
# For bind to localhost for specific protocol:      ::1 or 127.0.0.1

# Netflow agents uses different and very complex approaches for notifying about sample ratio
# Here you could specify sampling ratio for all agents
netflow_sampling_ratio = 1

# sFLOW configuration
sflow_port = 6343
sflow_host = 0.0.0.0

###
### Actions when attack detected
###

# This script executed for ban, unban and atatck detailes collection 
notify_script_path = /usr/local/bin/notify_about_attack.sh

# We could put attack details to Redis
redis_enabled = no

# Reddis configuration
redis_port = 6379
redis_host = 127.0.0.1

# ExaBGP could announce blocked IPs with BGP protocol
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114

# Graphite monitoring
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003

###
### Client configuration
###

# Field used for sorting in client, could be: packets, bytes or flows
sort_parameter = packets
# How much IP's we will list for incoming and outgoing channel eaters 
max_ips_in_list = 7
Full rewrite of example config file 2015-04-27 14:51:13 +02:00			`###`
			`### Main configuration params`
			`###`

			`# Enable/Disable any actions in case of attack`
Replace EVN variable with configuration param 2014-12-05 10:46:01 +01:00			`enable_ban = on`
Full rewrite of example config file 2015-04-27 14:51:13 +02:00
			`# We could disable processing for certain direction of traffic`
			`process_incoming_traffic = on`
			`process_outgoing_traffic = on`

			`# How much packets we will collect from attack's traffic`
			`ban_details_records_count = 500`

			`# How long we should stay IP in blocked state`
Close: #172. Fix bahaviour for unban 2015-04-27 18:01:13 +02:00			`# If you set 0 here it completely disables unban capability`
Move ban_time to configuration file 2014-12-03 16:03:47 +01:00			`ban_time = 1900`
Full rewrite of example config file 2015-04-27 14:51:13 +02:00
Since this commit we could configure path to networks list and whitelist; Closes: 164 2015-04-27 18:21:13 +02:00			`# In this file you should list all your networks in CIDR format`
			`networks_list_path = /etc/networks_list`

			`# In this file you could list networks in CIDR format which will be not monitored for attacks`
			`white_list_path = /etc/networks_whitelist`

Full rewrite of example config file 2015-04-27 14:51:13 +02:00			`# How often we redraw client's screen`
			`check_period = 1`

			`# Connection tracking is very useful for attack detectiob because it provides huge amount of information`
			`# But it's very CPU intensive and not recommended in big networks`
			`enable_connection_tracking = off`

			`# Different approaches to attack detection`
Introduce ability to enable/disable different types of attack detection algorithms 2014-12-02 16:07:33 +01:00			`ban_for_pps = on`
			`ban_for_bandwidth = on`
			`ban_for_flows = off`
Full rewrite of example config file 2015-04-27 14:51:13 +02:00
			`# Limits for Dos/DDoS attacks`
Add config example and fix notify script 2014-06-09 11:06:59 +02:00			`threshold_pps = 20000`
Fix in example config 2014-10-29 10:33:11 +01:00			`threshold_mbps = 1000`
Fix bug with parameter name ban_threshold_flows 2014-12-03 15:25:49 +01:00			`threshold_flows = 3500`
Full rewrite of example config file 2015-04-27 14:51:13 +02:00
			`###`
			`### Traffic capture methods`
			`###`

			`# PF_RING traffic capture, enough fast but wire speed version need paid license`
			`mirror = off`

			`# Netmap traffic capture (very fast but need patched drivers)`
			`mirror_netmap = off`

			`# Pcap mode, very slow not suitable for production`
			`pcap = off`
			`# Netflow capture method with v5, v9 and IPFIX suppotr`
Disable mirror plugin by default 2015-03-24 08:30:36 +01:00			`netflow = on`
Full rewrite of example config file 2015-04-27 14:51:13 +02:00			`# sFLOW capture suitable for switches`
			`sflow = on`

			`# PF_RING configuration`
			`# If you have license for PF_RING ZC could could enable this mode and it could achieve wire speed for 10GE`
			`enable_pf_ring_zc_mode = off`

			`# Configuration for netmap, mirror, pcap modes`
			`# For pcap and PF_RING we could specify "any"`
			`# For netmap and PF_RING we could specify multiple interfaces separated by comma`
			`interfaces = eth3,eth4`

			`# We use average values for traffic speed to certain IP`
			`average_calculation_time = 5`

			`# Netflow configuration`
Provide ability to change sflow/netflow collectors default ports; Close #101 2015-03-12 19:56:55 +01:00			`netflow_port = 2055`
Provide ability to specify certain host for netflow mode 2015-03-15 21:02:24 +01:00			`netflow_host = 0.0.0.0`
Full rewrite of example config file 2015-04-27 14:51:13 +02:00
Add avility to receive Netflow data over IPv6. First step in IPv6 support! 2015-05-06 13:46:00 +02:00			`# For bind to all interfaces for all protocols: not possible now`
			`# For bind to all interfaces for specific protocol: :: or 0.0.0.0`
			`# For bind to localhost for specific protocol: ::1 or 127.0.0.1`

Provide ability for specify netflow sampling rate manually 2015-05-06 00:27:25 +02:00			`# Netflow agents uses different and very complex approaches for notifying about sample ratio`
			`# Here you could specify sampling ratio for all agents`
			`netflow_sampling_ratio = 1`

Full rewrite of example config file 2015-04-27 14:51:13 +02:00			`# sFLOW configuration`
Provide ability to change sflow/netflow collectors default ports; Close #101 2015-03-12 19:56:55 +01:00			`sflow_port = 6343`
Disable mirror plugin by default 2015-03-24 08:30:36 +01:00			`sflow_host = 0.0.0.0`
Full rewrite of example config file 2015-04-27 14:51:13 +02:00
			`###`
			`### Actions when attack detected`
			`###`

			`# This script executed for ban, unban and atatck detailes collection`
			`notify_script_path = /usr/local/bin/notify_about_attack.sh`

			`# We could put attack details to Redis`
			`redis_enabled = no`

			`# Reddis configuration`
			`redis_port = 6379`
			`redis_host = 127.0.0.1`

			`# ExaBGP could announce blocked IPs with BGP protocol`
Add configuration params for ExaBGP 2015-04-26 11:47:37 +02:00			`exabgp = off`
			`exabgp_command_pipe = /var/run/exabgp.cmd`
			`exabgp_community = 65001:666`
Add function for ban/unban /32 prefixes with ExaBGP 2015-04-26 14:35:01 +02:00			`exabgp_next_hop = 10.0.3.114`
Full rewrite of example config file 2015-04-27 14:51:13 +02:00
Add Graphite integration 2015-05-10 20:42:49 +02:00			`# Graphite monitoring`
			`graphite = off`
			`graphite_host = 127.0.0.1`
			`graphite_port = 2003`

Full rewrite of example config file 2015-04-27 14:51:13 +02:00			`###`
			`### Client configuration`
			`###`

			`# Field used for sorting in client, could be: packets, bytes or flows`
			`sort_parameter = packets`
			`# How much IP's we will list for incoming and outgoing channel eaters`
			`max_ips_in_list = 7`