fastnetmon-rewritten/src/fastnetmon.conf

###
### Main configuration params
###

# Enable/Disable any actions in case of attack
enable_ban = on

# We could disable processing for certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on

# How much packets we will collect from attack's traffic
ban_details_records_count = 500

# How long (in seconds) we should keep IP in blocked state 
# If you set 0 here it completely disables unban capability
ban_time = 1900

# With this variable you could enable per subnet speed meters
# For each subnet from subnet list we will track speed in bps and pps for both directions
enable_subnet_counters = off

# In this file you should list all your networks in CIDR format
networks_list_path = /etc/networks_list

# In this file you could list networks in CIDR format which will be not monitored for attacks 
white_list_path = /etc/networks_whitelist

# How often we redraw client's screen
check_period = 1

# Connection tracking is very useful for attack detectiob because it provides huge amount of information
# But it's very CPU intensive and not recommended in big networks
enable_connection_tracking = off

# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off

# Limits for Dos/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500

###
### Traffic capture methods
###

# PF_RING traffic capture, enough fast but wire speed version need paid license
mirror = off

# Port mirroring could be sampled
pfring_sampling_ratio = 1

# Netmap traffic capture (very fast but need patched drivers)
mirror_netmap = off

# Port mirroring could be sampled
netmap_sampling_ratio = 1

# Pcap mode, very slow not suitable for production
pcap = off
# Netflow capture method with v5, v9 and IPFIX suppotr
netflow = on
# sFLOW capture suitable for switches
sflow = on

# PF_RING configuration
# If you have license for PF_RING ZC could could enable this mode and it could achieve wire speed for 10GE
enable_pf_ring_zc_mode = off

# Configuration for netmap, mirror, pcap modes
# For pcap and PF_RING we could specify "any"
# For netmap and PF_RING we could specify multiple interfaces separated by comma
interfaces = eth3,eth4

# We use average values for traffic speed to certain IP and we calculate average over this time slice
average_calculation_time = 5

# We use average values for traffic speed for subnet and we calculate average over this time slice
average_calculation_time_for_subnets = 20

# Netflow configuration

# You could specify multiple ports here, use comma as delimiter
netflow_port = 2055
netflow_host = 0.0.0.0

# For bind to all interfaces for all protocols:     not possible now
# For bind to all interfaces for specific protocol: ::  or 0.0.0.0 
# For bind to localhost for specific protocol:      ::1 or 127.0.0.1

# Netflow v9 and IPFIX agents uses different and very complex approaches for notifying about sample ratio
# Here you could specify sampling ratio for all this agents
# For NetFLOW v5 we extract sampling ration from packets directely and this option not used 
netflow_sampling_ratio = 1

# In some cases with NetFlow we could get huge bursts related to aggregated data nature
# We could try to get smoother data with this option, i.e. we will divide counters on collection interval time
netflow_divide_counters_on_interval_length = off

# With this option we could process each netflow packet with LUA
# This option is not default and you need build it additionally
netflow_lua_hooks_path = /usr/src/fastnetmon/src/netflow_hooks.lua

# sFLOW configuration

# You could specify multiple ports here, use comma as delimiter
sflow_port = 6343
# sflow_port = 6343,6344
sflow_host = 0.0.0.0

# With this option we could process each sFLOW packet with LUA
# This option is not default and you need build it additionally
sflow_lua_hooks_path = /usr/src/fastnetmon/src/sflow_hooks.lua

###
### Actions when attack detected
###

# This script executed for ban, unban and atatck detailes collection 
notify_script_path = /usr/local/bin/notify_about_attack.sh

# With this flag we will pass attack details to notify_script with stdin 
# We pass details only in case of "ban" call
# No details passed for "unban" call
notify_script_pass_details = on

# We could put attack details to Redis
redis_enabled = no

# Reddis configuration
redis_port = 6379
redis_host = 127.0.0.1

# ExaBGP could announce blocked IPs with BGP protocol
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666

# Also we could specify different communities for host and subnet announces
# exabgp_community_subnet = 65001:667 
# exabgp_community_host = 65001:668

exabgp_next_hop = 10.0.3.114

# In complex cases you could have both options enabled and announce host and subnet simultaneously

# Announce /32 host itself with BGP
exabgp_announce_host = on

# Announce origin subnet of IP address instead IP itself
exabgp_announce_whole_subnet = no

# Graphite monitoring
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003

# We can't store speed counters for all IP's in Graphite
# And we will select top graphite_number_of_ips IP's with biggest speed
graphite_number_of_ips = 20

# Default namespace for Graphite data
graphite_prefix = fastnetmon

# With this option enabled we could add local IP addresses and aliases to monitoring list
# Works only for Linux 
monitor_local_ip_addresses = on

# We could create group of hosts with non standard thresholds
# You should create this groups before (in configuration file) specifying any limits 
hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32

# Configure this group
my_hosts_enable_ban = no

my_hosts_ban_for_pps = no
my_hosts_ban_for_bandwidth = no
my_hosts_ban_for_flows = no

my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 1000
my_hosts_threshold_flows = 3500

###
### Client configuration
###

# Field used for sorting in client, could be: packets, bytes or flows
sort_parameter = packets
# How much IP's we will list for incoming and outgoing channel eaters 
max_ips_in_list = 7