###
### Main configuration params
###
# Enable/disable any actions in case of an attack
enable_ban = on
# We can disable processing for a certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on
# How many packets we will collect from the attack's traffic
ban_details_records_count = 500
# How long (in seconds) we should keep an IP in the blocked state
# Setting 0 here completely disables the unban capability
ban_time = 1900
# With this variable you can enable per-subnet speed meters
# For each subnet from the subnet list we will track speed in bps and pps for both directions
enable_subnet_counters = off
# In this file you should list all your networks in CIDR format
networks_list_path = /etc/networks_list
# In this file you can list networks in CIDR format which will not be monitored for attacks
white_list_path = /etc/networks_whitelist
# How often we redraw the client's screen
check_period = 1
# Connection tracking is very useful for attack detection because it provides a huge amount of information
# But it is very CPU intensive and not recommended for big networks
enable_connection_tracking = off
# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off
# Limits for Dos/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500
###
### Traffic capture methods
###
# PF_RING traffic capture, fast enough, but the wire-speed version needs a paid license
mirror = off
# Port mirroring can be sampled
pfring_sampling_ratio = 1
# Netmap traffic capture (very fast but needs patched drivers)
mirror_netmap = off
# Port mirroring can be sampled
netmap_sampling_ratio = 1
# Pcap mode, very slow and not suitable for production
pcap = off
# Netflow capture method with v5, v9 and IPFIX support
netflow = on
# sFLOW capture suitable for switches
sflow = on
# PF_RING configuration
# If you have a license for PF_RING ZC you can enable this mode and it can achieve wire speed for 10GE
enable_pf_ring_zc_mode = off
# Configuration for netmap, mirror, pcap modes
# For pcap and PF_RING you can specify "any"
# For netmap and PF_RING you can specify multiple interfaces separated by commas
interfaces = eth3,eth4
# We use average values for traffic speed to a certain IP and we calculate the average over this time slice
average_calculation_time = 5
# We use average values for traffic speed for a subnet and we calculate the average over this time slice
average_calculation_time_for_subnets = 20
# Netflow configuration
# You can specify multiple ports here, using a comma as the delimiter
netflow_port = 2055
netflow_host = 0.0.0.0
# To bind to all interfaces for all protocols: not possible now
# To bind to all interfaces for a specific protocol: :: or 0.0.0.0
# To bind to localhost for a specific protocol: ::1 or 127.0.0.1
# Netflow v9 and IPFIX agents use different and very complex approaches for notifying about the sampling ratio
# Here you can specify the sampling ratio for all these agents
# For NetFlow v5 we extract the sampling ratio from packets directly and this option is not used
netflow_sampling_ratio = 1
# In some cases with NetFlow we can get huge bursts related to the aggregated nature of the data
# We can try to get smoother data with this option, i.e. we will divide counters by the collection interval length
netflow_divide_counters_on_interval_length = off
# With this option we can process each netflow packet with Lua
# This option is not enabled by default and you need to build it additionally
netflow_lua_hooks_path = /usr/src/fastnetmon/src/netflow_hooks.lua
# sFLOW configuration
# You can specify multiple ports here, using a comma as the delimiter
sflow_port = 6343
# sflow_port = 6343,6344
sflow_host = 0.0.0.0
# With this option we can process each sFLOW packet with Lua
# This option is not enabled by default and you need to build it additionally
sflow_lua_hooks_path = /usr/src/fastnetmon/src/sflow_hooks.lua
###
### Actions when attack detected
###
# This script is executed for ban, unban and attack details collection
notify_script_path = /usr/local/bin/notify_about_attack.sh
# With this flag we will pass attack details to notify_script via stdin
# We pass details only in case of "ban" call
# No details passed for "unban" call
notify_script_pass_details = on
# We can put attack details into Redis
redis_enabled = no
# Redis configuration
redis_port = 6379
redis_host = 127.0.0.1
# ExaBGP can announce blocked IPs with the BGP protocol
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
# We can also specify different communities for host and subnet announcements
# exabgp_community_subnet = 65001:667
# exabgp_community_host = 65001:668
exabgp_next_hop = 10.0.3.114
# In complex cases you can have both options enabled and announce the host and the subnet simultaneously
# Announce /32 host itself with BGP
exabgp_announce_host = on
# Announce the origin subnet of the IP address instead of the IP itself
exabgp_announce_whole_subnet = no
# Graphite monitoring
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003
# We cannot store speed counters for all IPs in Graphite
# So we will select the top graphite_number_of_ips IPs with the highest speed
graphite_number_of_ips = 20
# Default namespace for Graphite data
graphite_prefix = fastnetmon
# With this option enabled we can add local IP addresses and aliases to the monitoring list
# Works only for Linux
monitor_local_ip_addresses = on
# We can create a group of hosts with non-standard thresholds
# You should create these groups (in the configuration file) before specifying any limits for them
hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
# Configure this group
my_hosts_enable_ban = no
my_hosts_ban_for_pps = no
my_hosts_ban_for_bandwidth = no
my_hosts_ban_for_flows = no
my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 1000
my_hosts_threshold_flows = 3500
###
### Client configuration
###
# Field used for sorting in the client; can be: packets, bytes or flows
sort_parameter = packets
# How many IPs we will list for incoming and outgoing channel eaters
max_ips_in_list = 7