mirror of
https://github.com/pavel-odintsov/fastnetmon
synced 2024-05-03 22:26:30 +02:00
361 lines
11 KiB
Plaintext
361 lines
11 KiB
Plaintext
###
|
|
### Main configuration params
|
|
###
|
|
|
|
### Logging configuration
|
|
|
|
# Logging level, can be info or debug
|
|
logging_level = info
|
|
|
|
# enable this option if you want to send logs to local syslog facility
|
|
logging_local_syslog_logging = off
|
|
|
|
# enable this option if you want to send logs to a remote syslog server via UDP
|
|
logging_remote_syslog_logging = off
|
|
|
|
# specify a custom server and port for remote logging
|
|
logging_remote_syslog_server = 10.10.10.10
|
|
logging_remote_syslog_port = 514
|
|
|
|
# To make FastNetMon better we need to know how you use it and what's your software and hardware platform.
|
|
# To accomplish this FastNetMon sends usage information every 1 hour to our statistics server https://community-stats.fastnetmon.com
|
|
# We keep high standards of data protection and you can find our privacy policy here: https://community-stats.fastnetmon.com
|
|
# You can find information which is being sent at GitHub: https://github.com/pavel-odintsov/fastnetmon/search?q=send_usage_data_to_reporting_server
|
|
# If you prefer to disable this capability you need to set following flag to on
|
|
disable_usage_report = off
|
|
|
|
# Enable/Disable any actions in case of attack
|
|
enable_ban = on
|
|
|
|
# Enable ban for IPv6
|
|
enable_ban_ipv6 = on
|
|
|
|
# disable processing for certain direction of traffic
|
|
process_incoming_traffic = on
|
|
process_outgoing_traffic = on
|
|
|
|
# dump all traffic to log file
|
|
dump_all_traffic = off
|
|
|
|
# dump other traffic to log, useful to detect missed prefixes
|
|
dump_other_traffic = off
|
|
|
|
# How many packets will be collected from attack traffic
|
|
ban_details_records_count = 20
|
|
|
|
# How long (in seconds) we should keep an IP in blocked state
|
|
# If you set 0 here it completely disables unban capability
|
|
ban_time = 1900
|
|
|
|
# Check if the attack is still active, before triggering an unban callback with this option
|
|
# If the attack is still active, check each run of the unban watchdog
|
|
unban_only_if_attack_finished = on
|
|
|
|
# list of all your networks in CIDR format
|
|
networks_list_path = /etc/networks_list
|
|
|
|
# list networks in CIDR format which will be not monitored for attacks
|
|
white_list_path = /etc/networks_whitelist
|
|
|
|
# redraw period for client's screen
|
|
check_period = 1
|
|
|
|
# Connection tracking is very useful for attack detection because it provides huge amounts of information,
|
|
# but it's very CPU intensive and not recommended in big networks
|
|
enable_connection_tracking = on
|
|
|
|
# Different approaches to attack detection
|
|
ban_for_pps = on
|
|
ban_for_bandwidth = on
|
|
ban_for_flows = off
|
|
|
|
# Limits for Dos/DDoS attacks
|
|
threshold_pps = 20000
|
|
threshold_mbps = 1000
|
|
threshold_flows = 3500
|
|
|
|
# Per protocol attack thresholds
|
|
# We do not implement per protocol flow limits due to flow calculation logic limitations
|
|
# These limits should be smaller than global pps/mbps limits
|
|
|
|
threshold_tcp_mbps = 100000
|
|
threshold_udp_mbps = 100000
|
|
threshold_icmp_mbps = 100000
|
|
|
|
threshold_tcp_pps = 100000
|
|
threshold_udp_pps = 100000
|
|
threshold_icmp_pps = 100000
|
|
|
|
ban_for_tcp_bandwidth = off
|
|
ban_for_udp_bandwidth = off
|
|
ban_for_icmp_bandwidth = off
|
|
|
|
ban_for_tcp_pps = off
|
|
ban_for_udp_pps = off
|
|
ban_for_icmp_pps = off
|
|
|
|
###
|
|
### Traffic capture methods
|
|
###
|
|
|
|
#
|
|
# Default option for port mirror capture on Linux
|
|
# AF_PACKET capture engine
|
|
mirror_afpacket = off
|
|
|
|
# High efficient XDP based traffic capture method
|
|
# XDP will detach network interface from Linux network stack completely and you may lose connectivity if your route management traffic over same interface
|
|
# You need to have separate network card for management interface
|
|
mirror_afxdp = off
|
|
|
|
# Activates poll based logic to check for new packets. Generally, it eliminates active polling and reduces CPU load
|
|
poll_mode_xdp = off
|
|
|
|
# Set interface into promisc mode automatically
|
|
xdp_set_promisc = on
|
|
|
|
# Explicitly enable zero copy mode, requires driver support
|
|
zero_copy_xdp = off
|
|
|
|
# Forces native XDP mode which requires support from network card
|
|
force_native_mode_xdp = off
|
|
|
|
# Switch to using IP length as packet length instead of data from capture engine. Must be enabled when traffic is cropped externally
|
|
xdp_read_packet_length_from_ip_header = off
|
|
|
|
# Path to XDP microcode programm for packet processing
|
|
microcode_xdp_path = /etc/xdp_kernel.o
|
|
|
|
# You can use this option to multiply all incoming traffc by this value
|
|
# It may be useful for sampled mirror ports
|
|
mirror_af_packet_custom_sampling_rate = 1
|
|
|
|
# AF_PACKET fanout mode mode, http://man7.org/linux/man-pages/man7/packet.7.html
|
|
# Available modes: cpu, lb, hash, random, rollover, queue_mapping
|
|
mirror_af_packet_fanout_mode = cpu
|
|
|
|
# This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110;
|
|
af_packet_read_packet_length_from_ip_header = off
|
|
|
|
# Netmap traffic capture, only for FreeBSD
|
|
mirror_netmap = off
|
|
|
|
# Netmap based mirroring sampling ratio
|
|
netmap_sampling_ratio = 1
|
|
|
|
# This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110;
|
|
netmap_read_packet_length_from_ip_header = off
|
|
|
|
# Pcap mode, very slow and not recommended for production use
|
|
pcap = off
|
|
|
|
# Netflow capture method with v5, v9 and IPFIX support
|
|
netflow = off
|
|
|
|
# sFLOW capture suitable for switches
|
|
sflow = off
|
|
|
|
# Configuration for Netmap, mirror, pcap, AF_XDP modes
|
|
# For pcap we could specify "any"
|
|
# For Netmap we could specify multiple interfaces separated by comma
|
|
interfaces = eth3,eth4
|
|
|
|
# We use average values for traffic speed to certain IP and we calculate average over this time periond (seconds)
|
|
average_calculation_time = 5
|
|
|
|
# Delay between traffic recalculation attempts
|
|
speed_calculation_delay = 1
|
|
|
|
# Netflow configuration
|
|
|
|
# it's possible to specify multiple ports here, using commas as delimiter
|
|
netflow_port = 2055
|
|
|
|
#
|
|
# Netflow collector host to listen on.
|
|
#
|
|
# To bind on all interfaces for IPv4 and IPv6 use ::
|
|
# To bind only on IPv4 use 0.0.0.0
|
|
#
|
|
# To bind on localhost for IPv4 and IPv6 use ::1
|
|
# To bind only on IPv4 use 127.0.0.1
|
|
#
|
|
netflow_host = 0.0.0.0
|
|
|
|
# Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
|
|
# Here you could specify a sampling ratio for all this agents
|
|
# For NetFlow v5 we extract sampling ratio from packets directely and this option not used
|
|
netflow_sampling_ratio = 1
|
|
|
|
# sFlow configuration
|
|
|
|
# It's possible to specify multiple ports here, using commas as delimiter
|
|
sflow_port = 6343
|
|
# sflow_port = 6343,6344
|
|
sflow_host = 0.0.0.0
|
|
|
|
# Some vendors may lie about full packet length in sFlow packet. To avoid this issue we can switch to using IP packet length from parsed header
|
|
sflow_read_packet_length_from_ip_header = off
|
|
|
|
###
|
|
### Actions when attack detected
|
|
###
|
|
|
|
# This script executed for ban, unban and attack detail collection
|
|
notify_script_path = /usr/local/bin/notify_about_attack.sh
|
|
|
|
# collect a full dump of the attack with full payload in pcap compatible format
|
|
collect_attack_pcap_dumps = off
|
|
|
|
# Save attack details to Redis
|
|
redis_enabled = off
|
|
|
|
# Redis configuration
|
|
redis_port = 6379
|
|
redis_host = 127.0.0.1
|
|
|
|
# specify a custom prefix here
|
|
redis_prefix = mydc1
|
|
|
|
# We could store attack information to MongoDB
|
|
mongodb_enabled = off
|
|
mongodb_host = localhost
|
|
mongodb_port = 27017
|
|
mongodb_database_name = fastnetmon
|
|
|
|
# Announce blocked IPs with BGP protocol with ExaBGP
|
|
exabgp = off
|
|
exabgp_command_pipe = /var/run/exabgp.cmd
|
|
exabgp_community = 65001:666
|
|
|
|
# specify multiple communities with this syntax:
|
|
# exabgp_community = [65001:666 65001:777]
|
|
|
|
# specify different communities for host and subnet announces
|
|
# exabgp_community_subnet = 65001:667
|
|
# exabgp_community_host = 65001:668
|
|
|
|
exabgp_next_hop = 10.0.3.114
|
|
|
|
# In complex cases you could have both options enabled and announce host and subnet simultaneously
|
|
|
|
# Announce /32 host itself with BGP
|
|
exabgp_announce_host = on
|
|
|
|
# Announce origin subnet of IP address instead IP itself
|
|
exabgp_announce_whole_subnet = off
|
|
|
|
# GoBGP integration
|
|
gobgp = off
|
|
|
|
# Configuration for IPv4 announces
|
|
gobgp_next_hop = 0.0.0.0
|
|
gobgp_announce_host = on
|
|
gobgp_announce_whole_subnet = off
|
|
|
|
gobgp_community_host = 65001:666
|
|
gobgp_community_subnet = 65001:777
|
|
|
|
# Configuration for IPv6 announces
|
|
gobgp_next_hop_ipv6 = 100::1
|
|
gobgp_announce_host_ipv6 = on
|
|
gobgp_announce_whole_subnet_ipv6 = off
|
|
|
|
gobgp_community_host_ipv6 = 65001:666
|
|
gobgp_community_subnet_ipv6 = 65001:777
|
|
|
|
# Before using InfluxDB you need to create database using influx tool:
|
|
# create database fastnetmon
|
|
|
|
# InfluxDB integration
|
|
# More details can be found here: https://fastnetmon.com/docs/influxdb_integration/
|
|
influxdb = off
|
|
influxdb_host = 127.0.0.1
|
|
influxdb_port = 8086
|
|
influxdb_database = fastnetmon
|
|
|
|
# InfluxDB auth
|
|
influxdb_auth = off
|
|
influxdb_user = fastnetmon
|
|
influxdb_password = secure
|
|
|
|
# How often we export metrics to InfluxDB
|
|
influxdb_push_period = 1
|
|
|
|
# Graphite monitoring
|
|
graphite = off
|
|
# Please use only IP because domain names are not allowed here
|
|
graphite_host = 127.0.0.1
|
|
graphite_port = 2003
|
|
|
|
# Default namespace for Graphite data
|
|
graphite_prefix = fastnetmon
|
|
|
|
# How often we export metrics to Graphite
|
|
graphite_push_period = 1
|
|
|
|
# Add local IP addresses and aliases to monitoring list
|
|
# Works only for Linux
|
|
monitor_local_ip_addresses = on
|
|
|
|
# Add IP addresses for OpenVZ / Virtuozzo VEs to network monitoring list
|
|
monitor_openvz_vps_ip_addresses = off
|
|
|
|
# Create group of hosts with non-standard thresholds
|
|
# You should create this group before (in configuration file) specifying any limits
|
|
# hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
|
|
|
|
# Configure this group
|
|
my_hosts_enable_ban = off
|
|
|
|
my_hosts_ban_for_pps = off
|
|
my_hosts_ban_for_bandwidth = off
|
|
my_hosts_ban_for_flows = off
|
|
|
|
my_hosts_threshold_pps = 100000
|
|
my_hosts_threshold_mbps = 1000
|
|
my_hosts_threshold_flows = 3500
|
|
|
|
# Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool
|
|
pid_path = /var/run/fastnetmon.pid
|
|
|
|
# Path to file where we store IPv4 traffic information for fastnetmon_client
|
|
cli_stats_file_path = /tmp/fastnetmon.dat
|
|
|
|
# Path to file where we store IPv6 traffic information for fastnetmon_client
|
|
cli_stats_ipv6_file_path = /tmp/fastnetmon_ipv6.dat
|
|
|
|
# Enable gRPC API (required for fastnetmon_api_client tool)
|
|
enable_api = on
|
|
|
|
# Enables traffic export to Kafka
|
|
kafka_traffic_export = off
|
|
|
|
# Kafka traffic export topic name
|
|
kafka_traffic_export_topic = fastnetmon
|
|
|
|
# Kafka traffic export format: json or protobuf
|
|
kafka_traffic_export_format = json
|
|
|
|
# Kafka traffic export list of brokers separated by comma
|
|
kafka_traffic_export_brokers = 10.154.0.1:9092,10.154.0.2:9092
|
|
|
|
# Prometheus monitoring endpoint
|
|
prometheus = on
|
|
|
|
# Prometheus port
|
|
prometheus_port = 9209
|
|
|
|
# Prometheus host
|
|
prometheus_host = 127.0.0.1
|
|
|
|
###
|
|
### Client configuration
|
|
###
|
|
|
|
# Field used for sorting in client, valid values are: packets, bytes or flows
|
|
sort_parameter = packets
|
|
|
|
# How much IPs will be listed for incoming and outgoing channel eaters
|
|
max_ips_in_list = 7
|