Closed tonytan4ever closed 9 years ago
Howdy!
Could you share your /etc/fastnetmon.conf and /var/log/fastnetmon.log? You could send this data directly to me: pavel.odintsov@gmail.com
This is the content of /etc/fastnetmon.conf:

```
###
### Main configuration params
###

# Enable/Disable any actions in case of attack
enable_ban = on

# We could disable processing for certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on

# How many packets we will collect from attack's traffic
ban_details_records_count = 500

# How long we should keep an IP in blocked state
# If you set 0 here it completely disables unban capability
ban_time = 1900

# With this variable you could enable per subnet speed meters
# For each subnet from subnet list we will track speed in bps and pps for both directions
enable_subnet_counters = off

# In this file you should list all your networks in CIDR format
networks_list_path = /etc/networks_list

# In this file you could list networks in CIDR format which will not be monitored for attacks
white_list_path = /etc/networks_whitelist

# How often we redraw client's screen
check_period = 1

# Connection tracking is very useful for attack detection because it provides a huge amount of information
# But it's very CPU intensive and not recommended in big networks
enable_connection_tracking = off

# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off

# Limits for DoS/DDoS attacks
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500

###
### Traffic capture methods
###

# PF_RING traffic capture, fast enough but wire speed version needs paid license
mirror = off

# Netmap traffic capture (very fast but needs patched drivers)
mirror_netmap = off

# Pcap mode, very slow, not suitable for production
pcap = off

# Netflow capture method with v5, v9 and IPFIX support
netflow = on

# sFLOW capture suitable for switches
sflow = on

# PF_RING configuration
# If you have license for PF_RING ZC you could enable this mode and it could achieve wire speed for 10GE
enable_pf_ring_zc_mode = on

# Configuration for netmap, mirror, pcap modes
# For pcap and PF_RING we could specify "any"
# For netmap and PF_RING we could specify multiple interfaces = docker0,eth0,eth1,vethc491
interfaces = docker0,eth0,eth1,vethc491

# We use average values for traffic speed to certain IP and we calculate average over this time slice
average_calculation_time = 5

# We use average values for traffic speed for subnet and we calculate average over this time slice
average_calculation_time_for_subnets = 20

# Netflow configuration
netflow_port = 2055
netflow_host = 0.0.0.0
# For bind to all interfaces = docker0,eth0,eth1,vethc491
# For bind to localhost for specific protocol: ::1 or 127.0.0.1

# Netflow agents use different and very complex approaches for notifying about sample ratio
# Here you could specify sampling ratio for all agents
netflow_sampling_ratio = 1

# sFLOW configuration
sflow_port = 6343
sflow_host = 0.0.0.0

###
### Actions when attack detected
###

# This script is executed for ban, unban and attack details collection
notify_script_path = /usr/local/bin/notify_about_attack.sh

# We could put attack details to Redis
redis_enabled = no

# Redis configuration
redis_port = 6379
redis_host = 127.0.0.1

# ExaBGP could announce blocked IPs with BGP protocol
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114

# Announce origin subnet of IP address instead of the IP itself
exabgp_announce_whole_subnet = no

# Graphite monitoring
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003

# With this option enabled we could add local IP addresses and aliases to monitoring list
# Works only for Linux
monitor_local_ip_addresses = on

###
### Client configuration
###

# Field used for sorting in client, could be: packets, bytes or flows
sort_parameter = packets

# How many IPs we will list for incoming and outgoing channel eaters
max_ips_in_list = 7
```
And this is the /var/fastnetmon.log file: https://www.dropbox.com/s/a3l3jpi3fc66j6o/fastnetmon.log?dl=0
Thanks a lot!
Hello!
You have disabled capture from mirror:

```
# PF_RING traffic capture, fast enough but wire speed version needs paid license
mirror = off
```

And you will have significant issues with PF_RING because it requires a kernel module and we can build it correctly with Docker.
You could try KVM VM or ESXi or run FastNetMon on bare metal
Hi: Thanks a lot for your reply. Now I have capture from mirror set to on, but I can't start fastnetmon. I got this from the log:

```
2015-07-30 15:19:52,988 [INFO] We selected interface:docker0,eth0,eth1,vethc491
2015-07-30 15:19:52,988 [INFO] Run banlist cleanup thread
2015-07-30 15:19:52,989 [INFO] We have: 1 logical cpus in this server
2015-07-30 15:19:52,989 [INFO] We will start 0 worker threads
2015-07-30 15:19:53,100 [INFO] We got max packet len from device: 1536
2015-07-30 15:19:53,101 [INFO] We will use total number of ZC buffers: 32776
2015-07-30 15:19:53,204 [INFO] pfring_zc_create_cluster error: No buffer space available Please check that pf_ring.ko is loaded and hugetlb fs is mounted
2015-07-30 15:19:53,205 [ERROR] PF_RING initilization failed, exit from programm
```
I have had the pf_ring.ko module loaded by:

```
$ sudo insmod <my_PF_RING_SRC_FOLDER>/kernel/pf_ring.ko transparent_mode=1 min_num_slots=1 enable_tx_capture=1 enable_ip_defrag=1 quick_mode=0
```

And hugetlb fs is mounted as well:

```
$ cat /proc/filesystems
nodev sysfs
nodev rootfs
nodev ramfs
nodev bdev
nodev proc
nodev cgroup
nodev cpuset
nodev tmpfs
nodev devtmpfs
nodev debugfs
nodev securityfs
nodev sockfs
nodev pipefs
nodev anon_inodefs
nodev devpts
      ext3
      ext2
      ext4
nodev hugetlbfs
      vfat
```

Any ideas? Could this be because of my machine:

```
description: Computer
    width: 64 bits
    capabilities: ldt16 vsyscall32
  *-core
       description: Motherboard
       physical id: 0
     *-memory
          description: System memory
          physical id: 0
          size: 989MiB
     *-cpu
          product: Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
          vendor: Intel Corp.
          physical id: 1
          bus info: cpu@0
          width: 64 bits
```
Thanks.
Do you want PF_RING vanilla or PF_RING ZC (paid and needs a license)?
PF_RING vanilla is fine for me. Any configuration I need to set?
Just switch off this trigger:

```
enable_pf_ring_zc_mode = off
```

Hi: Thanks. I now get it working with PF_RING. But still the IP address eating incoming traffic is not showing up in the client; how can I fix this:
Am I missing any configuration?
Could you flood with hping? Ping generates too small an amount of traffic.
Tried with hping, packages are captured, but the ip is still not showing up, :/
Could you try to enable promisc mode for mirror interface?
Sincerely yours, Pavel Odintsov
Tried setting it on and it does not work:

```
$ sudo ip link set docker0 promisc on
```

Hm... could you try to run a full packet dump with this flag:

```
DUMP_ALL_PACKETS=yes ./fastnetmon
```

And send the new log file to me?
I caught this bug but there are some problems here. If we run with Docker we completely disable PF_RING compilation and you don't have this code.
Hello!
Please open the downloaded fastnetmon_install.pl and remove the following lines:

```perl
if (-e "/.dockerinit") {
    # On Docker we can't build kernel modules
    $we_could_install_kernel_modules = 0;
}
```

And run it. It could work correctly.
Hi, thanks for your help. After I reinstalled and tested it, it now works:
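The two settings that tripped this thread (mirror capture left off, ZC mode on without a licence) and the Docker marker the installer tests can be checked before starting the daemon. The following is an added example, not FastNetMon's own code: a small checker for the `key = value` format of /etc/fastnetmon.conf; the sample config and the warning texts are constructed here.

```python
# Added example (not part of FastNetMon): validate capture-related settings
# in a fastnetmon.conf before launching the daemon. SAMPLE_CONF is constructed
# from the values posted in this thread.
import os
from typing import Dict, List

SAMPLE_CONF = """\
# PF_RING traffic capture, fast enough but wire speed version needs paid license
mirror = off
netflow = on
sflow = on
enable_pf_ring_zc_mode = on
interfaces = docker0,eth0,eth1,vethc491
"""

CAPTURE_KEYS = ("mirror", "mirror_netmap", "pcap", "netflow", "sflow")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse FastNetMon-style 'key = value' lines; comments and blanks are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_capture(conf: Dict[str, str], in_docker: bool = False) -> List[str]:
    """Return warnings for the pitfalls discussed in the thread."""
    warnings: List[str] = []
    enabled = [k for k in CAPTURE_KEYS if conf.get(k) == "on"]
    if "mirror" not in enabled:
        warnings.append("mirror = off: PF_RING capture from the mirror port is disabled")
    if conf.get("enable_pf_ring_zc_mode") == "on":
        warnings.append("enable_pf_ring_zc_mode = on: ZC needs a licence, pf_ring.ko and "
                        "hugetlbfs; set it to off for vanilla PF_RING")
    if in_docker and ("mirror" in enabled or "mirror_netmap" in enabled):
        warnings.append("running in Docker: kernel modules (pf_ring.ko, netmap) "
                        "cannot be built inside the container")
    return warnings


def running_in_docker() -> bool:
    # Same marker fastnetmon_install.pl tests for.
    return os.path.exists("/.dockerinit")


if __name__ == "__main__":
    for w in check_capture(parse_conf(SAMPLE_CONF), running_in_docker()):
        print("WARNING:", w)
```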
I am closing this issue.
I am trying to set up FastNetMon and a couple of Ubuntu Docker containers to play with it, but fastnetmon (with the PF_RING plugin) just doesn't capture any packets:
My network is:
And I added 10.208.224.0/19 to my /etc/networks_list and tried 172.17.42.0/16; that did not work either.
Any insights? Thanks!