pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Expose number of protocol instead of "unknown" in attack dumps #463

Open cmhungry opened 9 years ago

cmhungry commented 9 years ago

Attack protocol: tcp, yet further down in the details: protocol: unknown

Apparently the header should say Attack protocol: unknown, but in the details I would really like to see the protocol number rather than the string unknown (with a number you can at least block it). Or else print the protocol number in Attack protocol as well.

IP: 109.234.159.219
Attack type: unknown
Initial attack power: 274442 packets per second
Peak attack power: 274442 packets per second
Attack direction: outgoing
Attack protocol: tcp
Total incoming traffic: 4 mbps
Total outgoing traffic: 3136 mbps
Total incoming pps: 1214 packets per second
Total outgoing pps: 274442 packets per second
Total incoming flows: 0 flows per second
Total outgoing flows: 0 flows per second
Average incoming traffic: 4 mbps
Average outgoing traffic: 3136 mbps
Average incoming pps: 1214 packets per second
Average outgoing pps: 274442 packets per second
Average incoming flows: 0 flows per second
Average outgoing flows: 0 flows per second
Incoming ip fragmented traffic: 0 mbps
Outgoing ip fragmented traffic: 0 mbps
Incoming ip fragmented pps: 0 packets per second
Outgoing ip fragmented pps: 0 packets per second
Incoming tcp traffic: 0 mbps
Outgoing tcp traffic: 0 mbps
Incoming tcp pps: 0 packets per second
Outgoing tcp pps: 0 packets per second
Incoming syn tcp traffic: 0 mbps
Outgoing syn tcp traffic: 0 mbps
Incoming syn tcp pps: 0 packets per second
Outgoing syn tcp pps: 0 packets per second
Incoming udp traffic: 0 mbps
Outgoing udp traffic: 0 mbps
Incoming udp pps: 0 packets per second
Outgoing udp pps: 0 packets per second
Incoming icmp traffic: 0 mbps
Outgoing icmp traffic: 0 mbps
Incoming icmp pps: 0 packets per second
Outgoing icmp pps: 0 packets per second

Average packet size for incoming traffic: 539.2 bytes
Average packet size for outgoing traffic: 1497.8 bytes

2015-11-30 09:59:22.298232 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:23.944737 77.236.251.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:24.519172 109.234.159.219:0 > 89.20.135.99:0 protocol: unknown frag: 0 packets: 1 size: 1438 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:24.971063 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 206 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:25.863320 109.206.132.78:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 190 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:26.555912 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 302 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:27.657017 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 1438 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:28.000356 109.206.132.78:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:32.709464 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:34.059405 194.190.93.17:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 190 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:34.275011 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:35.610185 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:35.967817 109.234.159.219:0 > 194.190.93.17:0 protocol: unknown frag: 0 packets: 1 size: 1182 bytes ttl: 0 sample ratio: 16384
2015-11-30 09:59:37.018627 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 1438 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:37.159804 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:38.415776 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:38.831522 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 1438 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:40.146902 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 1438 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:40.527032 109.234.159.219:0 > 89.20.135.99:0 protocol: unknown frag: 0 packets: 1 size: 1438 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:40.741601 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:41.910956 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:42.910188 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 302 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:44.291756 109.234.159.219:0 > 194.190.93.17:0 protocol: unknown frag: 0 packets: 1 size: 974 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:45.475053 109.234.159.219:0 > 194.190.93.17:0 protocol: unknown frag: 0 packets: 1 size: 702 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:47.145788 194.190.93.17:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:48.000604 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:49.184900 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 830 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:49.677222 194.190.93.17:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:50.537016 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 782 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:51.784974 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 174 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:52.114891 109.234.159.219:0 > 94.126.30.226:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:55.996406 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:56.691888 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:57.825544 109.234.159.219:0 > 89.20.135.99:0 protocol: unknown frag: 0 packets: 1 size: 302 bytes ttl: 0 sample ratio: 8192
2015-11-30 09:59:58.547535 109.206.132.78:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 190 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:03.069321 109.234.159.219:0 > 194.190.93.17:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:03.175826 109.206.132.78:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:04.015466 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 206 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:05.030997 194.190.93.17:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:05.734026 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:05.780176 109.234.159.219:0 > 89.20.135.99:0 protocol: unknown frag: 0 packets: 1 size: 222 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:06.573739 194.190.93.17:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 238 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:09.104601 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 1438 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:09.994431 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:10.171008 109.206.132.78:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:10.204822 109.234.159.219:4500 > 95.128.244.61:4500 protocol: udp frag: 0 packets: 1 size: 150 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:10.251313 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:10.251317 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:12.881611 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:13.247669 109.234.159.219:4500 > 95.128.244.61:4500 protocol: udp frag: 0 packets: 1 size: 150 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:14.285425 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 1070 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:14.332841 109.234.159.219:0 > 94.126.30.226:0 protocol: unknown frag: 0 packets: 1 size: 174 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:14.928700 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:15.043949 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 302 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:16.356853 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:18.150108 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 142 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:18.835278 109.234.159.219:0 > 89.20.135.99:0 protocol: unknown frag: 0 packets: 1 size: 462 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:19.510726 89.20.139.74:0 > 109.234.159.219:0 protocol: unknown frag: 0 packets: 1 size: 1438 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:19.622811 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 286 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:20.993370 109.234.159.219:0 > 89.20.135.99:0 protocol: unknown frag: 0 packets: 1 size: 302 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:21.277501 109.234.159.219:0 > 194.190.93.17:0 protocol: unknown frag: 0 packets: 1 size: 1502 bytes ttl: 0 sample ratio: 8192
2015-11-30 10:00:21.918808 109.234.159.219:4500 > 95.128.244.61:4500 protocol: udp frag: 0 packets: 1 size: 166 bytes ttl: 0 sample ratio: 8192

pavel-odintsov commented 9 years ago

Hi

This is specifically about the attack protocol, and it is unknown because, according to the pattern, no particular kind of traffic clearly predominated. So I cannot replace it with a numeric metric =(

cmhungry commented 9 years ago

2015-11-30 10:00:19.622811 109.234.159.219:0 > 79.135.229.246:0 protocol: unknown frag: 0 packets: 1 size: 286 bytes ttl: 0 sample ratio: 8192

but right here a number could be shown, couldn't it?

pavel-odintsov commented 9 years ago

Ah, yes, here it is easy. By the way, in the next version a full pcap dump will be collected for sflow.
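The two things discussed in this thread, the per-packet dump line where a protocol number can replace "unknown", and the whole-attack label that stays "unknown" when no protocol predominates, as an added example that is not FastNetMon's own code. The line format is taken from the dump above; the dominance threshold, the `proto_label`/`attack_protocol` names and the sample lines (TEST-NET addresses) are assumptions made for this example.

```python
import re

# IANA protocol numbers for the three names the report above prints;
# any other protocol is rendered as its bare number so it can be filtered on.
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}
NAME_PROTO = {v: k for k, v in PROTO_NAME.items()}

# One per-packet dump line, in the layout shown in the issue.
DUMP_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"protocol: (?P<proto>\S+) frag: (?P<frag>\d+) packets: (?P<packets>\d+) "
    r"size: (?P<size>\d+) bytes ttl: (?P<ttl>\d+) sample ratio: (?P<ratio>\d+)$"
)

def proto_label(number):
    """Name for tcp/udp/icmp, the IANA number as a string for everything else."""
    return PROTO_NAME.get(number, str(number))

def parse_dump_line(line):
    """Parse one dump line; 'protocol:' may be a name, a number or 'unknown'.
    Returns None for lines that do not match the format."""
    m = DUMP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = rec["proto"]
    rec["proto"] = int(p) if p.isdigit() else NAME_PROTO.get(p)  # None == unknown
    for key in ("sport", "dport", "frag", "packets", "size", "ttl", "ratio"):
        rec[key] = int(rec[key])
    return rec

def attack_protocol(pps_by_proto, dominance=0.5):
    """Whole-attack label: the protocol carrying more than `dominance` of all
    sampled packets, else 'unknown' (the maintainer's case: nothing predominates).
    The 0.5 threshold is a hypothetical value, not FastNetMon's own rule."""
    total = sum(pps_by_proto.values())
    if total == 0:
        return "unknown"
    proto, pps = max(pps_by_proto.items(), key=lambda kv: kv[1])
    return proto_label(proto) if pps / total > dominance else "unknown"

# Constructed sample: a line as printed today, one with a numeric protocol
# (what the issue asks for), and one malformed line the parser must reject.
SAMPLE = [
    "2015-11-30 10:00:19.622811 192.0.2.10:0 > 192.0.2.20:0 protocol: unknown frag: 0 packets: 1 size: 286 bytes ttl: 0 sample ratio: 8192",
    "2015-11-30 10:00:19.700000 192.0.2.10:0 > 192.0.2.20:0 protocol: 47 frag: 0 packets: 1 size: 286 bytes ttl: 0 sample ratio: 8192",
    "not a dump line",
]
```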