pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0
3.43k stars, 568 forks

No traffic detection #570

Closed ZhenyaSStoyanova closed 7 years ago

ZhenyaSStoyanova commented 8 years ago

Hi Pavel,

I have installed FastNetMon on CentOS 6.8 and I have flooded it with hping3 at 170 kpps, but when running /opt/fastnetmon/fastnetmon_client it shows 0 pps/mbps.

Any Idea what is missing? Thanks in advance

David-yanp commented 8 years ago

I have the same problem after updating FastNetMon to 1.1.3.

2016-09-22 10:05:24,851 [INFO] Logger initialized!
2016-09-22 10:05:24,851 [WARN] We add subnet 192.168.1.2/32 to host group my_hosts
2016-09-22 10:05:24,851 [INFO] We have created host group my_hosts with 1 subnets
2016-09-22 10:05:24,852 [INFO] We will read ban settings for my_hosts
2016-09-22 10:05:24,857 [INFO] Read configuration file
2016-09-22 10:05:24,857 [INFO] We are working on Linux and could use ip tool for detecting local IP's
2016-09-22 10:05:24,866 [INFO] We found 2 local IP addresses and will monitor they
2016-09-22 10:05:24,866 [INFO] We loaded 21 networks from networks file
2016-09-22 10:05:24,866 [INFO] Totally we have 23 IPv4 subnets
2016-09-22 10:05:24,866 [INFO] Totally we have 0 IPv6 subnets
2016-09-22 10:05:24,866 [INFO] Total number of monitored hosts (total size of all networks): 22050
2016-09-22 10:05:24,866 [INFO] We need 13 MB of memory for storing counters for your networks
2016-09-22 10:05:24,866 [INFO] I will allocate 256 records for subnet 8293181 cidr mask: 24
2016-09-22 10:05:24,866 [INFO] I will allocate 256 records for subnet 6331709 cidr mask: 24
2016-09-22 10:05:24,867 [INFO] I will allocate 256 records for subnet 2473021 cidr mask: 24
2016-09-22 10:05:24,867 [INFO] I will allocate 512 records for subnet 2538557 cidr mask: 23
2016-09-22 10:05:24,868 [INFO] I will allocate 1024 records for subnet 31606 cidr mask: 22
2016-09-22 10:05:24,869 [INFO] I will allocate 512 records for subnet 293750 cidr mask: 23
2016-09-22 10:05:24,870 [INFO] I will allocate 512 records for subnet 424822 cidr mask: 23
2016-09-22 10:05:24,870 [INFO] I will allocate 1024 records for subnet 555894 cidr mask: 22
2016-09-22 10:05:24,871 [INFO] I will allocate 128 records for subnet 818038 cidr mask: 25
2016-09-22 10:05:24,871 [INFO] I will allocate 32 records for subnet 2148301686 cidr mask: 27
2016-09-22 10:05:24,871 [INFO] I will allocate 256 records for subnet 883574 cidr mask: 24
2016-09-22 10:05:24,872 [INFO] I will allocate 512 records for subnet 949110 cidr mask: 23
2016-09-22 10:05:24,872 [INFO] I will allocate 2048 records for subnet 1080182 cidr mask: 21
2016-09-22 10:05:24,875 [INFO] I will allocate 2048 records for subnet 2638205 cidr mask: 21
2016-09-22 10:05:24,877 [INFO] I will allocate 1024 records for subnet 4997501 cidr mask: 22
2016-09-22 10:05:24,877 [INFO] I will allocate 1024 records for subnet 5259645 cidr mask: 22
2016-09-22 10:05:24,878 [INFO] I will allocate 1024 records for subnet 7094653 cidr mask: 22
2016-09-22 10:05:24,879 [INFO] I will allocate 1024 records for subnet 7356797 cidr mask: 22
2016-09-22 10:05:24,880 [INFO] I will allocate 1 records for subnet 4268900733 cidr mask: 32
2016-09-22 10:05:24,880 [INFO] I will allocate 1 records for subnet 33663168 cidr mask: 32
2016-09-22 10:05:24,880 [INFO] I will allocate 8192 records for subnet 14718419 cidr mask: 19
2016-09-22 10:05:24,886 [INFO] I will allocate 128 records for subnet 4171484 cidr mask: 25
2016-09-22 10:05:24,886 [INFO] I will allocate 256 records for subnet 4237020 cidr mask: 24
2016-09-22 10:05:24,887 [INFO] We start total zerofication of counters
2016-09-22 10:05:24,887 [INFO] We finished zerofication
2016-09-22 10:05:24,887 [INFO] We loaded 23 IPv4 subnets to our in-memory list of networks
2016-09-22 10:05:24,888 [INFO] Run banlist cleanup thread, we will awake every 60 seconds
2016-09-22 10:05:24,888 [INFO] netflow plugin started
2016-09-22 10:05:24,888 [INFO] Using custom sampling ratio for netflow: 100
2016-09-22 10:05:24,888 [INFO] netflow: We will listen on 1 ports
2016-09-22 10:05:24,889 [INFO] netflow plugin will listen on 192.168.1.2:2055 udp port

David-yanp commented 8 years ago
logging:local_syslog_logging = off
logging:remote_syslog_logging = off
logging:remote_syslog_server = 10.10.10.10
logging:remote_syslog_port = 514
enable_ban = on
process_incoming_traffic = on
process_outgoing_traffic = on
ban_details_records_count = 100
ban_time = 1900
unban_only_if_attack_finished = on
enable_subnet_counters = off
networks_list_path = /etc/networks_list
white_list_path = /etc/networks_whitelist
check_period = 1
enable_connection_tracking = off
ban_for_pps = off
ban_for_bandwidth = off
ban_for_flows = off
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500
threshold_tcp_mbps = 100000
threshold_udp_mbps = 100000
threshold_icmp_mbps = 100000
threshold_tcp_pps = 100000
threshold_udp_pps = 100000
threshold_icmp_pps = 100000
ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
mirror = off
pfring_sampling_ratio = 1
mirror_netmap = off
mirror_snabbswitch = off
mirror_afpacket = off
interfaces = em1
netmap_sampling_ratio = 1
netmap_read_packet_length_from_ip_header = off
pcap = off
netflow = on
sflow = off
enable_pf_ring_zc_mode = off
interfaces = em2
average_calculation_time = 5
average_calculation_time_for_subnets = 20
netflow_port = 2055
netflow_host = 192.168.1.2
netflow_sampling_ratio = 100
netflow_divide_counters_on_interval_length = off
sflow_port = 6343
sflow_host = 0.0.0.0
notify_script_path = /usr/local/bin/notify_about_attack.sh
notify_script_pass_details = on
collect_attack_pcap_dumps = off
process_pcap_attack_dumps_with_dpi = off
redis_enabled = off
redis_port = 6379
redis_host = 127.0.0.1
redis_prefix = mydc1
mongodb_enabled = off
mongodb_host = localhost
mongodb_port = 27017
mongodb_database_name = fastnetmon
pfring_hardware_filters_enabled = off
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114
exabgp_announce_host = on
exabgp_announce_whole_subnet = off
exabgp_flow_spec_announces = off
gobgp = off
gobgp_next_hop = 0.0.0.0
gobgp_announce_host = on
gobgp_announce_whole_subnet = off
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003
graphite_prefix = fastnetmon
monitor_local_ip_addresses = on
hostgroup = my_hosts:192.168.1.2/32
my_hosts_enable_ban = off
my_hosts_ban_for_pps = off
my_hosts_ban_for_bandwidth = off
my_hosts_ban_for_flows = off
my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 1000
my_hosts_threshold_flows = 3500
pid_path = /var/run/fastnetmon.pid
cli_stats_file_path = /tmp/fastnetmon.dat
enable_api = off
sort_parameter = packets
max_ips_in_list = 7

pavel-odintsov commented 8 years ago

Just switch option mirror to on: mirror = on.


Sincerely yours, Pavel Odintsov

David-yanp commented 8 years ago

Hello Pavel, thank you for the reply. It does not work when I switch the option mirror to on. I want FastNetMon to use netflow to detect attacks. Thanks again.

2016-09-23 10:09:01,395 [INFO] We finished zerofication
2016-09-23 10:09:01,395 [INFO] We loaded 23 IPv4 subnets to our in-memory list of networks
2016-09-23 10:09:01,396 [INFO] Run banlist cleanup thread, we will awake every 60 seconds
2016-09-23 10:09:01,396 [INFO] PF_RING plugin started
2016-09-23 10:09:01,396 [INFO] We selected interface:em2
2016-09-23 10:09:01,396 [INFO] netflow plugin started
2016-09-23 10:09:01,396 [INFO] Using custom sampling ratio for netflow: 100
2016-09-23 10:09:01,396 [INFO] netflow: We will listen on 1 ports
2016-09-23 10:09:01,396 [INFO] netflow plugin will listen on 192.168.1.2:2055 udp port
2016-09-23 10:09:01,412 [INFO] Successully binded to: em2
2016-09-23 10:09:01,412 [INFO] Device RX channels number: 5
2016-09-23 10:09:01,412 [INFO] Using PF_RING v.6.0.3

image

pavel-odintsov commented 8 years ago

What is your netflow configuration on the router side?


Sincerely yours, Pavel Odintsov

David-yanp commented 8 years ago

My network router vendor is Huawei; Huawei NetStream is similar to Cisco netflow. I did not change any configuration on the router side when I updated the fastnetmon version to 1.1.3.

ip netstream export source 192.168.1.1
ip netstream export host 192.168.1.2 2055
 ip netstream timeout active 1 
 ip netstream timeout inactive 10 
 ip netstream tcp-flag enable

slot 1
GigabitEthernet1/1/1
 ip netstream inbound
 ip netstream outbound
 ip netstream sampler fix-packets 10 inbound
 ip netstream sampler fix-packets 10 outbound

slot 2
GigabitEthernet2/1/0
 ip netstream inbound
 ip netstream outbound
 ip netstream sampler fix-packets 10 inbound
 ip netstream sampler fix-packets 10 outbound
GigabitEthernet2/1/1
 ip netstream inbound
 ip netstream outbound
 ip netstream sampler fix-packets 10 inbound
 ip netstream sampler fix-packets 10 outbound
GigabitEthernet2/1/2
 ip netstream inbound
 ip netstream outbound
 ip netstream sampler fix-packets 10 inbound
 ip netstream sampler fix-packets 10 outbound

slot
 slot 1:ip netstream sampler to slot self
 slot 2:ip netstream sampler to slot self

pavel-odintsov commented 8 years ago

Actually I do not know. 1.1.3 does not have any significant changes and it should work.

David-yanp commented 8 years ago

@pavel-odintsov Could you give me some advice ?

pavel-odintsov commented 8 years ago

According to the documents, NetStream is netflow v9 or IPFIX. They are known to work very well. Please be sure you have packets arriving at port 2055 on the FastNetMon box. Also you could capture a small number of packets and share them with me.

Also you have a sampler configuration, and FastNetMon does not have support for sampling.

David-yanp commented 8 years ago

I captured some packets and sent them to your gmail.

shriharipandit commented 8 years ago

@itsjoke Can you share the working Huawei configuration?

David-yanp commented 8 years ago

@shriharipandit Yes, this is my configuration; it works for me.

ip netstream export version 9
ip netstream export source 192.168.x.x
ip netstream export host 192.168.x.x 2055
ip netstream export template timeout-rate 1
ip netstream export template option timeout-rate 1
 ip netstream timeout active 1 
 ip netstream timeout inactive 5 
 ip netstream tcp-flag enable
ip netstream aggregation prefix
 template timeout-rate 2
 export version 9
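
The working configuration above switches the exporter to NetFlow v9 and resends templates every minute, and Pavel's earlier advice was to confirm that packets actually reach port 2055 and to look at a capture. The reason the template rate matters, shown as an added example that is not part of this thread and not FastNetMon's own code: a v9 collector cannot decode a data flowset until it has received the template that flowset references, so a collector that was just restarted (for instance after the upgrade to 1.1.3) counts nothing until the exporter's next template refresh. The decoder below is a minimal NetFlow v9 parser written for this illustration; the packets it feeds itself are constructed inline, and the field set (IPv4 src/dst, ports, protocol, packet and byte counters), the 1:10 sampling ratio and the 192.168.1.2 destination are assumptions chosen to match the router and collector configs posted in the thread.

```python
import ipaddress
import socket
import struct

# NetFlow v9 field type IDs (RFC 3954) for the constructed template below.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}


class NetflowV9Decoder:
    """Decodes v9 export packets. A data flowset is only usable once the
    template it references has been seen from the same source_id."""

    def __init__(self):
        self.templates = {}    # (source_id, template_id) -> [(field_type, length), ...]
        self.records = []      # decoded flow records, one dict each
        self.undecodable = 0   # data flowsets dropped because no template was known

    def feed(self, packet):
        version, count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet (version %d)" % version)
        offset = 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4:
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:          # template flowset
                self._parse_templates(source_id, body)
            elif flowset_id > 255:       # data flowset; its id is the template id
                self._parse_data(source_id, flowset_id, body)
            # flowset id 1 (options template) is ignored in this illustration
            offset += length
        return {"count": count, "seq": seq, "source_id": source_id}

    def _parse_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[off:off + 4]))
                off += 4
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.undecodable += 1        # the only thing a collector can do without the template
            return
        rec_len = sum(flen for _, flen in fields)
        off = 0
        while off + rec_len <= len(body):      # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                rec[name] = str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
            self.records.append(rec)


def _header(count, seq, source_id=1):
    # version 9, record count, sysuptime, unix secs, sequence number, source id (constructed values)
    return struct.pack("!HHIIII", 9, count, 123456, 1474510800, seq, source_id)


TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]


def build_template_packet(template_id=256, seq=1):
    body = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
    for ftype, flen in TEMPLATE_FIELDS:
        body += struct.pack("!HH", ftype, flen)
    return _header(1, seq) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(flows, template_id=256, seq=2):
    body = b""
    for src, dst, sport, dport, proto, pkts, nbytes in flows:
        body += socket.inet_aton(src) + socket.inet_aton(dst)
        body += struct.pack("!HHBII", sport, dport, proto, pkts, nbytes)
    body += b"\x00" * ((-len(body)) % 4)      # flowsets are padded to a 32-bit boundary
    return _header(len(flows), seq) + struct.pack("!HH", template_id, 4 + len(body)) + body


def estimate_rate(records, sampling_ratio, interval_seconds):
    """Scale sampled counters back up. With a 1:N packet sampler on the exporter
    (fix-packets 10 in the thread) each counted packet stands for about N real ones,
    so the ratio configured on the collector must be N, not some other value."""
    pkts = sum(r["in_pkts"] for r in records) * sampling_ratio
    nbytes = sum(r["in_bytes"] for r in records) * sampling_ratio
    return pkts / interval_seconds, nbytes * 8 / interval_seconds / 1e6   # pps, Mbit/s


# Constructed sample: two flows toward 192.168.1.2 as the exporter would report them.
SAMPLE_FLOWS = [("10.0.0.5", "192.168.1.2", 40000, 80, 6, 1000, 64000),
                ("10.0.0.6", "192.168.1.2", 40001, 443, 6, 2000, 128000)]


def demo():
    """Collector restarted after the exporter last sent its template: the first
    data flowset is dropped, everything after the template refresh decodes."""
    dec = NetflowV9Decoder()
    dec.feed(build_data_packet(SAMPLE_FLOWS))          # arrives before any template: dropped
    lost_before_template = dec.undecodable
    dec.feed(build_template_packet())                  # template refresh (timeout-rate 1 = every minute)
    dec.feed(build_data_packet(SAMPLE_FLOWS, seq=3))   # now decodable
    return lost_before_template, dec.records


if __name__ == "__main__":
    lost, records = demo()
    print("data flowsets dropped before the template arrived:", lost)
    for rec in records:
        print(rec)
    print("estimated rate at 1:10 sampling over 60 s (pps, Mbit/s):", estimate_rate(records, 10, 60))
```

To apply this to a real capture, record the UDP payloads arriving on the collector with tcpdump -ni em2 -w netflow.pcap udp port 2055 (em2 is the interface from the log above; reading the pcap is left to whatever pcap library is at hand) and pass each payload to feed(): undecodable climbing while records stays empty means the exporter has not resent its templates since the collector started, which is exactly what a short template timeout-rate fixes. Note also that the router config in the thread samples 1:10 (fix-packets 10) while the posted fastnetmon.conf has netflow_sampling_ratio = 100; estimate_rate() shows why the two must agree before any pps or Mbit/s figure can be trusted.
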

Khappa commented 7 years ago

@itsjoke did you manage to solve your issues?

ZhenyaSStoyanova commented 7 years ago

Yes, thanks a lot. It was like... last year lol

Best Wishes Zhenya Lee-Johnson (Stoyanova)


Khappa commented 7 years ago

@ZhenyaSStoyanova , can you give me a hint? I'm struggling with the same issue. I did everything as recommended in the several threads about this issue, but it's still not processing any flow.

ZhenyaSStoyanova commented 7 years ago

I ran it on CentOS 6

I had to turn the monitoring ON

cat /etc/fastnetmon.conf | grep mirror

mirror = on
# Port mirroring sample rate
mirror_netmap = off
mirror_snabbswitch = off
mirror_afpacket = off
# Port mirroring sampling ratio
# This option should be enabled if you are using Juniper with mirroring of
# the first X bytes of packet: maximum-packet-length 110;
# Configuration for netmap, mirror, pcap modes

REBOOT

You need to start the process as well:

/usr/bin/killall fastnetmon
/opt/fastnetmon/fastnetmon --daemonize

Best Wishes Zhenya Lee-Johnson (Stoyanova)


pavel-odintsov commented 7 years ago

The original issue was solved. For related issues please create a new ticket. For Huawei-related issues please check https://github.com/pavel-odintsov/fastnetmon/issues/649 also.