pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Enhanced attack Thresholds #593

Closed hornetsfan16 closed 2 years ago

hornetsfan16 commented 7 years ago

Hi @pavel-odintsov, is there any way to set up the thresholds so that a minimum bps AND pps value must be met before it is considered an attack? i.e. it is currently looking at whether traffic exceeds a pps OR bps value

hornetsfan16 commented 7 years ago

@pavel-odintsov would greatly appreciate confirmation about this

pavel-odintsov commented 7 years ago

No, I do not have plans for it. You could change 1 line in C++ code and recompile project.

jnorell commented 5 years ago

We're also interested in this capability, so I've been thinking a little on config syntax. I think for our use cases a single setting (well, one for global and one specific to each host group) would probably work to specify AND vs. OR logic. (E.g. use case: we just saw 3500 flows/sec from a SYN flood/port scan, but only 2 mbps - certainly not legitimate traffic, but we don't want to trigger a ban unless we hit the # flows AND mbps threshold.)

I'll propose a global setting match_condition (set to any or all), and the akin names for each hostgroup.

# set 'all' to require multiple limits to 
match_condition = any

# global rules match any, as current behavior

# this hostgroup matches 'any' by default
hostgroup = foo:10.0.0.0/24
foo_enable_ban = on
foo_ban_for_pps = on
foo_ban_for_bandwidth = on
foo_ban_for_flows = off
foo_threshold_pps = 20000
foo_threshold_mbps = 30
foo_threshold_flows = 3500

# same hostgroup, second set of limits (3500 flows and 10mbps)
hostgroup = foo_flows:10.0.0.0/24
foo_flows_enable_ban = on
foo_flows_match_condition = all
foo_flows_ban_for_pps = off
foo_flows_ban_for_bandwidth = on
foo_flows_ban_for_flows = on
foo_flows_threshold_mbps = 10
foo_flows_threshold_flows = 3500

This assumes that having a larger number of hostgroups scales ok, which I don't know; if keeping the number of hostgroups smaller is better, you could define names of limit groups, eg.:

# set 'all' to require multiple limits to 
match_condition = any

# global rules match any, as current behavior

limitgroups = flows,packets,name3

# this hostgroup matches 'any' by default
hostgroup = foo:10.0.0.0/24
foo_enable_ban = on
foo_ban_for_pps = on
foo_ban_for_bandwidth = on
foo_ban_for_flows = off
foo_threshold_pps = 20000
foo_threshold_mbps = 30
foo_threshold_flows = 3500

# still 'foo' hostgroup, matching 'flows' limit group
foo_flows_match_condition = all
foo_flows_ban_for_pps = off
foo_flows_ban_for_bandwidth = on
foo_flows_ban_for_flows = on
foo_flows_threshold_mbps = 10
foo_flows_threshold_flows = 3500

# didn't use 'packets' limit group for 'foo' host group

# still 'foo' hostgroup, matching 'name3' limit group
foo_name3_match_condition = all
foo_name3_ban_for_pps = on
foo_name3_ban_for_bandwidth = on
foo_name3_ban_for_flows = on
foo_name3_threshold_pps = 10000
foo_name3_threshold_mbps = 10
foo_name3_threshold_flows = 500

pavel-odintsov commented 5 years ago

Hello!

Thank you for feedback!

I think it may be very complicated to encode it in a flexible way with all these logical conditions.

What do you think about using Lua code for it? It may be an option to switch all logic to Lua code and disable FastNetMon's logic completely. We already support Lua and you can call it easily.

You can put call here https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.cpp#L4379 and then pass all arguments to it.

We already do it for sflow/netflow hooks https://github.com/pavel-odintsov/fastnetmon/blob/master/src/sflow_plugin/sflow_collector.cpp#L786 and this code works fine.

Let me know if you need any help during implementation!
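The any/all threshold logic proposed in the config sketch above, and the per-host evaluation a detection hook like the one suggested here would have to perform, as an added standalone C++ example. This is not FastNetMon's code and uses none of its internals: the LimitGroup and TrafficSample types, the exceeds and first_match functions, and the strict greater-than comparison against each threshold are assumptions made for the example; the traffic samples are constructed.

```cpp
// Added example (not FastNetMon code): evaluate host-group limits with
// "any" (the current OR behaviour) or "all" (the proposed AND behaviour).
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

enum class MatchCondition { Any, All };

// One limit set for a host group, mirroring the proposed <group>_* config keys.
// Names and layout are assumptions for the example.
struct LimitGroup {
    std::string name;
    MatchCondition match_condition = MatchCondition::Any;
    bool ban_for_pps = false;
    bool ban_for_bandwidth = false;
    bool ban_for_flows = false;
    uint64_t threshold_pps = 0;
    uint64_t threshold_mbps = 0;
    uint64_t threshold_flows = 0;
};

// Per-host traffic observed in the current window (constructed values below).
struct TrafficSample {
    uint64_t pps;
    uint64_t mbps;
    uint64_t flows;
};

// True when the sample exceeds the limit group under its match condition.
// Only enabled limits participate; a group with no enabled limit never matches.
// Thresholds are compared with strict greater-than (an assumption).
bool exceeds(const LimitGroup& g, const TrafficSample& s) {
    int enabled = 0, exceeded = 0;
    auto check = [&](bool on, uint64_t value, uint64_t threshold) {
        if (!on) return;
        ++enabled;
        if (value > threshold) ++exceeded;
    };
    check(g.ban_for_pps, s.pps, g.threshold_pps);
    check(g.ban_for_bandwidth, s.mbps, g.threshold_mbps);
    check(g.ban_for_flows, s.flows, g.threshold_flows);
    if (enabled == 0) return false;
    return g.match_condition == MatchCondition::All ? exceeded == enabled
                                                    : exceeded > 0;
}

// A host is banned when any of its limit groups matches. Returns the name of
// the first matching group, or an empty string when nothing matched.
std::string first_match(const std::vector<LimitGroup>& groups, const TrafficSample& s) {
    for (const auto& g : groups)
        if (exceeds(g, s)) return g.name;
    return "";
}

// The "foo" host group from the proposal: the default 'any' limits plus a
// 'flows' limit group that requires flows AND bandwidth to both be exceeded.
std::vector<LimitGroup> foo_groups() {
    LimitGroup base;
    base.name = "foo";
    base.match_condition = MatchCondition::Any;
    base.ban_for_pps = true;  base.ban_for_bandwidth = true;  base.ban_for_flows = false;
    base.threshold_pps = 20000;  base.threshold_mbps = 30;  base.threshold_flows = 3500;

    LimitGroup flows;
    flows.name = "foo_flows";
    flows.match_condition = MatchCondition::All;
    flows.ban_for_pps = false;  flows.ban_for_bandwidth = true;  flows.ban_for_flows = true;
    flows.threshold_mbps = 10;  flows.threshold_flows = 3500;
    return {base, flows};
}

int main() {
    const auto groups = foo_groups();
    // Constructed samples: the SYN flood from the thread (many flows, 2 mbps),
    // the same flood with real bandwidth behind it, and a plain pps flood.
    const TrafficSample syn_low_bw{5000, 2, 4000};
    const TrafficSample syn_high_bw{5000, 12, 4000};
    const TrafficSample pps_flood{25000, 5, 100};
    for (const auto* s : {&syn_low_bw, &syn_high_bw, &pps_flood}) {
        const std::string hit = first_match(groups, *s);
        std::cout << s->pps << " pps, " << s->mbps << " mbps, " << s->flows
                  << " flows -> " << (hit.empty() ? "no ban" : "ban via " + hit) << "\n";
    }
    return 0;
}
```

With the 'all' group, the low-bandwidth SYN flood does not trigger a ban because only the flows limit is over, while the same flow rate at 12 mbps matches foo_flows; turning ban_for_flows on in the base 'any' group reproduces the current OR behaviour, where the flow count alone would ban the host.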

pavel-odintsov commented 2 years ago

We've decided to drop Lua code due to literally zero requests for such a facility. More complicated detection scenarios can be implemented in Advanced edition: https://fastnetmon.com/docs-fnm-advanced/flexible-thresholds/