pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Problem on notification #671

Closed vvserpent closed 6 years ago

vvserpent commented 7 years ago

I have Fastnetmon 1.1.3 running and it can detect the attack with the netflow data.

I found that there have been no attack detail notifications recently. I have checked the fastnetmon.log and found that attacks were detected. The system has log messages of ban/unban for specific IPs. But the system doesn't call the script for notification about attack details.

May I have your help to tell me what the problem is? What is the condition to trigger the email notification?

Here is the capture from the fastnetmon.log

2017-07-05 04:58:32,333 [INFO] We detected this attack by mbps limit
2017-07-05 04:58:32,344 [INFO] We have found host group for this host as: ABC-NET2
2017-07-05 04:58:32,354 [INFO] We run execute_ip_ban code with following params in_pps: 69542 out_pps: 0 in_bps: 104306641 out_bps: 0 and we decide it's incoming attack
2017-07-05 04:58:32,355 [INFO] Attack with direction: incoming IP: XXX.YYY.ZZZ.232 Power: 69542
2017-07-05 04:58:32,384 [INFO] Call script for ban client: XXX.YYY.ZZZ.232
2017-07-05 04:58:32,384 [INFO] Script for ban client is finished: XXX.YYY.ZZZ.232
2017-07-05 05:30:57,531 [INFO] We will unban banned IP: XXX.YYY.ZZZ.232 because it ban time 1900 seconds is ended
2017-07-05 05:30:57,531 [INFO] Call script for unban client: XXX.YYY.ZZZ.232
2017-07-05 05:30:57,531 [INFO] Script for unban client is finished: XXX.YYY.ZZZ.232

pavel-odintsov commented 7 years ago

Hello!

It's expected. If FNM could not collect enough packets about the attack, it will not send details at all. It's an optional script call, and for netflow it's normal.

rafish1 commented 5 years ago

Hello, I have a similar problem. I can see fastnetmon_client, but nothing triggers the alert.

FastNetMon v1.0 FastVPS Eesti OU (c) VPS and dedicated: http://FastVPS.host
IPs ordered by: packets
Incoming traffic 138240 pps 815 mbps 0 flows
x.x.x.150 29170 pps 76 mbps 0 flows
x.x.x.9 15006 pps 27 mbps 0 flows
x.x.247.10 16078 pps 40 mbps 0 flows
x.x.149.161 925 pps 10 mbps 0 flows
x.x.46.81 4353 pps 50 mbps 0 flows
x.x.92.84 4164 pps 43 mbps 0 flows
x..x92.82 5934 pps 62 mbps 0 flows
x.x.162.5 3886 pps 44 mbps 0 flows
x.x.43.181 2254 pps 9 mbps 0 flows
x.x.114.97 2488 pps 29 mbps 0 flows

Outgoing traffic 591360 pps 1872 mbps 0 flows
x.x.247.9 208533 pps 434 mbps 0 flows
x.x.247.10 192897 pps 392 mbps 0 flows
x.x.150 49113 pps 480 mbps 0 flows
x.x.247.2 18243 pps 31 mbps 0 flows
x.x.247.1 22241 pps 51 mbps 0 flows
x.x.59.189 4149 pps 48 mbps 0 flows
x.x.209.209 197 pps 0 mbps 0 flows
x.x.88.26 733 pps 8 mbps 0 flows
x.x.36.148 8036 pps 5 mbps 0 flows
x.x.92.82 2830 pps 1 mbps 0 flows

Internal traffic 471040 pps 4734 mbps

Other traffic 10240 pps 118 mbps

From the log:
2019-01-29 12:42:20,884 [INFO] sflow plugin will listen on x.x.1.113:6343 udp port
2019-01-29 12:48:40,000 [INFO] **Time from last run of speed_recalc is soooo big, we got ugly lags: 2**
2019-01-29 12:54:00,000 [INFO] Time from last run of speed_recalc is soooo big, we got ugly lags: 2

Conf file:
###
### Main configuration params
###

# Enable/Disable any actions in case of attack
enable_ban = on

# We could disable processing for certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on

# How many packets we will collect from the attack's traffic
#ban_details_records_count = 500
ban_details_records_count = 500

# How long we should keep an IP in blocked state
# If you set 0 here it completely disables unban capability
ban_time = 1900

# With this variable you could enable per subnet speed meters
# For each subnet from subnet list we will track speed in bps and pps for both directions
#enable_subnet_counters = off

# In this file you should list all your networks in CIDR format
networks_list_path = /etc/networks_list

# In this file you could list networks in CIDR format which will be not monitored for attacks
white_list_path = /etc/networks_whitelist

# How often we redraw client's screen
check_period = 1

# Connection tracking is very useful for attack detection because it provides a huge amount of information
# But it's very CPU intensive and not recommended in big networks
#enable_connection_tracking = off
enable_connection_tracking = off

#This configuration is from github site
# Create group of hosts with non-standard thresholds
# You should create this group before (in configuration file) specifying any limits
hostgroup = my_hosts:x.x.1.113/32

# Configure this group
my_hosts_enable_ban = on

my_hosts_ban_for_pps = on
my_hosts_ban_for_bandwidth = on
my_hosts_ban_for_flows = off

my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 2000
my_hosts_threshold_flows = 3

# End config from Github

# Different approaches to attack detection
  ban_for_pps = on
 ban_for_bandwidth = on
  ban_for_flows = off

# Limits for Dos/DDoS attacks
  threshold_pps = 200
  threshold_mbps = 85
  threshold_flows = 35

# Per protocol attack thresholds
# We don't implement per protocol flow limits, sorry :(
# These limits should be smaller than global pps/mbps limits

threshold_tcp_mbps = 10
threshold_udp_mbps = 10
threshold_icmp_mbps = 10

threshold_tcp_pps = 10
threshold_udp_pps = 10
threshold_icmp_pps = 10

ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off

ban_for_tcp_pps = on
ban_for_udp_pps = on
ban_for_icmp_pps = on

###
### Traffic capture methods
###

# PF_RING traffic capture, enough fast but wire speed version need paid license
mirror = off

# Netmap traffic capture (very fast but need patched drivers)
mirror_netmap = off

# Pcap mode, very slow not suitable for production
pcap = off
# Netflow capture method with v5, v9 and IPFIX support
#netflow = on
netflow = off
# sFLOW capture suitable for switches
sflow = on

# PF_RING configuration
# If you have a license for PF_RING ZC you could enable this mode and it could achieve wire speed for 10GE
enable_pf_ring_zc_mode = off

# Configuration for netmap, mirror, pcap modes
# For pcap and PF_RING we could specify "any"
# For netmap and PF_RING we could specify multiple interfaces = eth0
interfaces = eth0
# We use average values for traffic speed to certain IP and we calculate average over this time slice
#average_calculation_time = 5
average_calculation_time = 60
# We use average values for traffic speed for subnet and we calculate average over this time slice
#average_calculation_time_for_subnets = 20
average_calculation_time_for_subnets = 20

# Netflow configuration
#netflow_port = 2055
#netflow_host = x.x.7.6

# For bind to all interfaces = eth0
# For bind to localhost for specific protocol:      ::1 or 127.0.0.1

# Netflow agents uses different and very complex approaches for notifying about sample ratio
# Here you could specify sampling ratio for all agents
netflow_sampling_ratio = 1

# sFLOW configuration
sflow_port = 6343
sflow_host = x.x.1.113

###
### Actions when attack detected
###

# This script is executed for ban, unban and attack details collection
notify_script_path = /usr/local/bin/notify_about_attack.sh

# We could put attack details to Redis
redis_enabled = no

# Redis configuration
redis_port = 6379
redis_host = 127.0.0.1

# ExaBGP could announce blocked IPs with BGP protocol
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114

# Announce origin subnet of IP address instead IP itself
exabgp_announce_whole_subnet = no

# Graphite monitoring
# graphite = on
# graphite_host = x.x.1.113
# graphite_port = 2003

# With this option enabled we could add local IP addresses and aliases to monitoring list
# Works only for Linux
monitor_local_ip_addresses = on

###
### Client configuration
###

# Field used for sorting in client, could be: packets, bytes or flows
sort_parameter = packets
# How many IPs we will list for incoming and outgoing channel eaters
max_ips_in_list = 10

Any idea ?

Regards Rafi

pavel-odintsov commented 5 years ago

Hello!

It looks correct! Can you show whole log file, please?

Thank you!

rafish1 commented 5 years ago

Hello,

I found the problem, it was an unnecessary space in the conf file.

Regards Rafi
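A small check for the whitespace problem Rafi found, added here as an example and not part of FastNetMon: it lints a "key = value" config for indented keys, malformed lines and keys set twice, and can left-align the file. It assumes, as this thread reports, that FastNetMon does not recognise a key that is preceded by whitespace; the sample config is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the indented lines in the thread's conf file
SAMPLE_CONF = """\
# Different approaches to attack detection
  ban_for_pps = on
 ban_for_bandwidth = on
ban_for_flows = off

# Limits for Dos/DDoS attacks
  threshold_pps = 200
threshold_mbps = 85
threshold_mbps = 90
sflow = on
"""

KEY_VALUE_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*)$")


def lint_fastnetmon_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs for a 'key = value' config.

    Flags whitespace before a key (assumed, per the thread, to make the key
    unrecognised), lines that are neither comment nor 'key = value', and
    keys that are set more than once (the later value silently wins).
    """
    problems: List[Tuple[int, str]] = []
    seen: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace():
            problems.append((lineno, f"leading whitespace before key: {stripped!r}"))
        match = KEY_VALUE_RE.match(stripped)
        if not match:
            problems.append((lineno, f"not a 'key = value' line: {stripped!r}"))
            continue
        key = match.group("key")
        if key in seen:
            problems.append((lineno, f"duplicate key {key}, first set on line {seen[key]}"))
        else:
            seen[key] = lineno
    return problems


def left_align(text: str) -> str:
    """Apply the fix from the thread: drop leading whitespace on every line."""
    return "\n".join(line.lstrip() for line in text.splitlines()) + "\n"
```

Run the linter on the real file before restarting the daemon; a clean run still leaves the duplicate-key warning, which is worth resolving so the intended threshold is the one in effect.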

pavel-odintsov commented 5 years ago

Hello!

Perfect! Thank you!


-- Sincerely yours, Pavel Odintsov