Problem on notification

[vvserpent]

I have Fastnetmon 1.1.3 running and it can detect the attack with the netflow data.

I found that there is no attack detail notification recently. I have checked the fastnetmon.log and found there were attack detected. The system have log message of ban/ unban for specific IP. But the system does't call the script for notification about attack details.

May I have your help to tell me what is the problem ? what is the condition to trigger the email notification ?

Here is the capture from the fastnetmon.log

2017-07-05 04:58:32,333 [INFO] We detected this attack by mbps limit 2017-07-05 04:58:32,344 [INFO] We have found host group for this host as: ABC-NET2 2017-07-05 04:58:32,354 [INFO] We run execute_ip_ban code with following params in_pps: 69542 out_pps: 0 in_bps: 104306641 out_bps: 0 and we decide it's incoming attack 2017-07-05 04:58:32,355 [INFO] Attack with direction: incoming IP: XXX.YYY.ZZZ.232 Power: 69542 2017-07-05 04:58:32,384 [INFO] Call script for ban client: XXX.YYY.ZZZ.232 2017-07-05 04:58:32,384 [INFO] Script for ban client is finished: XXX.YYY.ZZZ.232 2017-07-05 05:30:57,531 [INFO] We will unban banned IP: XXX.YYY.ZZZ.232 because it ban time 1900 seconds is ended 2017-07-05 05:30:57,531 [INFO] Call script for unban client: XXX.YYY.ZZZ.232 2017-07-05 05:30:57,531 [INFO] Script for unban client is finished: XXX.YYY.ZZZ.232

[pavel-odintsov]

Hello!

It's expected. If FNM could not collect enough packets about attack it will not send details at all. It's optional script call and for netflow it's normal.

[rafish1]

Hello, I have similar problem, i can see fastnetmon_client but nothing trigger the alert

FastNetMon v1.0 FastVPS Eesti OU (c) VPS and dedicated: http://FastVPS.host IPs ordered by: packets Incoming traffic 138240 pps 815 mbps 0 flows x.x.x.150 29170 pps 76 mbps 0 flows x.x.x.9 15006 pps 27 mbps 0 flows x.x.247.10 16078 pps 40 mbps 0 flows x.x.149.161 925 pps 10 mbps 0 flows x.x.46.81 4353 pps 50 mbps 0 flows x.x.92.84 4164 pps 43 mbps 0 flows x..x92.82 5934 pps 62 mbps 0 flows x.x.162.5 3886 pps 44 mbps 0 flows x.x.43.181 2254 pps 9 mbps 0 flows x.x.114.97 2488 pps 29 mbps 0 flows

Outgoing traffic 591360 pps 1872 mbps 0 flows x.x.247.9 208533 pps 434 mbps 0 flows x.x.247.10 192897 pps 392 mbps 0 flows x.x.150 49113 pps 480 mbps 0 flows x.x.247.2 18243 pps 31 mbps 0 flows x.x.247.1 22241 pps 51 mbps 0 flows x.x.59.189 4149 pps 48 mbps 0 flows x.x.209.209 197 pps 0 mbps 0 flows x.x.88.26 733 pps 8 mbps 0 flows x.x.36.148 8036 pps 5 mbps 0 flows x.x.92.82 2830 pps 1 mbps 0 flows

Internal traffic 471040 pps 4734 mbps

Other traffic 10240 pps 118 mbps

from log:
2019-01-29 12:42:20,884 [INFO] sflow plugin will listen on x.x.1.113:6343 udp port
2019-01-29 12:48:40,000 [INFO] **Time from last run of speed_recalc is soooo big, we got ugly lags: 2**
2019-01-29 12:54:00,000 [INFO] Time from last run of speed_recalc is soooo big, we got ugly lags: 2

conf file
###
### Main configuration params
###

# Enable/Disable any actions in case of attack
enable_ban = on

# We could disable processing for certain direction of traffic
process_incoming_traffic = on
process_outgoing_traffic = on

# How much packets we will collect from attack's traffic
#ban_details_records_count = 500
ban_details_records_count = 500

# How long we should stay IP in blocked state
# If you set 0 here it completely disables unban capability
ban_time = 1900

# With this variable you could enable per subnet speed meters
# For each subnet from subnet list we will track speed in bps and pps for both directions
#enable_subnet_counters = off

# In this file you should list all your networks in CIDR format
networks_list_path = /etc/networks_list

# In this file you could list networks in CIDR format which will be not monitored for attacks
white_list_path = /etc/networks_whitelist

# How often we redraw client's screen
check_period = 1

# Connection tracking is very useful for attack detectiob because it provides huge amount of information
# But it's very CPU intensive and not recommended in big networks
#enable_connection_tracking = off
enable_connection_tracking = off

#This configuration is from github site
# Create group of hosts with non-standard thresholds
# You should create this group before (in configuration file) specifying any limits
hostgroup = my_hosts:x.x.1.113/32

# Configure this group
my_hosts_enable_ban = on

my_hosts_ban_for_pps = on
my_hosts_ban_for_bandwidth = on
my_hosts_ban_for_flows = off

my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 2000
my_hosts_threshold_flows = 3

# End config from Github

# Different approaches to attack detection
  ban_for_pps = on
 ban_for_bandwidth = on
  ban_for_flows = off

# Limits for Dos/DDoS attacks
  threshold_pps = 200
  threshold_mbps = 85
  threshold_flows = 35

# Per protocol attack thresholds
# We don't implement per protocol flow limits, sorry :(
# These limits should be smaller than global pps/mbps limits

threshold_tcp_mbps = 10
threshold_udp_mbps = 10
threshold_icmp_mbps = 10

threshold_tcp_pps = 10
threshold_udp_pps = 10
threshold_icmp_pps = 10

ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off

ban_for_tcp_pps = on
ban_for_udp_pps = on
ban_for_icmp_pps = on

###
### Traffic capture methods
###

# PF_RING traffic capture, enough fast but wire speed version need paid license
mirror = off

# Netmap traffic capture (very fast but need patched drivers)
mirror_netmap = off

# Pcap mode, very slow not suitable for production
pcap = off
# Netflow capture method with v5, v9 and IPFIX suppotr
#netflow = on
netflow = off
# sFLOW capture suitable for switches
sflow = on

# PF_RING configuration
# If you have license for PF_RING ZC could could enable this mode and it could achieve wire speed for 10GE
enable_pf_ring_zc_mode = off

# Configuration for netmap, mirror, pcap modes
# For pcap and PF_RING we could specify "any"
# For netmap and PF_RING we could specify multiple interfaces = eth0
interfaces = eth0
# We use average values for traffic speed to certain IP and we calculate average over this time slice
#average_calculation_time = 5
average_calculation_time = 60
# We use average values for traffic speed for subnet and we calculate average over this time slice
#average_calculation_time_for_subnets = 20
average_calculation_time_for_subnets = 20

# Netflow configuration
#netflow_port = 2055
#netflow_host = x.x.7.6

# For bind to all interfaces = eth0
# For bind to all interfaces = eth0
# For bind to localhost for specific protocol:      ::1 or 127.0.0.1

# Netflow agents uses different and very complex approaches for notifying about sample ratio
# Here you could specify sampling ratio for all agents
netflow_sampling_ratio = 1

# sFLOW configuration
sflow_port = 6343
sflow_host = x.x.1.113

###
### Actions when attack detected
###

# This script executed for ban, unban and atatck detailes collection
notify_script_path = /usr/local/bin/notify_about_attack.sh

# We could put attack details to Redis
redis_enabled = no

# Reddis configuration
redis_port = 6379
redis_host = 127.0.0.1

# ExaBGP could announce blocked IPs with BGP protocol
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114

# Announce origin subnet of IP address instead IP itself
exabgp_announce_whole_subnet = no

# Graphite monitoring
# graphite = on
# graphite_host = x.x.1.113
# graphite_port = 2003

# With this option enabled we could add local IP addresses and aliases to monitoring list
# Works only for Linux
monitor_local_ip_addresses = on

###
### Client configuration
###

# Field used for sorting in client, could be: packets, bytes or flows
sort_parameter = packets
# How much IP's we will list for incoming and outgoing channel eaters
max_ips_in_list = 10

Any idea ?

Regards Rafi

[pavel-odintsov]

Hello!

It looks correct! Can you show whole log file, please?

Thank you!

[rafish1]

Hello,

I found the problem, it was Unnecessary space on conf file

Regards Rafi

[pavel-odintsov]

Hello!

Perfect! Thank you!

On Wed, 30 Jan 2019 at 05:28, rafish1 notifications@github.com wrote:

Hello,

I found the problem, it was Unnecessary space on conf file

Regards Rafi

— You are receiving this because you modified the open/close state.

Reply to this email directly, view it on GitHub https://github.com/pavel-odintsov/fastnetmon/issues/671#issuecomment-458817036, or mute the thread https://github.com/notifications/unsubscribe-auth/ACnfZst6HOyilHuIgU0BoRWHNNqx0EQeks5vIS2XgaJpZM4ONxnx .

-- Sincerely yours, Pavel Odintsov