pavel-odintsov
commented
7 years ago Hello
You could grab it here: https://github.com/pavel-odintsov/fastnetmon/blob/master/src/notify_about_attack.sh
On Sat, 5 Aug 2017 at 23:54, Ismael OUEDRAOGO notifications@github.com wrote:
Iam getting this error on the logs [ERROR] We can't find notify script /usr/local/bin/notify_about_attack.sh
notify_about_attack.sh is missing, where can i get a sample of it to place it and customize it to fit my needs ? Because i followed the prescribed procedure to install but this file is definitely missing! I am running on Debian 8
*Here is /etc/fastnetmon.conf configuration file
Main configuration params
Logging configuration
enable this option if you want to send logs to local syslog facility
logging:local_syslog_logging = off
enable this option if you want to send logs to a remote syslog server via UDP
logging:remote_syslog_logging = off
specify a custom server and port for remote logging
logging:remote_syslog_server = 10.10.10.10 logging:remote_syslog_port = 514
Enable/Disable any actions in case of attack
enable_ban = on
disable processing for certain direction of traffic
process_incoming_traffic = on process_outgoing_traffic = on
How many packets will be collected from attack traffic
ban_details_records_count = 500
How long (in seconds) we should keep an IP in blocked state
If you set 0 here it completely disables unban capability
ban_time = 1900
Check if the attack is still active, before triggering an unban callback with this option
If the attack is still active, check each run of the unban watchdog
unban_only_if_attack_finished = on
enable per subnet speed meters
For each subnet, list track speed in bps and pps for both directions
enable_subnet_counters = off
list of all your networks in CIDR format
networks_list_path = /etc/networks_list
list networks in CIDR format which will be not monitored for attacks
white_list_path = /etc/networks_whitelist
redraw period for client's screen
check_period = 1
Connection tracking is very useful for attack detection because it provides huge amounts of information,
but it's very CPU intensive and not recommended in big networks
enable_connection_tracking = on
Different approaches to attack detection
ban_for_pps = on ban_for_bandwidth = on ban_for_flows = on
Limits for Dos/DDoS attacks
threshold_pps = 20000 threshold_mbps = 1000 threshold_flows = 3500
Per protocol attack thresholds
We don't implement per protocol flow limits, sorry :(
These limits should be smaller than global pps/mbps limits
threshold_tcp_mbps = 100000 threshold_udp_mbps = 100000 threshold_icmp_mbps = 100000
threshold_tcp_pps = 100000 threshold_udp_pps = 100000 threshold_icmp_pps = 100000
ban_for_tcp_bandwidth = off ban_for_udp_bandwidth = off ban_for_icmp_bandwidth = off
ban_for_tcp_pps = off ban_for_udp_pps = off ban_for_icmp_pps = off
Traffic capture methods
PF_RING traffic capture, fast enough but the wirespeed version needs a paid license
mirror = off
Port mirroring sample rate
pfring_sampling_ratio = 1
Netmap traffic capture (very fast but needs patched drivers)
mirror_netmap = off
SnabbSwitch traffic capture
mirror_snabbswitch = off
AF_PACKET capture engine
Please use it only with modern Linux kernels (3.6 and more)
And please install birq for irq ditribution over cores
mirror_afpacket = off
use PCI-e addresses here instead of OS device names. You can find them in "lspci" output
interfaces = eth0
Port mirroring sampling ratio
netmap_sampling_ratio = 1
This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110;
netmap_read_packet_length_from_ip_header = off
Pcap mode, very slow and thus not suitable for production
pcap = off
Netflow capture method with v5, v9 and IPFIX support
netflow = on
sFLOW capture suitable for switches
sflow = on
PF_RING configuration
If you have a license for PF_RING ZC, enable this mode and it might achieve wire speed for 10GE
enable_pf_ring_zc_mode = off
Configuration for netmap, mirror, pcap modes
For pcap and PF_RING we could specify "any"
For netmap and PF_RING we could specify multiple interfaces = eth0
interfaces = eth0
We use average values for traffic speed to certain IP and we calculate average over this time slice
average_calculation_time = 5
We use average values for traffic speed for subnet and we calculate average over this time slice
average_calculation_time_for_subnets = 20
Netflow configuration
it's possible to specify multiple ports here, using commas as delimiter
netflow_port = 2055 netflow_host = 0.0.0.0
To bind to all interfaces = eth0
To bind to all interfaces = eth0
To bind to localhost for a specific protocol: ::1 or 127.0.0.1
Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
Here you could specify a sampling ratio for all this agents
For NetFLOW v5 we extract sampling ratio from packets directely and this option not used
netflow_sampling_ratio = 1
In some cases with NetFlow we could get huge bursts related to aggregated data nature
We could try to get smoother data with this option, i.e. we will divide counters on collection interval time
netflow_divide_counters_on_interval_length = off
Process each netflow packet with LUA
This option is not default and you need build it additionally
netflow_lua_hooks_path = /usr/src/fastnetmon/src/netflow_hooks.lua
sFLOW configuration
It's possible to specify multiple ports here, using commas as delimiter
sflow_port = 6343
sflow_port = 6343,6344
sflow_host = 0.0.0.0
process each sFLOW packet with LUA
This option is not default and you need build it additionally
sflow_lua_hooks_path = /usr/src/fastnetmon/src/sflow_hooks.lua
Actions when attack detected
This script executed for ban, unban and attack detail collection
notify_script_path = /usr/local/bin/notify_about_attack.sh
pass attack details to notify_script via stdin
Pass details only in case of "ban" call
No details will be passed for "unban" call
notify_script_pass_details = on
collect a full dump of the attack with full payload in pcap compatible format
collect_attack_pcap_dumps = off
Execute Deep Packet Inspection on captured PCAP packets
process_pcap_attack_dumps_with_dpi = off
Save attack details to Redis
redis_enabled = off
Redis configuration
redis_port = 6379 redis_host = 127.0.0.1
specify a custom prefix here
redis_prefix = mydc1
We could store attack information to MongoDB
mongodb_enabled = on mongodb_host = 192.168.1.6 mongodb_port = 27017 mongodb_database_name = fastnetmon
If you are using PF_RING non ZC version you could block traffic on host with hardware filters
Please be aware! We can not remove blocks with this action plugin
pfring_hardware_filters_enabled = off
announce blocked IPs with BGP protocol with ExaBGP
exabgp = off exabgp_command_pipe = /var/run/exabgp.cmd exabgp_community = 65001:666
specify multiple communities with this syntax:
exabgp_community = [65001:666 65001:777]
specify different communities for host and subnet announces
exabgp_community_subnet = 65001:667
exabgp_community_host = 65001:668
exabgp_next_hop = 10.0.3.114
In complex cases you could have both options enabled and announce host and subnet simultaneously
Announce /32 host itself with BGP
exabgp_announce_host = on
Announce origin subnet of IP address instead IP itself
exabgp_announce_whole_subnet = off
Announce Flow Spec rules when we could detect certain attack type
Please we aware! Flow Spec announce triggered when we collect some details about attack,
i.e. when we call attack_details script
Please disable exabgp_announce_host and exabgp_announce_whole_subnet if you want to use this feature
Please use ExaBGP v4 only (Git version), for more details: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/BGP_FLOW_SPEC.md
exabgp_flow_spec_announces = off
GoBGP intergation
gobgp = off gobgp_next_hop = 0.0.0.0 gobgp_announce_host = on gobgp_announce_whole_subnet = off
Graphite monitoring
InfluxDB is also supported, please check our reference:
https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/INFLUXDB_INTEGRATION.md
graphite = off graphite_host = 127.0.0.1 graphite_port = 2003
Default namespace for Graphite data
graphite_prefix = fastnetmon
Add local IP addresses and aliases to monitoring list
Works only for Linux
monitor_local_ip_addresses = on
Create group of hosts with non-standard thresholds
You should create this group before (in configuration file) specifying any limits
hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
Configure this group
my_hosts_enable_ban = off
my_hosts_ban_for_pps = off my_hosts_ban_for_bandwidth = off my_hosts_ban_for_flows = off
my_hosts_threshold_pps = 20000 my_hosts_threshold_mbps = 1000 my_hosts_threshold_flows = 3500
Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool
pid_path = /var/run/fastnetmon.pid
Path to file where we store information for fastnetmon_client
cli_stats_file_path = /tmp/fastnetmon.dat
Enable gRPC api (required for fastnetmon_api_client tool)
enable_api = off
Client configuration
Field used for sorting in client, valid values are: packets, bytes or flows
sort_parameter = packets
How much IPs will be listed for incoming and outgoing channel eaters
max_ips_in_list = 7
- Here is /var/log/fastnetmon.log
2017-08-04 11:14:45,183 [INFO] Logger initialized! 2017-08-04 11:14:45,183 [WARN] We add subnet 10.10.10.221/32 to host group my_hosts 2017-08-04 11:14:45,183 [WARN] We add subnet 10.10.10.222/32 to host group my_hosts 2017-08-04 11:14:45,183 [INFO] We have created host group my_hosts with 2 subnets 2017-08-04 11:14:45,183 [INFO] We will read ban settings for my_hosts 2017-08-04 11:14:45,183 [ERROR] We can't find notify script /usr/local/bin/notify_about_attack.sh 2017-08-04 11:14:45,187 [INFO] Read configuration file 2017-08-04 11:14:45,187 [INFO] We are working on Linux and could use ip tool for detecting local IP's 2017-08-04 11:14:45,192 [INFO] We found 1 local IP addresses and will monitor they 2017-08-04 11:14:45,193 [INFO] We loaded 2 networks from networks file 2017-08-04 11:14:45,193 [INFO] Totally we have 2 IPv4 subnets 2017-08-04 11:14:45,193 [INFO] Totally we have 0 IPv6 subnets 2017-08-04 11:14:45,193 [INFO] Total number of monitored hosts (total size of all networks): 257 2017-08-04 11:14:45,193 [INFO] We need 0 MB of memory for storing counters for your networks 2017-08-04 11:14:45,193 [INFO] I will allocate 256 records for subnet 108736 cidr mask: 24 2017-08-04 11:14:45,193 [INFO] I will allocate 1 records for subnet 184658112 cidr mask: 32 2017-08-04 11:14:45,193 [INFO] We start total zerofication of counters 2017-08-04 11:14:45,193 [INFO] We finished zerofication 2017-08-04 11:14:45,193 [INFO] We loaded 2 IPv4 subnets to our in-memory list of networks 2017-08-04 11:14:45,194 [INFO] Run banlist cleanup thread, we will awake every 60 seconds 2017-08-04 11:14:45,194 [INFO] sflow: plugin started 2017-08-04 11:14:45,194 [INFO] sflow: We will listen on 1 ports 2017-08-04 11:14:45,194 [INFO] netflow plugin started 2017-08-04 11:14:45,194 [INFO] Using custom sampling ratio for netflow: 1 2017-08-04 11:14:45,194 [INFO] netflow: We will listen on 1 ports 2017-08-04 11:14:45,194 [INFO] sflow: plugin will listen on 0.0.0.0:6343 udp port 2017-08-04 11:14:45,194 [INFO] netflow plugin will listen on 0.0.0.0:2055 udp port
- What capture engine are you using: netflow, sflow, miror? uh i dont know, how do i specify that ?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/pavel-odintsov/fastnetmon/issues/680, or mute the thread https://github.com/notifications/unsubscribe-auth/ACnfZomJAwbpNDTayZpOUpk_80RKXwvpks5sVPKWgaJpZM4OulfM .
-- Sincerely yours, Pavel Odintsov
Xsmael
Iam getting this error on the logs [ERROR] We can't find notify script /usr/local/bin/notify_about_attack.sh
notify_about_attack.sh is missing, where can i get a sample of it to place it and customize it to fit my needs ? Because i followed the prescribed procedure to install but this file is definitely missing! I am running on Debian 8
*Here is /etc/fastnetmon.conf configuration file