Here you can find examples of the JSON documents emitted by FastNetMon.
They are used for web hooks and for the JSON-enabled notify script; a consumer should parse them with a JSON parser rather than matching on text, since field order is not significant and fields may be absent in some actions (see the partial_block example below).
Ban action ("action" is "ban", "alert_scope" is "host"):
{ "ip": "127.0.0.1", "action": "ban", "alert_scope": "host", "attack_details": { "attack_uuid": "041eb504-2b33-4ff7-a6b7-8235408d5062", "attack_severity": "middle", "attack_type": "unknown", "initial_attack_power": 282473, "peak_attack_power": 282473, "attack_direction": "outgoing", "attack_protocol": "tcp", "attack_detection_source": "automatic", "total_incoming_traffic": 15253500, "total_outgoing_traffic": 15253590, "total_incoming_pps": 282472, "total_outgoing_pps": 282473, "total_incoming_flows": 0, "total_outgoing_flows": 0, "average_incoming_traffic": 15253500, "average_outgoing_traffic": 15253590, "average_incoming_pps": 282472, "average_outgoing_pps": 282473, "average_incoming_flows": 0, "average_outgoing_flows": 0, "incoming_ip_fragmented_traffic": 0, "outgoing_ip_fragmented_traffic": 0, "incoming_ip_fragmented_pps": 0, "outgoing_ip_fragmented_pps": 0, "incoming_tcp_traffic": 15253547, "outgoing_tcp_traffic": 15253590, "incoming_tcp_pps": 282472, "outgoing_tcp_pps": 282473, "incoming_syn_tcp_traffic": 0, "outgoing_syn_tcp_traffic": 0, "incoming_syn_tcp_pps": 0, "outgoing_syn_tcp_pps": 0, "incoming_udp_traffic": 0, "outgoing_udp_traffic": 0, "incoming_udp_pps": 0, "outgoing_udp_pps": 0, "incoming_icmp_traffic": 0, "outgoing_icmp_traffic": 0, "incoming_icmp_pps": 0, "outgoing_icmp_pps": 0 } }
Unban action ("action" is "unban"; the "attack_details" block repeats the data from the matching ban, keyed by the same "attack_uuid"):
{ "ip": "127.0.0.1", "action": "unban", "alert_scope": "host", "attack_details": { "attack_uuid": "041eb504-2b33-4ff7-a6b7-8235408d5062", "attack_severity": "middle", "attack_type": "unknown", "initial_attack_power": 282473, "peak_attack_power": 282473, "attack_direction": "outgoing", "attack_protocol": "tcp", "attack_detection_source": "automatic", "total_incoming_traffic": 15253500, "total_outgoing_traffic": 15253590, "total_incoming_pps": 282472, "total_outgoing_pps": 282473, "total_incoming_flows": 0, "total_outgoing_flows": 0, "average_incoming_traffic": 15253500, "average_outgoing_traffic": 15253590, "average_incoming_pps": 282472, "average_outgoing_pps": 282473, "average_incoming_flows": 0, "average_outgoing_flows": 0, "incoming_ip_fragmented_traffic": 0, "outgoing_ip_fragmented_traffic": 0, "incoming_ip_fragmented_pps": 0, "outgoing_ip_fragmented_pps": 0, "incoming_tcp_traffic": 15253547, "outgoing_tcp_traffic": 15253590, "incoming_tcp_pps": 282472, "outgoing_tcp_pps": 282473, "incoming_syn_tcp_traffic": 0, "outgoing_syn_tcp_traffic": 0, "incoming_syn_tcp_pps": 0, "outgoing_syn_tcp_pps": 0, "incoming_udp_traffic": 0, "outgoing_udp_traffic": 0, "incoming_udp_pps": 0, "outgoing_udp_pps": 0, "incoming_icmp_traffic": 0, "outgoing_icmp_traffic": 0, "incoming_icmp_pps": 0, "outgoing_icmp_pps": 0 } }
Partial block action ("action" is "partial_block"; the Flow Spec rules to apply are listed in "flow_spec_rules". Note that this example carries no "alert_scope" field):
{ "ip": "127.0.0.1", "action": "partial_block", "attack_details": { "attack_uuid": "ac6f8000-1b17-43b8-9324-f8f7527bd948", "attack_severity": "middle", "attack_type": "unknown", "initial_attack_power": 266676, "peak_attack_power": 266676, "attack_direction": "incoming", "attack_protocol": "tcp", "attack_detection_source": "automatic", "total_incoming_traffic": 14400545, "total_outgoing_traffic": 14400485, "total_incoming_pps": 266676, "total_outgoing_pps": 266675, "total_incoming_flows": 0, "total_outgoing_flows": 0, "average_incoming_traffic": 14400545, "average_outgoing_traffic": 14400485, "average_incoming_pps": 266676, "average_outgoing_pps": 266675, "average_incoming_flows": 0, "average_outgoing_flows": 0, "incoming_ip_fragmented_traffic": 0, "outgoing_ip_fragmented_traffic": 0, "incoming_ip_fragmented_pps": 0, "outgoing_ip_fragmented_pps": 0, "incoming_tcp_traffic": 14400477, "outgoing_tcp_traffic": 14400485, "incoming_tcp_pps": 266675, "outgoing_tcp_pps": 266675, "incoming_syn_tcp_traffic": 0, "outgoing_syn_tcp_traffic": 0, "incoming_syn_tcp_pps": 0, "outgoing_syn_tcp_pps": 0, "incoming_udp_traffic": 0, "outgoing_udp_traffic": 0, "incoming_udp_pps": 0, "outgoing_udp_pps": 0, "incoming_icmp_traffic": 0, "outgoing_icmp_traffic": 0, "incoming_icmp_pps": 0, "outgoing_icmp_pps": 0 }, "flow_spec_rules": [ { "source_prefix": "127.11.0.3/32", "destination_prefix": "127.0.0.1/32", "destination_ports": [ 0 ], "packet_lengths": [ 40 ], "protocols": [ "tcp" ], "tcp_flags": [ "ack" ], "action_type": "discard", "action": {} } ] }
Ban/unban actions also carry a "packet_dump" field holding a sample of the attack traffic as an array of preformatted strings, one line per sampled packet. These strings are built from observed packet headers (addresses, ports, flags), so a notify script should treat them as data and must not splice them unquoted into shell command lines:
"packet_dump": [ "2018-12-15 19:16:39.376373 127.0.0.10:0 > 127.0.0.1:8842 protocol: tcp flags: rst,ack frag: 0 packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ", "2018-12-15 19:16:39.376394 127.0.0.10:0 > 127.0.0.1:8842 protocol: tcp flags: rst,ack frag: 0 packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ", "2018-12-15 19:16:39.376405 127.0.0.1:8843 > 127.0.0.10:0 protocol: tcp flags: - frag: 0 packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ", "2018-12-15 19:16:39.376414 127.0.0.1:8843 > 127.0.0.10:0 protocol: tcp flags: - frag: 0 packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 " ]
The same sample is also available in structured form as "packet_dump_detailed": one object per sampled packet with typed fields (ports, lengths and TTL as numbers, "fragmentation" as a boolean). Prefer it over parsing the "packet_dump" strings:
"packet_dump_detailed": [ { "ip_version": "ipv4", "source_ip": "10.10.10.1", "destination_ip": "192.168.1.100", "source_port": 80, "destination_port": 55820, "tcp_flags": "ack", "fragmentation": false, "packets": 1, "length": 1506, "ip_length": 1492, "ttl": 56, "sample_ratio": 1, "protocol": "tcp" }, { "ip_version": "ipv4", "source_ip": "10.10.10.1", "destination_ip": "192.168.1.100", "source_port": 80, "destination_port": 55820, "tcp_flags": "ack", "fragmentation": false, "packets": 1, "length": 1506, "ip_length": 1492, "ttl": 56, "sample_ratio": 1, "protocol": "tcp" }, { "ip_version": "ipv4", "source_ip": "192.168.1.100", "destination_ip": "10.10.10.1", "source_port": 55820, "destination_port": 80, "tcp_flags": "ack", "fragmentation": false, "packets": 1, "length": 66, "ip_length": 52, "ttl": 64, "sample_ratio": 1, "protocol": "tcp" }, { "ip_version": "ipv4", "source_ip": "10.10.10.1", "destination_ip": "192.168.1.100", "source_port": 80, "destination_port": 55820, "tcp_flags": "ack", "fragmentation": false, "packets": 1, "length": 1506, "ip_length": 1492, "ttl": 56, "sample_ratio": 1, "protocol": "tcp" } ]
Per-hostgroup block actions ("alert_scope" is "hostgroup"; there is no "ip" field, the target is given by "hostgroup_name" and "hostgroup_networks" instead):
{ "hostgroup_name": "global_total", "action": "ban", "alert_scope": "hostgroup", "hostgroup_networks": [ "192.168.1.0/24", "10.10.1.2/16" ], "attack_details": { "attack_uuid": "800ed163-018a-4864-94d1-a63a48616cb0", "attack_severity": "middle", "attack_type": "unknown", "protocol_version": "IPv4", "initial_attack_power": 0, "peak_attack_power": 0, "attack_direction": "other", "attack_protocol": "unknown", "attack_detection_source": "automatic", "total_incoming_traffic": 0, "total_outgoing_traffic": 0, "total_incoming_pps": 0, "total_outgoing_pps": 0, "total_incoming_flows": 0, "total_outgoing_flows": 0, "average_incoming_traffic": 0, "average_outgoing_traffic": 0, "average_incoming_pps": 0, "average_outgoing_pps": 0, "average_incoming_flows": 0, "average_outgoing_flows": 0, "incoming_ip_fragmented_traffic": 0, "outgoing_ip_fragmented_traffic": 0, "incoming_ip_fragmented_pps": 0, "outgoing_ip_fragmented_pps": 0, "incoming_tcp_traffic": 0, "outgoing_tcp_traffic": 0, "incoming_tcp_pps": 0, "outgoing_tcp_pps": 0, "incoming_syn_tcp_traffic": 0, "outgoing_syn_tcp_traffic": 0, "incoming_syn_tcp_pps": 0, "outgoing_syn_tcp_pps": 0, "incoming_udp_traffic": 0, "outgoing_udp_traffic": 0, "incoming_udp_pps": 0, "outgoing_udp_pps": 0, "incoming_icmp_traffic": 0, "outgoing_icmp_traffic": 0, "incoming_icmp_pps": 0, "outgoing_icmp_pps": 0 } }
To write a single callback script that handles both per-host and per-hostgroup actions, use the "alert_scope" field to distinguish them ("host" vs "hostgroup") and read "ip" or "hostgroup_name"/"hostgroup_networks" accordingly. Check that "alert_scope" is present before relying on it, as the partial_block example above does not include it.