FastNetMon Advanced can run scripts written in different programming languages when it detects an attack against an IP or hostgroup, or identifies a malicious pattern (BGP Flow Spec mode). In addition, it can report information about ongoing attacks using the attack status capability.
By default, FastNetMon passes information about the attack in JSON format to the script's standard input (stdin). You can find detailed JSON formats here. Please note that your script MUST read all of the output FastNetMon passes to it. Otherwise it may cause stability issues for the FastNetMon daemon.
Per host attack notifications
To pass information when a particular IP is under attack (per host hostgroups), you can enable it this way:
sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /usr/local/bin/notify_json.py
sudo fcli commit
For backward compatibility reasons, for per host bans FastNetMon passes the following command line arguments to the script:
- Action name: ban or unban
- IP address of host under attack
This capability is considered obsolete as of March 2026 and may be removed in the future. We strongly recommend against using command line arguments, as this data is available in the JSON document.
For compatibility with legacy systems, FastNetMon supports a text based callback format (it can be enabled by setting notify_script_format to text) for per host alerts, but as of March 2026 this capability is considered deprecated and its use is strongly discouraged. In this mode
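The stdin contract described above, as an added example that is not one of FastNetMon's own callback scripts: it drains stdin to EOF before doing anything else, then validates a per host document instead of trusting command line arguments. The key names action and ip, the sample document and the log path are assumptions; check them against the JSON format reference.

```python
#!/usr/bin/env python3
"""Added example of a per host notify script. JSON key names are assumptions."""
import ipaddress
import json
import logging
import sys

LOG_PATH = "/tmp/fastnetmon_notify.log"  # hypothetical log location
ALLOWED_ACTIONS = {"ban", "unban"}       # action names the page lists for per host callbacks

# Constructed sample document, not captured from a real FastNetMon instance.
SAMPLE = '{"action": "ban", "ip": "192.0.2.10"}'


def parse_notification(raw):
    """Validate one callback document and return (action, ip); raise ValueError otherwise."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value is not an object")
    action = doc.get("action")  # assumed key name
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unexpected action: {action!r}")
    # ip_address() accepts only a bare IPv4/IPv6 literal and raises ValueError on
    # anything else, so only a normalised address reaches later tooling.
    ip = ipaddress.ip_address(str(doc.get("ip", "")))  # assumed key name
    return action, str(ip)


def main(stdin=sys.stdin):
    # Read to EOF first and unconditionally: the daemon expects its output to be consumed
    # even when the script later decides to ignore or reject the document.
    raw = stdin.read()
    logging.basicConfig(filename=LOG_PATH, level=logging.INFO)
    try:
        action, ip = parse_notification(raw)
    except ValueError as exc:
        logging.error("rejected notification: %s", exc)
        return 1
    logging.info("action=%s ip=%s", action, ip)
    # Hand off to mitigation tooling here; pass ip as a list element to
    # subprocess.run([...]) rather than interpolating it into a shell string.
    return 0


if __name__ == "__main__":
    sys.exit(main())
```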
Hostgroup blocks notifications
To enable this logic for per hostgroup attacks, you need to use the following syntax:
sudo fcli set main notify_script_hostgroup_enabled enable
sudo fcli set main notify_script_hostgroup_path /usr/local/bin/notify_json.py
sudo fcli commit
This capability works in JSON mode by default and notify_script_format is ignored.
We provide multiple examples of callback scripts implemented in different programming languages:
Attack status information
Starting from version 2.0.359, FastNetMon has the capability to call the notify script for all blocked IPs (IPv4+IPv6) and pass attack details to it. This capability works only in JSON mode (notify_script_format must be set to JSON). Please note that attack performance is not updated in this case; we plan to add this capability in future releases.
This capability can be enabled this way:
sudo fcli set main notify_script_attack_status_updates true
sudo fcli commit
You can configure how often FastNetMon runs this logic, in seconds, in the following way:
sudo fcli set main ban_status_delay 20
sudo fcli commit
