27.06.2019

Attack detection for per hostgroup thresholds

This guide requires a fully working setup for total hostgroups.

When a hostgroup reaches the specified total traffic value, FastNetMon can call different actions.

To enable this feature, you have to enable ban actions this way:

Before enabling automatic detection, you can block a hostgroup manually using the following command:

You can list all active blocks this way:

Unblock example:

To automate attack detection, please set thresholds:

After that, apply the configuration using the commit command and FastNetMon will start automatic detection.

When an attack arrives, FastNetMon can run different actions. Right now we support only a callback script in JSON mode (we use the “per hostgroup” schema from the formats documentation); it can be enabled this way:

Example script:

This script differs slightly from the standard script for per host thresholds. It does not take any command-line arguments. All information is passed to the script on stdin.
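The stdin-only calling convention described above, shown as an added example (this is not FastNetMon's own script): it reads one JSON document from stdin, rejects oversized or malformed input, and neutralises every value before logging it. The key names in the constructed sample are assumptions; take the real ones from the “per hostgroup” schema in the formats documentation.

```python
#!/usr/bin/env python3
"""Callback sketch for per hostgroup alerts: no argv, one JSON document on stdin."""
import json
import re
import sys

MAX_INPUT = 64 * 1024                    # refuse oversized input
UNSAFE = re.compile(r"[^A-Za-z0-9_.:/-]")  # anything else is replaced in the log

# Constructed sample. Key names are assumptions, not the documented schema.
# The embedded newline imitates a log-injection attempt via a field value.
SAMPLE = ('{"action": "ban", "hostgroup_name": "customers\\n2019 fake entry",'
          ' "total_mbps": 1200}')


def parse_alert(stream):
    """Read one JSON object from stream; return a dict, or None if unusable."""
    raw = stream.read(MAX_INPUT + 1)
    if len(raw) > MAX_INPUT:
        return None
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError):
        return None
    return doc if isinstance(doc, dict) else None


def format_log_line(alert):
    """Render sorted key=value pairs with keys and values made log-safe."""
    parts = []
    for key in sorted(alert):
        value = alert[key]
        text = value if isinstance(value, str) else json.dumps(value)
        parts.append(f"{UNSAFE.sub('_', key)}={UNSAFE.sub('_', text)}")
    return " ".join(parts)


def main(stream=sys.stdin):
    alert = parse_alert(stream)
    if alert is None:
        print("hostgroup callback: unusable input on stdin", file=sys.stderr)
        return 1
    # Values stay data: they are logged here, never interpolated into a shell.
    print("hostgroup callback:", format_log_line(alert), file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```
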