This document gives a detailed description of all available configuration options in every configuration namespace.

af_packet

| Name | Type | Default value | Description |
|---|---|---|---|
| mirror_afpacket | bool | false | Enable capture from mirror port using AF_PACKET capture engine |
| interfaces | string_list | [ ] | Interfaces list for traffic capture |
| af_packet_extract_tunnel_traffic | bool | false | Enables logic in af_packet code which strips the external level for GRE tunnels |
| mirror_af_packet_sampling | bool | true | Enables sampling for mirror mode offloaded on kernel / driver level |
| mirror_af_external_packet_sampling | bool | false | Enables external sampling for mirror mode when router or switch does sampling |
| mirror_af_packet_socket_stats | bool | true | Enables capture socket performance statistics |
| mirror_af_packet_disable_multithreading | bool | true | Disables multi thread processing and handles all traffic using a single thread |
| mirror_af_packet_fanout_mode | string | "cpu" | Fanout mode. Algorithm to spread load over threads |
| mirror_af_packet_sampling_rate | positive_integer_with_zero | 100 | Sampling rate for AF_PACKET |
| mirror_external_af_packet_sampling_rate | positive_integer_with_zero | 100 | External sampling rate for AF_PACKET |
| mirror_af_packet_workers_number_override | bool | false | Enables logic to explicitly override number of worker processes |
| mirror_af_packet_workers_number | positive_integer_with_zero | 1 | Specifies how many worker processes we need for each interface |
| afpacket_strict_cpu_affinity | bool | false | Enables strict CPU affinity and binds traffic capture threads to fixed logical CPUs |
| af_packet_read_packet_length_from_ip_header | bool | false | By default, FastNetMon reads packet length from the wire. When this option is enabled, it uses the length from the IP header instead |

ban_management

| Name | Type | Default value | Description |
|---|---|---|---|
| enable_ban | bool | false | Completely enable or disable all ban actions |
| enable_ban_hostgroup | bool | false | Completely enable or disable all bans for total traffic per hostgroup |
| enable_ban_remote_outgoing | bool | false | Enable blocking for remote hosts in outgoing direction |
| enable_ban_remote_incoming | bool | false | Enable blocking for remote hosts in incoming direction |
| do_not_ban_incoming | bool | false | Completely disables ban for incoming traffic |
| do_not_ban_outgoing | bool | false | Completely disables ban for outgoing traffic |
| per_direction_hostgroup_thresholds | bool | true | Changes hostgroup thresholds to be per direction. Default becomes incoming |
| flexible_thresholds | bool | false | Enables flexible thresholds logic |
| flexible_thresholds_disable_multi_alerts | bool | false | Enables compatibility mode for flexible thresholds which triggers an attack only using a single threshold and only in a single direction |
| keep_flow_spec_announces_during_restart | bool | false | Saves list of flow spec announces on shutdown and restores it on startup |
| keep_blocked_hosts_during_restart | bool | false | Saves list of blocked hosts on shutdown and restores it on startup |
| keep_blocked_hostgroups_during_restart | bool | false | Saves list of blocked hostgroups on shutdown and restores it on startup |
| enable_ban_ipv6 | bool | false | Completely enable or disable all ban actions for IPv6 traffic |
| unban_enabled | bool | true | We will try to unban blocked IPs after the blocking time expires |
| ban_status_updates | bool | false | FastNetMon will report active attacks every X seconds |
| ban_status_delay | positive_integer_with_zero | 20 | How often FastNetMon will update external systems about active attacks |
| ban_time | positive_integer_with_zero | 771 | How long we should keep an IP in blocked state. Zero value is prohibited here |
| unban_only_if_attack_finished | bool | true | With this option, check whether the attack is still active before triggering an unblock callback. If the attack is still active, check again on each run of the unblock watchdog |
| gobgp_flow_spec_announces | bool | false | Announce flow spec rules to block only malicious traffic. Use only if you have BGP Flowspec capable routers |
| gobgp_flow_spec_v6_announces | bool | false | Announce flow spec IPv6 rules to block only malicious traffic. Use only if you have BGP Flowspec capable routers |
| flow_spec_unban_enabled | bool | true | We will try to withdraw flow spec rule when blocking time expires |
| flow_spec_per_hostgroup_management | bool | false | Enables logic which applies flow spec mitigations only when they are explicitly enabled for the hostgroup |
| flow_spec_ban_time | positive_integer_with_zero | 1900 | How long we should keep flow spec rule announced. Zero value is prohibited here |
| collect_attack_pcap_dumps | bool | false | This option enables pcap collection for attack's traffic dump. Works only for mirror and sFlow modes |
| collect_simple_attack_dumps | bool | true | Collect simple attack dumps which include information from attack's sample. Works for all capture engines |
| ban_details_records_count | positive_integer_with_zero | 25 | How many packets will be collected from attack's traffic. Please decrease this value if you are using sampled capture protocols |
| threshold_specific_ban_details | bool | false | In this mode FastNetMon will collect only traffic relevant to direction and type of threshold |
| do_not_cap_ban_details_records_count | bool | false | Disables logic which automatically reduces ban_details_records_count when it exceeds 100 for sFlow and Netflow |
| unban_total_hostgroup_enabled | bool | true | We will try to unban blocked hostgroup after specified amount of time |
| ban_time_total_hostgroup | positive_integer_with_zero | 675 | How long we should keep hostgroup in blocked state. Zero value is prohibited here |
| bucket_traffic_collection_timeout | positive_integer_with_zero | 60 | How long we should wait for bucket to collect traffic after threshold was crossed |

bgp

| Name | Type | Default value | Description |
|---|---|---|---|
| gobgp | bool | false | Enable BGP daemon integration |
| gobgp_api_host | string | "localhost" | IP address or host to connect to GoBGP |
| gobgp_api_port | numeric_ipv4_port | 50051 | Port to connect to GoBGP |
| gobgp_bgp_listen_port | numeric_ipv4_port | 179 | BGP listen port |
| gobgp_router_id | string | "" | Router ID to override default configuration |
| gobgp_next_hop | numeric_ipv4_host | "0.0.0.0" | Next hop value for BGP unicast host and subnet IPv4 announces |
| gobgp_next_hop_host_ipv4 | numeric_ipv4_host | "0.0.0.0" | Next hop value for BGP unicast IPv4 host announces |
| gobgp_next_hop_subnet_ipv4 | numeric_ipv4_host | "0.0.0.0" | Next hop value for BGP unicast IPv4 subnet announces |
| gobgp_next_hop_remote_host | numeric_ipv4_host | "0.0.0.0" | Next hop value for BGP unicast remote host IPv4 announces |
| gobgp_do_not_manage_daemon | bool | false | Disables automatic start / restart operations for BGP daemon |
| gobgp_announce_host | bool | true | Announce /32 host itself with BGP |
| gobgp_announce_whole_subnet | bool | false | Announce origin subnet of IP address |
| gobgp_announce_whole_subnet_force_custom_prefix_length | bool | false | Enables override for subnet announce |
| gobgp_announce_whole_subnet_custom_prefix_length | positive_integer_with_zero | 24 | Prefix length to override default one |
| gobgp_announce_whole_subnet_force_custom_ipv6_prefix_length | bool | false | Enables override for IPv6 subnet announce |
| gobgp_announce_whole_subnet_custom_ipv6_prefix_length | positive_integer_with_zero | 48 | IPv6 prefix length to override default one |
| gobgp_announce_remote_host | bool | false | Announce remote /32 host itself with BGP |
| gobgp_community_host | string | "65001:668" | BGP community for outgoing host announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_communities_host_ipv4 | string_list | [ ] | BGP communities for outgoing host announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_communities_host_ipv6 | string_list | [ ] | BGP communities for outgoing host announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_community_subnet | string | "65001:667" | BGP community for outgoing subnet announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_communities_subnet_ipv4 | string_list | [ ] | BGP communities for outgoing subnet announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_communities_subnet_ipv6 | string_list | [ ] | BGP communities for outgoing subnet announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_community_remote_host | string | "65001:669" | BGP community for outgoing remote host announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_ipv6 | bool | false | Enable BGP actions for IPv6 traffic |
| gobgp_next_hop_ipv6 | string | "100::1" | Next hop value for BGP unicast IPv6 announces |
| gobgp_announce_host_ipv6 | bool | true | Announce /128 host itself with BGP |
| gobgp_announce_whole_subnet_ipv6 | bool | false | Announce origin IPv6 subnet of IP address |
| gobgp_community_host_ipv6 | string | "65001:668" | BGP community for outgoing IPv6 host announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_community_subnet_ipv6 | string | "65001:667" | BGP community for outgoing IPv6 subnet announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_flow_spec_default_action | string | "discard" | Default action for flow spec rules. You can specify accept, discard or rate-limit here |
| gobgp_flow_spec_next_hop_ipv4 | string_list | [ ] | List of IPv4 next hops |
| gobgp_flow_spec_next_hop_ipv6 | string_list | [ ] | List of IPv6 next hops |
| gobgp_flow_spec_v6_default_action | string | "discard" | Default action for IPv6 flow spec rules. You can specify accept, discard or rate-limit here |
| gobgp_flow_spec_v6_rate_limit_value | positive_integer_with_zero | 1024 | Rate used for the rate-limit action |
| gobgp_flow_spec_rate_limit_value | positive_integer_with_zero | 1024 | Rate used for the rate-limit action |
| flow_spec_tcp_options_use_match_bit | bool | false | Forces the match bit in outgoing BGP Flow Spec announces about TCP flags |
| flow_spec_fragmentation_options_use_match_bit | bool | false | Forces the match bit in outgoing BGP Flow Spec announces about fragmentation |
| flow_spec_do_not_process_length_field | bool | false | Disables processing for length field completely. Use it if your device produces incorrect information about packet's length |
| flow_spec_do_not_process_tcp_flags_field | bool | false | Disables processing for TCP flags field completely. You may need it if your router does not support all TCP flags in flow spec rules |
| flow_spec_do_not_process_ip_fragmentation_flags_field | bool | false | Disables processing for IP fragmentation field completely. You may need it if your router does not support all IP fragmentation flags in flow spec rules |
| flow_spec_ignore_do_not_fragment_flag | bool | false | Disables processing for the do not fragment field completely. It's useful on Arista and Extreme |
| flow_spec_do_not_process_source_address_field | bool | false | Disables processing for source address field completely. Use it if you experience attacks from a big number of IP addresses |
| flow_spec_execute_validation | bool | true | With this option we check that source and destination addresses in flow spec rules specified from fcli or web API belong to our ranges |
| do_not_withdraw_unicast_announces_on_restart | bool | false | Disables automatic withdrawal of BGP Unicast announces on restart |
| do_not_withdraw_flow_spec_announces_on_restart | bool | false | Disables automatic withdrawal of BGP Flow Spec announces on restart |
| gobgp_announce_hostgroup_networks | bool | false | Enable BGP announces for any network from a specific hostgroup when per hostgroup (aka total) thresholds are in use |
| gobgp_announce_hostgroup_networks_ipv4 | bool | false | Enable BGP announces for all IPv4 networks from a specific hostgroup when per hostgroup (aka total) thresholds are in use |
| gobgp_announce_hostgroup_networks_ipv6 | bool | false | Enable BGP announces for all IPv6 networks from a specific hostgroup when per hostgroup (aka total) thresholds are in use |
| gobgp_next_hop_hostgroup_networks_ipv4 | string | "0.0.0.0" | Next hop for IPv4 per hostgroup network announces |
| gobgp_next_hop_hostgroup_networks_ipv6 | string | "100::1" | Next hop for IPv6 per hostgroup network announces |
| gobgp_communities_hostgroup_networks_ipv4 | string_list | [ ] | BGP communities for IPv4 hostgroup network announces in ASN:Community format. ASN and community should be from 1 to 65535 |
| gobgp_communities_hostgroup_networks_ipv6 | string_list | [ ] | BGP communities for IPv6 hostgroup network announces in ASN:Community format. ASN and community should be from 1 to 65535 |

email_notification

| Name | Type | Default value | Description |
|---|---|---|---|
| email_notifications_enabled | bool | false | Enable email notifications |
| email_notifications_disable_certificate_checks | bool | false | Disables TLS certificate validation completely |
| email_notifications_host | string | "smtp.gmail.com" | Hostname of SMTP server |
| email_notifications_port | numeric_ipv4_port | 587 | Port of SMTP server used for email notifications |
| email_notifications_tls | bool | true | Enable TLS for your SMTP server |
| email_notifications_auth | bool | true | Enable auth for your SMTP server |
| email_notifications_auth_method | string | "" | Auth method for SMTP authorization. Used only when auth is enabled |
| email_notifications_username | string | "fastnetmon@yourdomain.com" | Username for SMTP authorization |
| email_notifications_password | string | "super-secret-password" | Password for SMTP authorization |
| email_notifications_from | string | "fastnetmon@yourdomain.com" | Email address for FROM field |
| email_notifications_recipients | string_list | [ ] | Email notification recipients |
| email_notifications_hide_flow_spec_rules | bool | false | Hide flow spec rules from email |
| email_notifications_add_simple_packet_dump | bool | true | Add simple packet dump to email |
| email_subject_blackhole_block | string | "FastNetMon blocked host {{ ip }}" | Subject template for email notification about blocked host |
| email_subject_blackhole_unblock | string | "FastNetMon unblocked host {{ ip }}" | Subject template for email notification about unblocked host |
| email_subject_partial_block | string | "FastNetMon partially blocked traffic for host {{ ip }}" | Subject template for email notification about partially blocked host |
| email_subject_partial_unblock | string | "FastNetMon partially unblocked traffic for host {{ ip }}" | Subject template for email notification about partially unblocked host |
| slack_notifications_add_simple_packet_dump | bool | true | Add simple packet dump to Slack alerts |

influxdb

| Name | Type | Default value | Description |
|---|---|---|---|
| influxdb_kafka | bool | false | Enables traffic metrics export to InfluxDB over Kafka |
| influxdb_kafka_brokers | string_list | [ ] | Kafka brokers for InfluxDB export |
| influxdb_kafka_topic | string | "fastnetmon" | Topic name for Kafka InfluxDB instance |
| influxdb_kafka_partitioner | string | "consistent" | Partitioner between available partitions |
| influxdb | bool | false | Enables traffic metrics export to InfluxDB |
| influxdb_database | string | "fastnetmon" | Database for InfluxDB data |
| influxdb_host | string | "127.0.0.1" | InfluxDB server address (IPv4, IPv6 address or domain name) |
| influxdb_port | numeric_ipv4_port | 8086 | InfluxDB server port |
| influxdb_custom_tags | bool | false | Adds custom tag to InfluxDB export data |
| influxdb_tag_name | string | "node" | Custom tag name |
| influxdb_tag_value | string | "master" | Custom tag value |
| influxdb_tags_table | string_string_map | | Custom tags in key / value format |
| influxdb_skip_host_counters | bool | false | Skip export for host counters to reduce load on InfluxDB server |
| influxdb_push_host_ipv6_counters | bool | true | Enable pushing per host IPv6 counters to InfluxDB |
| influxdb_push_host_ipv4_flexible_counters | bool | true | Enables export of flexible per host IPv4 counters to InfluxDB |
| influxdb_push_host_ipv6_flexible_counters | bool | true | Enables export of flexible per host IPv6 counters to InfluxDB |
| influxdb_user | string | "fastnetmon" | Username for InfluxDB |
| influxdb_password | string | "fastnetmon" | Password for InfluxDB |
| influxdb_auth | bool | false | Enable authorization for InfluxDB |
| influxdb_attack_notification | bool | false | Enables attack notifications in Grafana |
| influxdb_push_period | positive_integer_with_zero | 1 | Delay between runs of the InfluxDB push thread |

netflow

| Name | Type | Default value | Description |
|---|---|---|---|
| netflow | bool | false | Enable Netflow capture. We support Netflow v5, v9 and IPFIX (10) |
| netflow_count_packets_per_device | bool | false | Enable logic to count number of packets from each router |
| netflow_multi_thread_processing | bool | false | Enables multi thread processing for each Netflow port |
| netflow_threads_per_port | positive_integer_with_zero | 1 | Number of threads per Netflow port |
| netflow_multi_thread_mode | string | "" | Mode used to distribute traffic between threads |
| netflow_ports | numeric_ipv4_port_list | [ ] | Netflow collector port. It's possible to specify multiple ports here |
| netflow_host | string | "0.0.0.0" | Netflow collector host. To bind on all interfaces for IPv4 and IPv6 use ::. To bind only on IPv4 use 0.0.0.0. To bind on localhost for IPv4 and IPv6 use ::1. To bind on localhost only for IPv4 use 127.0.0.1 |
| netflow_socket_read_mode | string | "recvfrom" | Switches logic used to read data from socket: recvfrom or recvmsg |
| netflow_rx_queue_overflow_monitoring | bool | false | Switches on logic to monitor drops on socket |
| netflow_ignore_sampling_rate_from_device | bool | false | Ignores sampling rate announces from device. For Netflow v9 and IPFIX only |
| netflow_ignore_long_duration_flow_enable | bool | false | FastNetMon will ignore flows which exceed the duration specified in configuration |
| netflow_long_duration_flow_limit | positive_integer_with_zero | 1 | FastNetMon will ignore flows which exceed the duration specified in this option |
| netflow_v5_per_router_sampling_rate | string_positive_integer_with_zero_map | | Custom Netflow v5 sampling rate on router basis |
| netflow_v9_per_router_sampling_rate | string_positive_integer_with_zero_map | | Custom Netflow v9 sampling rate on router basis |
| netflow_v9_read_sampling_rate_in_data_section | bool | false | Enables logic which can retrieve sampling rate when it was passed in data section. Mikrotik uses this approach |
| netflow_v9_extract_tunnel_traffic | bool | false | Enables logic for Netflow v9 code which strips the external level for GRE tunnels. It works only when packet header information is present |
| ipfix_per_router_sampling_rate | string_positive_integer_with_zero_map | | Custom IPFIX sampling rate on router basis |
| ipfix_extract_tunnel_traffic | bool | false | Enables logic for IPFIX code which strips the external level for GRE tunnels. It works only when packet header information is present |
| netflow_sampling_ratio | positive_integer_with_zero | 1 | Netflow v9 or IPFIX sampling rate used at agent side. Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sampling ratio. Here you can specify a sampling ratio for all these agents. For Netflow v5 we extract sampling ratio from packets directly and this option is not used |
| netflow_v5_custom_sampling_ratio_enable | bool | false | This option will override Netflow v5 sampling rate from packets with the specified value |
| netflow_v5_sampling_ratio | positive_integer_with_zero | 1 | Used when netflow_v5_custom_sampling_ratio_enable is enabled |
| netflow_templates_cache | bool | true | Cache Netflow v9 or IPFIX data templates on disk |
| netflow_sampling_cache | bool | true | Cache Netflow v9 and IPFIX sampling rates on disk |
| netflow_process_only_flows_with_dropped_packets | bool | false | We will process only Netflow v9 or IPFIX flows with forwarding status set to dropped |
| netflow_mark_zero_next_hop_and_zero_output_as_dropped | bool | false | With this option all traffic with zero IPv4 and IPv6 addresses in next hop and zero output interface will be marked as dropped |

traffic_calculation_management

| Name | Type | Default value | Description |
|---|---|---|---|
| keep_traffic_counters_during_restart | bool | false | Keep all speed counters during restarts |
| process_incoming_traffic | bool | true | Enables or disables processing for incoming traffic |
| process_outgoing_traffic | bool | true | Enables or disables processing for outgoing traffic |
| override_internal_traffic_as_incoming | bool | false | Enables logic to process internal traffic as incoming |
| override_internal_traffic_as_outgoing | bool | false | Enables logic to process internal traffic as outgoing |
| process_ipv6_traffic | bool | true | Enables processing for IPv6 traffic |
| enable_connection_tracking | bool | true | Enable traffic state tracking. If you are interested in flow per second rates, please enable it. Be careful, it may increase CPU usage significantly |
| remote_host_tracking | bool | false | Completely enable or disable bandwidth calculation for remote hosts |
| connection_tracking_skip_ports | bool | false | Disables port processing for connection tracking |
| enable_total_hostgroup_counters | bool | true | Enable traffic counters for total per hostgroup traffic |
| enable_interface_counters | bool | true | Enable interface counters for per interface traffic |
| enable_asn_counters | bool | true | Enable ASN counters for per ASN traffic |
| build_total_hostgroups_from_per_host_hostgroups | bool | false | Allows using per-host hostgroups for building total hostgroups |
| dump_other_traffic | bool | false | Dump all traffic which belongs to the other class to log. Only for debugging purposes. It significantly degrades performance |
| dump_internal_traffic | bool | false | Dump all traffic which belongs to the internal class to log. Only for debugging purposes. It significantly degrades performance |
| dump_all_traffic | bool | false | Dump all traffic to log. Only for debugging purposes. It significantly degrades performance |
| dump_all_traffic_json | bool | false | Dump all traffic to log in JSON format. Only for debugging purposes. It significantly degrades performance |
| speed_calculation_delay | positive_integer_with_zero | 1 | This value controls how often we run the speed recalculation function. Please do not change it unless support suggested this to you |
| average_calculation_time | positive_integer_with_zero | 5 | We use average values for traffic speed to a certain IP and calculate the average over this time slice |
| flow_forwarder | bool | false | Flow forwarder allows you to send traffic to a remote FastNetMon |
| flow_forwarder_remote_addresses | string_list | [ ] | Remote FastNetMon addresses for the flow forwarder in protocol://host:port format; protocol can be udp or tcp |
| flow_forwarder_sampling_rate | positive_integer_with_zero | 512 | Sampling rate for mirrored traffic for Flow Forwarder export |
| ipv6_automatic_data_cleanup | bool | true | Enables logic which removes old entries from IPv6 data counters |
| ipv6_automatic_data_cleanup_threshold | positive_integer_with_zero | 300 | We will remove all entries which exceed this age in seconds |
| ipv6_automatic_data_cleanup_delay | positive_integer_with_zero | 300 | How often we will run cleanup logic |
| ipv4_automatic_data_cleanup | bool | true | Enables logic which removes old entries from IPv4 data counters |
| ipv4_automatic_data_cleanup_threshold | positive_integer_with_zero | 300 | We will remove all entries which exceed this age in seconds |
| ipv4_automatic_data_cleanup_delay | positive_integer_with_zero | 300 | How often we will run cleanup logic |
| ipv4_remote_automatic_data_cleanup | bool | true | Enables logic which removes old entries from IPv4 remote data counters |
| ipv4_remote_automatic_data_cleanup_threshold | positive_integer_with_zero | 300 | We will remove all remote IPv4 entries which exceed this age in seconds |
| ipv4_remote_automatic_data_cleanup_delay | positive_integer_with_zero | 300 | How often we will run cleanup logic for remote IPv4 records |
| traffic_buffer | bool | false | Enables or disables traffic buffer which keeps some amount of previously processed packets |
| traffic_buffer_size | positive_integer_with_zero | 100000 | Specifies number of elements in traffic_buffer for 1 second of average calculation time |
| traffic_buffer_port_mirror | bool | false | Enables or disables traffic buffer for port mirror modes. Do not enable unless sampling is enabled |
| generate_attack_traffic_samples | bool | false | Enables logic to populate statistical reports about attack traffic. Only for vendor integrations |
| generate_attack_traffic_samples_delay | positive_integer_with_zero | 60 | How often we're going to produce traffic reports about active attacks |
| generate_max_talkers_report | bool | false | Enables logic to track max talkers and store them into MongoDB. Only for vendor integrations |
| generate_max_talkers_report_delay | positive_integer_with_zero | 300 | How often we're going to produce reports about max talkers |
| generate_hostgroup_traffic_samples | bool | false | Enables logic to populate statistical reports about hostgroup traffic. Only for vendor integrations |
| generate_hostgroup_traffic_samples_delay | positive_integer_with_zero | 60 | How often we're going to produce traffic reports for hostgroup traffic |

default

| Name | Type | Default value | Description |
|---|---|---|---|
| name | string | "global" | Name of host group |
| parent_name | string | "" | Parent host group name |
| description | string | "This is default group for all hosts" | Human-friendly name for this group |
| calculation_method | string | "per_host" | Traffic calculation method for host group: total or per_host (or empty value) |
| networks | cidr_networks_list | [ ] | List of networks which belong to this group |
| enable_ban | bool | false | Enable ban actions for hosts in this group |
| ban_for_pps | bool | false | Should we block host in this group if it exceeds packet per second threshold? |
| ban_for_bandwidth | bool | false | Should we block host in this group if it exceeds bandwidth threshold? |
| ban_for_flows | bool | false | Should we block host in this group if it exceeds flows threshold? |
| threshold_pps | positive_integer_with_zero | 100000 | Packet per second traffic to/from this host should exceed this value |
| threshold_mbps | positive_integer_with_zero | 1000 | Bandwidth to/from this host should exceed this value |
| threshold_flows | positive_integer_with_zero | 3500 | Flow per second speed to/from this host should exceed this value |
| ban_for_tcp_bandwidth | bool | false | Block hosts in group for TCP bandwidth threshold? |
| ban_for_udp_bandwidth | bool | false | Block hosts in group for UDP bandwidth threshold? |
| ban_for_icmp_bandwidth | bool | false | Block hosts in group for ICMP bandwidth threshold? |
| ban_for_tcp_pps | bool | false | Should we block host in this group if it exceeds packet per second threshold for TCP? |
| ban_for_udp_pps | bool | false | Should we block host in this group if it exceeds packet per second threshold for UDP? |
| ban_for_icmp_pps | bool | false | Should we block host in this group if it exceeds packet per second threshold for ICMP? |
| threshold_tcp_mbps | positive_integer_with_zero | 1000 | TCP bandwidth to/from this host should exceed this value |
| threshold_udp_mbps | positive_integer_with_zero | 1000 | UDP bandwidth to/from this host should exceed this value |
| threshold_icmp_mbps | positive_integer_with_zero | 1000 | ICMP bandwidth to/from this host should exceed this value |
| threshold_tcp_pps | positive_integer_with_zero | 100000 | TCP packet per second traffic to/from this host should exceed this value |
| threshold_udp_pps | positive_integer_with_zero | 100000 | UDP packet per second traffic to/from this host should exceed this value |
| threshold_icmp_pps | positive_integer_with_zero | 100000 | ICMP packet per second traffic to/from this host should exceed this value |
| ban_for_tcp_syn_pps | bool | false | Block hosts in group for TCP SYN packets per second threshold |
| threshold_tcp_syn_pps | positive_integer_with_zero | 1000 | TCP SYN pps to/from this host should exceed this value |
| ban_for_tcp_syn_bandwidth | bool | false | Block hosts in group for TCP SYN bandwidth threshold |
| threshold_tcp_syn_mbps | positive_integer_with_zero | 1000 | TCP SYN bandwidth to/from this host should exceed this value |
| ban_for_ip_fragments_pps | bool | false | Block hosts in group for fragmented IP packets per second threshold |
| threshold_ip_fragments_pps | positive_integer_with_zero | 1000 | Fragmented IP pps to/from this host should exceed this value |
| ban_for_ip_fragments_bandwidth | bool | false | Block hosts in group for fragmented IP bandwidth threshold |
| threshold_ip_fragments_mbps | positive_integer_with_zero | 1000 | Fragmented IP bandwidth to/from this host should exceed this value |
| enable_ban_incoming | bool | false | Enable ban actions for this group for incoming traffic |
| enable_ban_outgoing | bool | false | Enable ban actions for this group for outgoing traffic |
| enable_bgp_flow_spec | bool | false | Enable BGP Flow Spec for this hostgroup |
| ban_for_pps_outgoing | bool | false | Should we block host in this group if it exceeds packet per second threshold? |
| ban_for_bandwidth_outgoing | bool | false | Should we block host in this group if it exceeds bandwidth threshold? |
| ban_for_flows_outgoing | bool | false | Should we block host in this group if it exceeds flows threshold? |
| threshold_pps_outgoing | positive_integer_with_zero | 100000 | Packet per second traffic to/from this host should exceed this value |
| threshold_mbps_outgoing | positive_integer_with_zero | 1000 | Bandwidth to/from this host should exceed this value |
| threshold_flows_outgoing | positive_integer_with_zero | 3500 | Flow per second speed to/from this host should exceed this value |
| ban_for_tcp_bandwidth_outgoing | bool | false | Block hosts in group for TCP bandwidth threshold? |
| ban_for_udp_bandwidth_outgoing | bool | false | Block hosts in group for UDP bandwidth threshold? |
| ban_for_icmp_bandwidth_outgoing | bool | false | Block hosts in group for ICMP bandwidth threshold? |
| ban_for_tcp_pps_outgoing | bool | false | Should we block host in this group if it exceeds packet per second threshold for TCP? |
| ban_for_udp_pps_outgoing | bool | false | Should we block host in this group if it exceeds packet per second threshold for UDP? |
| ban_for_icmp_pps_outgoing | bool | false | Should we block host in this group if it exceeds packet per second threshold for ICMP? |
| threshold_tcp_mbps_outgoing | positive_integer_with_zero | 1000 | TCP bandwidth to/from this host should exceed this value |
| threshold_udp_mbps_outgoing | positive_integer_with_zero | 1000 | UDP bandwidth to/from this host should exceed this value |
| threshold_icmp_mbps_outgoing | positive_integer_with_zero | 1000 | ICMP bandwidth to/from this host should exceed this value |
| threshold_tcp_pps_outgoing | positive_integer_with_zero | 100000 | TCP packet per second traffic to/from this host should exceed this value |
| threshold_udp_pps_outgoing | positive_integer_with_zero | 100000 | UDP packet per second traffic to/from this host should exceed this value |
| threshold_icmp_pps_outgoing | positive_integer_with_zero | 100000 | ICMP packet per second traffic to/from this host should exceed this value |
| ban_for_tcp_syn_pps_outgoing | bool | false | Block hosts in group for TCP SYN packets per second threshold |
| threshold_tcp_syn_pps_outgoing | positive_integer_with_zero | 1000 | TCP SYN pps to/from this host should exceed this value |
| ban_for_tcp_syn_bandwidth_outgoing | bool | false | Block hosts in group for TCP SYN bandwidth threshold |
| threshold_tcp_syn_mbps_outgoing | positive_integer_with_zero | 1000 | TCP SYN bandwidth to/from this host should exceed this value |
| ban_for_ip_fragments_pps_outgoing | bool | false | Block hosts in group for fragmented IP packets per second threshold |
| threshold_ip_fragments_pps_outgoing | positive_integer_with_zero | 1000 | Fragmented IP pps to/from this host should exceed this value |
| ban_for_ip_fragments_bandwidth_outgoing | bool | false | Block hosts in group for fragmented IP bandwidth threshold |
| threshold_ip_fragments_mbps_outgoing | positive_integer_with_zero | 1000 | Fragmented IP bandwidth to/from this host should exceed this value |
| flexible_thresholds | flexible_thresholds | "{}" | Flexible thresholds |