This guide provides detailed information about the attack detection logic for different cases.
FastNetMon checks every host against the thresholds specified in the hostgroup configuration once per second. When any of your hosts crosses a threshold, FastNetMon creates a "traffic capture request".
After the capture request is created, FastNetMon collects all traffic to the specified host. By default, FastNetMon captures 500 packets (for mirror/SPAN mode) or 20 packets (for sFlow v5, Netflow, IPFIX).
You can change this value as follows:
sudo fcli set main ban_details_records_count 5
sudo fcli commit
If FastNetMon cannot capture this number of packets within 120 seconds (this value cannot be changed), it treats the "traffic capture request" as orphaned and removes it completely.
You can find such cases in the log file /var/log/fastnetmon/fastnetmon.log:
[WARN] We've found orphaned bucket for IP: 10.251.23.1
[WARN] It has 3 parsed packets
[WARN] And 3 raw packets
[WARN] We will remove it
In this case, FastNetMon declares the attack a false positive and does not apply any actions.
If you use sampled Netflow/IPFIX/sFlow v5, you can reduce this value to 2-3 packets or even to a single packet. In this case, FastNetMon will block the host almost immediately after receiving the initial alert, because sampled collection delivers far fewer packets per second than a mirror port and a high packet count may never be reached within the 120 second window.
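To see how ban_details_records_count interacts with the fixed 120 second orphan timeout, here is an added Python model of the capture request lifecycle described above. It is not FastNetMon code; the timeout and default packet counts come from this page, while the packet timelines are constructed to imitate an unsampled mirror port and a sampled flow export.

```python
"""Model of a FastNetMon "traffic capture request" (added example, not FastNetMon code).

A request is created when a host crosses its hostgroup threshold. It then collects
packets for that host until either `needed` packets arrive (attack confirmed, host
banned) or ORPHAN_TIMEOUT_S elapses (request dropped as orphaned, false positive).
"""

ORPHAN_TIMEOUT_S = 120.0   # fixed in FastNetMon per the documentation, not configurable
DEFAULT_MIRROR = 500       # default ban_details_records_count for mirror/SPAN mode
DEFAULT_SAMPLED = 20       # default for sFlow v5 / Netflow / IPFIX


def decide(alert_at: float, packet_times: list, needed: int):
    """Replay captured packet timestamps (seconds) after an alert at `alert_at`.

    Returns ("ban", seconds_until_ban) when `needed` packets arrive within the
    orphan timeout, otherwise ("orphaned", ORPHAN_TIMEOUT_S) meaning no action.
    """
    collected = 0
    for t in sorted(packet_times):
        if t < alert_at:
            continue                      # traffic before the alert is not part of the capture
        if t - alert_at > ORPHAN_TIMEOUT_S:
            break                         # window closed before enough packets were seen
        collected += 1
        if collected >= needed:
            return "ban", t - alert_at
    return "orphaned", ORPHAN_TIMEOUT_S


# Constructed timelines: a mirror port sees every packet (100 pps here), while a
# sampled export delivers only one packet of the same attack every 30 seconds.
MIRROR_TIMELINE = [i / 100 for i in range(600)]
SAMPLED_TIMELINE = [i * 30.0 for i in range(10)]


def compare_settings():
    """Show why the default sampled count can orphan a real attack while 3 packets bans it."""
    return {
        "mirror_default": decide(0.0, MIRROR_TIMELINE, DEFAULT_MIRROR),
        "sampled_default": decide(0.0, SAMPLED_TIMELINE, DEFAULT_SAMPLED),
        "sampled_reduced": decide(0.0, SAMPLED_TIMELINE, 3),
    }


if __name__ == "__main__":
    for name, (verdict, seconds) in compare_settings().items():
        print(f"{name}: {verdict} after {seconds:.2f}s")
```

The sampled timeline never reaches 20 packets inside the window, so the host is logged as an orphaned bucket and left alone; with the count lowered to 3 the same traffic produces a ban after the third sample.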