13.12.2017

FastNetMon JSON formats

Here you could find examples for JSON documents used by FastNetMon.

We use them for web hooks and for JSON-enabled notify script

ban action:

{
  "ip": "127.0.0.1",
  "action": "ban",
  "attack_details": {
    "attack_uuid": "041eb504-2b33-4ff7-a6b7-8235408d5062",
    "attack_severity": "middle",
    "attack_type": "unknown",
    "initial_attack_power": 282473,
    "peak_attack_power": 282473,
    "attack_direction": "outgoing",
    "attack_protocol": "tcp",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 15253500,
    "total_outgoing_traffic": 15253590,
    "total_incoming_pps": 282472,
    "total_outgoing_pps": 282473,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "average_incoming_traffic": 15253500,
    "average_outgoing_traffic": 15253590,
    "average_incoming_pps": 282472,
    "average_outgoing_pps": 282473,
    "average_incoming_flows": 0,
    "average_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,
    "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 15253547,
    "outgoing_tcp_traffic": 15253590,
    "incoming_tcp_pps": 282472,
    "outgoing_tcp_pps": 282473,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0,
    "incoming_icmp_traffic": 0,
    "outgoing_icmp_traffic": 0,
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0
  }
}

unban action:

{
  "ip": "127.0.0.1",
  "action": "unban",
  "attack_details": {
    "attack_uuid": "041eb504-2b33-4ff7-a6b7-8235408d5062",
    "attack_severity": "middle",
    "attack_type": "unknown",
    "initial_attack_power": 282473,
    "peak_attack_power": 282473,
    "attack_direction": "outgoing",
    "attack_protocol": "tcp",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 15253500,
    "total_outgoing_traffic": 15253590,
    "total_incoming_pps": 282472,
    "total_outgoing_pps": 282473,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "average_incoming_traffic": 15253500,
    "average_outgoing_traffic": 15253590,
    "average_incoming_pps": 282472,
    "average_outgoing_pps": 282473,
    "average_incoming_flows": 0,
    "average_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,
    "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 15253547,
    "outgoing_tcp_traffic": 15253590,
    "incoming_tcp_pps": 282472,
    "outgoing_tcp_pps": 282473,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0,
    "incoming_icmp_traffic": 0,
    "outgoing_icmp_traffic": 0,
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0
  }
}

partial ban action  (flow spec):

{
  "ip": "127.0.0.1",
  "action": "partial_block",
  "attack_details": {
    "attack_uuid": "ac6f8000-1b17-43b8-9324-f8f7527bd948",
    "attack_severity": "middle",
    "attack_type": "unknown",
    "initial_attack_power": 266676,
    "peak_attack_power": 266676,
    "attack_direction": "incoming",
    "attack_protocol": "tcp",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 14400545,
    "total_outgoing_traffic": 14400485,
    "total_incoming_pps": 266676,
    "total_outgoing_pps": 266675,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "average_incoming_traffic": 14400545,
    "average_outgoing_traffic": 14400485,
    "average_incoming_pps": 266676,
    "average_outgoing_pps": 266675,
    "average_incoming_flows": 0,
    "average_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,
    "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 14400477,
    "outgoing_tcp_traffic": 14400485,
    "incoming_tcp_pps": 266675,
    "outgoing_tcp_pps": 266675,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0,
    "incoming_icmp_traffic": 0,
    "outgoing_icmp_traffic": 0,
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0
  },
  "flow_spec_rules": [
    {
      "source_prefix": "127.11.0.3/32",
      "destination_prefix": "127.0.0.1/32",
      "destination_ports": [
        0
      ],
      "packet_lengths": [
        40
      ],
      "protocols": [
        "tcp"
      ],
      "tcp_flags": [
        "ack"
      ],
      "action_type": "discard",
      "action": {}
    }
  ]
}

In version 2.0.120 we added new field “packet_dump” for ban/unban actions which includes packet dump in string format:

  "packet_dump": [
    "2018-12-15 19:16:39.376373 127.0.0.10:0 > 127.0.0.1:8842 protocol: tcp flags: rst,ack frag: 0  packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ",
    "2018-12-15 19:16:39.376394 127.0.0.10:0 > 127.0.0.1:8842 protocol: tcp flags: rst,ack frag: 0  packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ",
    "2018-12-15 19:16:39.376405 127.0.0.1:8843 > 127.0.0.10:0 protocol: tcp flags: - frag: 0  packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ",
    "2018-12-15 19:16:39.376414 127.0.0.1:8843 > 127.0.0.10:0 protocol: tcp flags: - frag: 0  packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 "
  ]

In FastNetMon 2.0.134 we added per field detailed attack dump

  "packet_dump_detailed": [
    {
      "ip_version": "ipv4",
      "source_ip": "10.10.10.1",
      "destination_ip": "192.168.1.100",
      "source_port": 80,
      "destination_port": 55820,
      "tcp_flags": "ack",
      "fragmentation": false,
      "packets": 1,
      "length": 1506,
      "ip_length": 1492,
      "ttl": 56,
      "sample_ratio": 1,
      "protocol": "tcp"
    },
    {
      "ip_version": "ipv4",
      "source_ip": "10.10.10.1",
      "destination_ip": "192.168.1.100",
      "source_port": 80,
      "destination_port": 55820,
      "tcp_flags": "ack",
      "fragmentation": false,
      "packets": 1,
      "length": 1506,
      "ip_length": 1492,
      "ttl": 56,
      "sample_ratio": 1,
      "protocol": "tcp"
    },
    {
      "ip_version": "ipv4",
      "source_ip": "192.168.1.100",
      "destination_ip": "10.10.10.1",
      "source_port": 55820,
      "destination_port": 80,
      "tcp_flags": "ack",
      "fragmentation": false,
      "packets": 1,
      "length": 66,
      "ip_length": 52,
      "ttl": 64,
      "sample_ratio": 1,
      "protocol": "tcp"
    },
    {
      "ip_version": "ipv4",
      "source_ip": "10.10.10.1",
      "destination_ip": "192.168.1.100",
      "source_port": 80,
      "destination_port": 55820,
      "tcp_flags": "ack",
      "fragmentation": false,
      "packets": 1,
      "length": 1506,
      "ip_length": 1492,
      "ttl": 56,
      "sample_ratio": 1,
      "protocol": "tcp"
    }
  ]

Per hostgroup block actions:

{
  "hostgroup_name": "global_total",
  "action": "ban",

  "attack_details": {
    "attack_uuid": "800ed163-018a-4864-94d1-a63a48616cb0",
    "attack_severity": "middle",
    "attack_type": "unknown",
    "protocol_version": "IPv4",
    "initial_attack_power": 0,
    "peak_attack_power": 0,
    "attack_direction": "other",
    "attack_protocol": "unknown",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 0,
    "total_outgoing_traffic": 0,
    "total_incoming_pps": 0,
    "total_outgoing_pps": 0,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "average_incoming_traffic": 0,
    "average_outgoing_traffic": 0,
    "average_incoming_pps": 0,
    "average_outgoing_pps": 0,
    "average_incoming_flows": 0,
    "average_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,         
     "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 0,
    "outgoing_tcp_traffic": 0,
    "incoming_tcp_pps": 0,
    "outgoing_tcp_pps": 0,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0, 
    "incoming_icmp_traffic": 0, 
    "outgoing_icmp_traffic": 0, 
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0 
} }