Here you can find examples of the JSON documents used by FastNetMon.

We use them for webhooks and for the JSON-enabled notify script.

ban action:

{
  "ip": "127.0.0.1",
  "action": "ban",
  "alert_scope": "host",
  "attack_details": {
    "attack_uuid": "041eb504-2b33-4ff7-a6b7-8235408d5062",
    "attack_severity": "middle",
    "attack_type": "unknown",
    "initial_attack_power": 282473,
    "peak_attack_power": 282473,
    "attack_direction": "outgoing",
    "attack_protocol": "tcp",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 15253500,
    "total_outgoing_traffic": 15253590,
    "total_incoming_pps": 282472,
    "total_outgoing_pps": 282473,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "average_incoming_traffic": 15253500,
    "average_outgoing_traffic": 15253590,
    "average_incoming_pps": 282472,
    "average_outgoing_pps": 282473,
    "average_incoming_flows": 0,
    "average_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,
    "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 15253547,
    "outgoing_tcp_traffic": 15253590,
    "incoming_tcp_pps": 282472,
    "outgoing_tcp_pps": 282473,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0,
    "incoming_icmp_traffic": 0,
    "outgoing_icmp_traffic": 0,
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0
  }
}

unban action:

{
  "ip": "127.0.0.1",
  "action": "unban",
  "alert_scope": "host",
  "attack_details": {
    "attack_uuid": "041eb504-2b33-4ff7-a6b7-8235408d5062",
    "attack_severity": "middle",
    "attack_type": "unknown",
    "initial_attack_power": 282473,
    "peak_attack_power": 282473,
    "attack_direction": "outgoing",
    "attack_protocol": "tcp",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 15253500,
    "total_outgoing_traffic": 15253590,
    "total_incoming_pps": 282472,
    "total_outgoing_pps": 282473,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "average_incoming_traffic": 15253500,
    "average_outgoing_traffic": 15253590,
    "average_incoming_pps": 282472,
    "average_outgoing_pps": 282473,
    "average_incoming_flows": 0,
    "average_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,
    "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 15253547,
    "outgoing_tcp_traffic": 15253590,
    "incoming_tcp_pps": 282472,
    "outgoing_tcp_pps": 282473,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0,
    "incoming_icmp_traffic": 0,
    "outgoing_icmp_traffic": 0,
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0
  }
}

partial ban action (flow spec):

{
  "ip": "127.0.0.1",
  "action": "partial_block",
  "attack_details": {
    "attack_uuid": "ac6f8000-1b17-43b8-9324-f8f7527bd948",
    "attack_severity": "middle",
    "attack_type": "unknown",
    "initial_attack_power": 266676,
    "peak_attack_power": 266676,
    "attack_direction": "incoming",
    "attack_protocol": "tcp",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 14400545,
    "total_outgoing_traffic": 14400485,
    "total_incoming_pps": 266676,
    "total_outgoing_pps": 266675,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "average_incoming_traffic": 14400545,
    "average_outgoing_traffic": 14400485,
    "average_incoming_pps": 266676,
    "average_outgoing_pps": 266675,
    "average_incoming_flows": 0,
    "average_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,
    "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 14400477,
    "outgoing_tcp_traffic": 14400485,
    "incoming_tcp_pps": 266675,
    "outgoing_tcp_pps": 266675,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0,
    "incoming_icmp_traffic": 0,
    "outgoing_icmp_traffic": 0,
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0
  },
  "flow_spec_rules": [
    {
      "source_prefix": "127.11.0.3/32",
      "destination_prefix": "127.0.0.1/32",
      "destination_ports": [
        0
      ],
      "packet_lengths": [
        40
      ],
      "protocols": [
        "tcp"
      ],
      "tcp_flags": [
        "ack"
      ],
      "action_type": "discard",
      "action": {}
    }
  ]
}

We have a "packet_dump" field for ban/unban actions which contains the packet dump in string format:

  "packet_dump": [
    "2018-12-15 19:16:39.376373 127.0.0.10:0 > 127.0.0.1:8842 protocol: tcp flags: rst,ack frag: 0  packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ",
    "2018-12-15 19:16:39.376394 127.0.0.10:0 > 127.0.0.1:8842 protocol: tcp flags: rst,ack frag: 0  packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ",
    "2018-12-15 19:16:39.376405 127.0.0.1:8843 > 127.0.0.10:0 protocol: tcp flags: - frag: 0  packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 ",
    "2018-12-15 19:16:39.376414 127.0.0.1:8843 > 127.0.0.10:0 protocol: tcp flags: - frag: 0  packets: 1 size: 54 bytes ip size: 40 bytes ttl: 64 sample ratio: 1 "
  ]

We also have a detailed per-field packet dump:

  "packet_dump_detailed": [
    {
      "ip_version": "ipv4",
      "source_ip": "10.10.10.1",
      "destination_ip": "192.168.1.100",
      "source_port": 80,
      "destination_port": 55820,
      "tcp_flags": "ack",
      "fragmentation": false,
      "packets": 1,
      "length": 1506,
      "ip_length": 1492,
      "ttl": 56,
      "sample_ratio": 1,
      "protocol": "tcp"
    },
    {
      "ip_version": "ipv4",
      "source_ip": "10.10.10.1",
      "destination_ip": "192.168.1.100",
      "source_port": 80,
      "destination_port": 55820,
      "tcp_flags": "ack",
      "fragmentation": false,
      "packets": 1,
      "length": 1506,
      "ip_length": 1492,
      "ttl": 56,
      "sample_ratio": 1,
      "protocol": "tcp"
    },
    {
      "ip_version": "ipv4",
      "source_ip": "192.168.1.100",
      "destination_ip": "10.10.10.1",
      "source_port": 55820,
      "destination_port": 80,
      "tcp_flags": "ack",
      "fragmentation": false,
      "packets": 1,
      "length": 66,
      "ip_length": 52,
      "ttl": 64,
      "sample_ratio": 1,
      "protocol": "tcp"
    },
    {
      "ip_version": "ipv4",
      "source_ip": "10.10.10.1",
      "destination_ip": "192.168.1.100",
      "source_port": 80,
      "destination_port": 55820,
      "tcp_flags": "ack",
      "fragmentation": false,
      "packets": 1,
      "length": 1506,
      "ip_length": 1492,
      "ttl": 56,
      "sample_ratio": 1,
      "protocol": "tcp"
    }
  ]

Per-hostgroup block actions:

{
  "hostgroup_name": "global_total",
  "action": "ban",
  "alert_scope": "hostgroup",
  "hostgroup_networks": [ "192.168.1.0/24", "10.10.1.2/16" ],
  "attack_details": {
    "attack_uuid": "800ed163-018a-4864-94d1-a63a48616cb0",
    "attack_severity": "middle",
    "attack_type": "unknown",
    "protocol_version": "IPv4",
    "initial_attack_power": 0,
    "peak_attack_power": 0,
    "attack_direction": "other",
    "attack_protocol": "unknown",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 0,
    "total_outgoing_traffic": 0,
    "total_incoming_pps": 0,
    "total_outgoing_pps": 0,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "average_incoming_traffic": 0,
    "average_outgoing_traffic": 0,
    "average_incoming_pps": 0,
    "average_outgoing_pps": 0,
    "average_incoming_flows": 0,
    "average_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,         
     "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 0,
    "outgoing_tcp_traffic": 0,
    "incoming_tcp_pps": 0,
    "outgoing_tcp_pps": 0,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0, 
    "incoming_icmp_traffic": 0, 
    "outgoing_icmp_traffic": 0, 
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0 
} }

To create a versatile callback script that works for both per-host and per-hostgroup actions, you can use the "alert_scope" field to distinguish them: it is "host" in the per-host examples above and "hostgroup" in the per-hostgroup example. Note that the partial_block example above does not include "alert_scope", so a script should not assume the field is always present.
