In addition to a wide range of static thresholds, FastNetMon offers the capability to create completely custom thresholds using almost all fields available in L3 and L4 OSI model layers. Flexible dashboards can be used for both per_host and total hostgroups.
To enable this logic, you will need to set the following flag:
sudo fcli set main flexible_thresholds true
After this, you will need to create up to 16 traffic rules using the following fields:
- name - name of the traffic rule; it is used as the prefix for all metrics belonging to this rule. It must consist of lowercase Latin letters, digits or the _ symbol.
- active - flag which enables the rule; when set to false, FastNetMon ignores it. Useful to temporarily deactivate a rule without removing it.
- description - free-form description; any text is allowed.
- source_ports - accepts integers from 0 to 65535. This field may be empty, which means "any source port". May have multiple ports (up to 10), and all ports will be evaluated using "OR" for packet matching.
- destination_ports - accepts integers from 0 to 65535. This field may be empty, which means "any destination port". May have multiple ports (up to 10), and all ports will be evaluated using "OR" for packet matching.
- packet_lengths - accepts integers from 0 to 65535 (we allow such large values to accommodate jumbo datagrams and long flows). This field may be empty, which means "any length". May have multiple lengths (up to 10), and all lengths will be evaluated using "OR" for packet matching.
- protocols - may carry a protocol name (lowercase, IANA compliant) or a protocol number (0..255). This field may be empty, which means "any protocol". May have multiple protocols (up to 10), and all protocols will be evaluated using "OR" for packet matching. We've attached a list of well-known protocol names as we use them. The intention is to allow well-known protocol names, such as tcp, udp and gre, while keeping the option to encode any protocol with a number.
- fragmentation_flags - can be set to dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment, or can be empty. We do not recommend using this field, as IPFIX / Netflow does not allow fragmentation encoding.
- tcp_flags - can be empty or one of syn / ack / fin / urgent / push / rst. Only exact matches with a single flag set are supported; there is no support for matching combinations (e.g. syn + ack).
- ttls - can be empty or hold a list of TTLs; each TTL must be in the range 0 to 255. Please note that not all traffic telemetry protocols can provide information about the TTL value. This option is available starting from 2.0.374.
Create a new traffic rule:
sudo fcli set traffic_rule new_rule
You may find an example configuration below:
sudo fcli set traffic_rule dns protocols udp
sudo fcli set traffic_rule dns active true
sudo fcli set traffic_rule dns source_ports 53
sudo fcli commit
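As an added example (not part of the FastNetMon documentation or its fcli tooling), the following Python script checks a rule definition against the field constraints listed above and then emits the fcli commands for it, so a malformed rule is rejected before anything is committed. The comma-separated form for multi-value fields is an assumption; confirm the syntax on your version with `fcli show traffic_rule`.

```python
import re
import shlex
# Constraints from the traffic rule field list above (list fields take at most 10 values).
MAX_LIST_ITEMS = 10
NAME_RE = re.compile(r"^[a-z0-9_]+$")
PROTO_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")  # lowercase IANA-style name, not checked against IANA
INT_LIMITS = {"source_ports": 65535, "destination_ports": 65535, "packet_lengths": 65535, "ttls": 255}
ENUM_FIELDS = {  # exactly one value, no combinations such as syn+ack
    "tcp_flags": {"syn", "ack", "fin", "urgent", "push", "rst"},
    "fragmentation_flags": {"dont-fragment", "is-fragment", "first-fragment", "last-fragment", "not-a-fragment"},
}
FIELD_ORDER = ("description", "active", "source_ports", "destination_ports", "packet_lengths",
               "protocols", "fragmentation_flags", "tcp_flags", "ttls")

def validate_rule(rule):
    """Raise ValueError if the rule dict violates any documented field constraint."""
    if not NAME_RE.match(rule.get("name", "")):
        raise ValueError("name must be lowercase Latin letters, digits or _")
    for field, hi in INT_LIMITS.items():
        values = rule.get(field, [])  # empty list means "any"
        if len(values) > MAX_LIST_ITEMS:
            raise ValueError(f"{field}: at most {MAX_LIST_ITEMS} values allowed")
        for v in values:
            if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= hi:
                raise ValueError(f"{field}: {v!r} is not an integer in 0..{hi}")
    protos = rule.get("protocols", [])
    if len(protos) > MAX_LIST_ITEMS or not all(
            (isinstance(p, int) and 0 <= p <= 255) or (isinstance(p, str) and PROTO_NAME_RE.match(p))
            for p in protos):
        raise ValueError("protocols: up to 10 lowercase names or numbers 0..255")
    for field, allowed in ENUM_FIELDS.items():
        if rule.get(field) is not None and rule[field] not in allowed:
            raise ValueError(f"{field}: must be one of {sorted(allowed)}")

def rule_commands(rule):
    """Return the fcli lines that create and populate the rule, ending with a commit."""
    validate_rule(rule)
    name = rule["name"]
    cmds = [f"sudo fcli set traffic_rule {name}"]
    for field in FIELD_ORDER:
        value = rule.get(field)
        if value is None or value == []:  # unset / empty list keeps the "any" default
            continue
        if isinstance(value, bool):
            value = "true" if value else "false"
        elif isinstance(value, list):  # ASSUMPTION: fcli takes multi-value fields comma separated
            value = ",".join(str(v) for v in value)
        cmds.append(f"sudo fcli set traffic_rule {name} {field} {shlex.quote(str(value))}")
    cmds.append("sudo fcli commit")
    return cmds
```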
To list all available traffic rules, you can use the following command:
sudo fcli show traffic_rule
If you configured everything correctly, you will be able to see byte and packet counters from fcli:
sudo fcli show single_host_counters 1.2.3.4
dns_in_bytes 0
dns_in_packets 0
dns_out_bytes 0
dns_out_packets 0
In addition to the command line, you can use the following pre-defined dashboards for InfluxDB:
- Flexible Traffic Counters for specific host: dashboard
- Flexible Traffic Counters for specific hostgroup: dashboard
To use these dashboards, you will need to enable the following metrics:
sudo fcli set main influxdb_push_host_ipv4_flexible_counters true
sudo fcli set main influxdb_push_host_ipv6_flexible_counters true
Please note that export of flexible metrics to Clickhouse is not supported yet. You can file a feature request for it.
To enable flexible thresholds for a specific hostgroup, you need to assign the traffic rule to that hostgroup as follows:
sudo fcli set hostgroup flex flexible_thresholds dns
After that, you need to set threshold values (please adjust the value to be relevant for your specific network) for the traffic rule with the same name:
sudo fcli set hostgroup flex flexible_thresholds dns active true
sudo fcli set hostgroup flex flexible_thresholds dns incoming_mbits_enable false
sudo fcli set hostgroup flex flexible_thresholds dns incoming_mbits_value 100000
sudo fcli set hostgroup flex flexible_thresholds dns incoming_packets_enable false
sudo fcli set hostgroup flex flexible_thresholds dns incoming_packets_value 100000
sudo fcli set hostgroup flex flexible_thresholds dns outgoing_mbits_enable false
sudo fcli set hostgroup flex flexible_thresholds dns outgoing_mbits_value 100000
sudo fcli set hostgroup flex flexible_thresholds dns outgoing_packets_enable false
sudo fcli set hostgroup flex flexible_thresholds dns outgoing_packets_value 100000
sudo fcli commit
Flexible thresholds work whether per_direction_hostgroup_thresholds is enabled or disabled, but you must explicitly set enable_ban_incoming or enable_ban_outgoing on a per-hostgroup basis for flexible thresholds to take effect for that hostgroup.
This can be done in the following way:
sudo fcli set hostgroup <hostgroup_name> enable_ban_incoming true
sudo fcli set hostgroup <hostgroup_name> enable_ban_outgoing true
sudo fcli commit
After FastNetMon detects an attack using any of these thresholds, it will trigger standard actions exactly as for static thresholds (email alert, BGP, Grafana notification). In the callback script, you will see additional information which explains which threshold was triggered.
For all attacks triggered via flexible thresholds, FastNetMon will add current values of all flexible counters for the affected host during the attack time to email reports:
Incoming tcp_ack traffic: 27 mbps
Outgoing tcp_ack traffic: 0 mbps
Incoming tcp_ack pps: 2283 packets per second
Outgoing tcp_ack pps: 1087 packets per second