In addition to wide range of static thresholds FastNetMon offers capability to create completely custom thresholds using almost all fields available in L3 and L4 OSI model layers. Flexible dashboards can be used for both per_host and total hostgroups.

To enable this logic you will need to set following flag:

sudo fcli set main flexible_thresholds true

Then you will need to create up to 16 traffic rules using following fields:

  • name – name of traffic rule, will be used as prefix for all metrics related with the same rule, must be lowercase: latin letters, digits or _ symbol.
  • active – flag which enables rule, when set to false FastNetMon will ignore it. Useful to temporarily deactivate rule without removing it
  • description – description, can be any
  • source_ports – allows positive integer from 0 to 65535, this field may be empty which means “any source port”. May have multiple ports (up to 10) and all ports will be evaluated using “OR” for packet matching
  • destination_ports – allows positive integers from 0 to 65535, this field may be empty which means “any destination port”. May have multiple ports (up to 10) and all ports will be evaluated using “OR” for packet matching
  • packet_lengths – allows positive integers from 0 to 65535 (we allow such large values to accomodate jumbo datagrams and long flows), this field may be empty which means “any length”. May have multiple lengths (up to 10) and all ports will be evaluated using “OR” for packet matching
  • protocols – may carry protocol name (lowercase, IANA compliant) or protocol number (0..255). This field may be empty which means “any protocol”. May have multiple protocols (up to 10) and all ports will be evaluated using “OR” for packet matching. I’ve attached a list of well known protocol names as we use them. Our idea was to allow using well known protocol names such as tcp, udp, gre but have an option to encode any protocol with a number.
  • fragmentation_flags – can be set dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment or can be empty. We do not recommend using this field as IPFIX / Netflow do not allow fragmentation encoding.
  • tcp_flags – can be empty or syn / ack / fin / urgent / push / rst. We do support only exact matches when a single flag is set, there is no support for multi matching (i.e. syn + ack).

Create new traffic rule:

sudo fcli set traffic_rule new_rule

You may find example configuration below:

sudo fcli set traffic_rule dns protocols udp
sudo fcli set traffic_rule dns active true
sudo fcli set traffic_rule dns source_ports 53
sudo fcli commit

If you configured everything correctly you will be able to see byte and packet counters from fcli:

sudo fcli show single_host_counters 1.2.3.4
dns_in_bytes             0
dns_in_packets           0
dns_out_bytes            0
dns_out_packets          0

In addition to command line you can use following pre-defined dashboards for InfluxDB:

  • Flexible Traffic Counters for specific host: dashboard
  • Flexible Traffic Counters for specific hostgroup: dashboard

To enable flexible thresholds for specific hostgroup you need to assign it to specific hostgroup this way:

sudo fcli set hostgroup flex flexible_thresholds dns

After that, you need to set threshold values (please adjust value to be relevant for your specific network) for traffic rule with same name:

sudo fcli set hostgroup flex flexible_thresholds dns active true

sudo fcli set hostgroup flex flexible_thresholds dns incoming_mbits_enable false
sudo fcli set hostgroup flex flexible_thresholds dns incoming_mbits_value 100000

sudo fcli set hostgroup flex flexible_thresholds dns incoming_packets_enable false
sudo fcli set hostgroup flex flexible_thresholds dns incoming_packets_value 100000

sudo fcli set hostgroup flex flexible_thresholds dns outgoing_mbits_enable false
sudo fcli set hostgroup flex flexible_thresholds dns outgoing_mbits_value 100000

sudo fcli set hostgroup flex flexible_thresholds dns outgoing_packets_enable false
sudo fcli set hostgroup flex flexible_thresholds dns outgoing_packets_value 100000

sudo fcli commit

Flexible thresholds may work with both per_direction_hostgroup_thresholds enabled or disabled but you must explicitly set enable_ban_incoming or enable_ban_outgoing on hostgroups basis to enable flexible thresholds for them.

It can be done that way:

sudo fcli set hostgroup <hostgroup_name> enable_ban_incoming true
sudo fcli set hostgroup <hostgroup_name> enable_ban_outgoing true
sudo fcli commit

After FastNetMon detects an attack using any of these thresholds it will trigger standard actions exactly as for static thresholds (email alert, BGP, Grafana notification). In callback script you will see addition information which explains which threshold was triggered.

24/7 Tech Support

support@fastnetmon.com

Email Us

sales@fastnetmon.com