In addition to a wide range of static thresholds, FastNetMon lets you create completely custom thresholds using almost all fields available at the L3 and L4 layers of the OSI model. Flexible dashboards can be used for both per_host and total hostgroups.

To enable this logic, set the following flag:

sudo fcli set main flexible_thresholds true

Then create up to 16 traffic rules using the following fields:

  • name – name of the traffic rule, used as the prefix for all metrics related to that rule. Must be lowercase: latin letters, digits or the _ symbol.
  • active – flag which enables the rule. When set to false, FastNetMon ignores the rule. Useful for temporarily deactivating a rule without removing it.
  • description – free-form description, can be any text.
  • source_ports – allows positive integers from 0 to 65535. This field may be empty, which means “any source port”. May have multiple ports (up to 10); all ports are evaluated using “OR” for packet matching.
  • destination_ports – allows positive integers from 0 to 65535. This field may be empty, which means “any destination port”. May have multiple ports (up to 10); all ports are evaluated using “OR” for packet matching.
  • packet_lengths – allows positive integers from 0 to 65535 (we allow such large values to accommodate jumbo datagrams and long flows). This field may be empty, which means “any length”. May have multiple lengths (up to 10); all lengths are evaluated using “OR” for packet matching.
  • protocols – may carry a protocol name (lowercase, IANA compliant) or a protocol number (0..255). This field may be empty, which means “any protocol”. May have multiple protocols (up to 10); all protocols are evaluated using “OR” for packet matching. I’ve attached a list of well known protocol names as we use them. Our idea was to allow using well known protocol names such as tcp, udp, gre but have an option to encode any protocol with a number.
  • fragmentation_flags – can be set to dont-fragment, is-fragment, first-fragment, last-fragment or not-a-fragment, or can be empty. We do not recommend using this field as IPFIX / Netflow do not allow fragmentation encoding.
  • tcp_flags – can be empty or one of syn / ack / fin / urgent / push / rst. We support only exact matches when a single flag is set; there is no support for multi matching (i.e. syn + ack).

Create a new traffic rule:

sudo fcli set traffic_rule new_rule

An example configuration is shown below:

sudo fcli set traffic_rule dns protocols udp
sudo fcli set traffic_rule dns active true
sudo fcli set traffic_rule dns source_ports 53
sudo fcli commit
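
The field limits listed above and the dns rule from this example, expressed as a pre-flight check and a packet matcher (an added example, not FastNetMon's own code). The AND across different fields, the four-entry protocol table and the packet dictionaries are assumptions made for illustration; tcp_flags and fragmentation_flags are validated but not matched.

```python
import re

MAX_VALUES = 10  # per-field value limit from the field list above
# Constructed subset of IANA protocol names (assumption, not FastNetMon's own table).
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}
TCP_FLAGS = {"syn", "ack", "fin", "urgent", "push", "rst"}
FRAG_FLAGS = {"dont-fragment", "is-fragment", "first-fragment",
              "last-fragment", "not-a-fragment"}
INT_FIELDS = ("source_ports", "destination_ports", "packet_lengths")

def validate_rule(rule):
    """Return a list of problems; an empty list means the rule fits the documented limits."""
    errors = []
    if not re.fullmatch(r"[a-z0-9_]+", rule.get("name", "")):
        errors.append("name: lowercase latin letters, digits or _ only")
    for field in INT_FIELDS + ("protocols",):
        if len(rule.get(field, [])) > MAX_VALUES:
            errors.append(f"{field}: more than {MAX_VALUES} values")
    for field in INT_FIELDS:
        if any(type(v) is not int or not 0 <= v <= 65535 for v in rule.get(field, [])):
            errors.append(f"{field}: values must be integers 0..65535")
    for p in rule.get("protocols", []):
        known = p in PROTO_NUMBERS if isinstance(p, str) else type(p) is int and 0 <= p <= 255
        if not known:
            errors.append(f"protocols: {p!r} is not a known name or 0..255")
    for field, allowed in (("tcp_flags", TCP_FLAGS), ("fragmentation_flags", FRAG_FLAGS)):
        value = rule.get(field)
        if value is not None and (not isinstance(value, str) or value not in allowed):
            errors.append(f"{field}: must be empty or one of {sorted(allowed)}")
    return errors

def matches(rule, packet):
    """Empty field = any; values in a field are ORed; fields are ANDed (assumption)."""
    protocols = {PROTO_NUMBERS.get(p, p) for p in rule.get("protocols", [])}
    checks = [(protocols, packet["protocol"]),
              (rule.get("source_ports", []), packet.get("src_port")),
              (rule.get("destination_ports", []), packet.get("dst_port")),
              (rule.get("packet_lengths", []), packet["length"])]
    return all(not allowed or value in allowed for allowed, value in checks)

# Constructed sample data: the dns rule from this page and two synthetic packets.
DNS_RULE = {"name": "dns", "protocols": ["udp"], "source_ports": [53]}
DNS_REPLY = {"protocol": 17, "src_port": 53, "dst_port": 40000, "length": 512}
DNS_QUERY = {"protocol": 17, "src_port": 40000, "dst_port": 53, "length": 70}

if __name__ == "__main__":
    print(validate_rule(DNS_RULE), matches(DNS_RULE, DNS_REPLY), matches(DNS_RULE, DNS_QUERY))
```

Because the rule filters on source port 53 only, it counts DNS replies and not queries, which is the direction that matters when watching for reflected DNS traffic arriving at a host.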

To list all available traffic rules, use the following command:

sudo fcli show traffic_rule

If everything is configured correctly, you will be able to see byte and packet counters from fcli:

sudo fcli show single_host_counters 1.2.3.4
dns_in_bytes             0
dns_in_packets           0
dns_out_bytes            0
dns_out_packets          0

In addition to the command line, you can use the following pre-defined dashboards for InfluxDB:

  • Flexible Traffic Counters for specific host: dashboard
  • Flexible Traffic Counters for specific hostgroup: dashboard

To use these dashboards, enable the following metrics:

sudo fcli set main influxdb_push_host_ipv4_flexible_counters true
sudo fcli set main influxdb_push_host_ipv6_flexible_counters true

Please note that export of flexible metrics to Clickhouse is not supported yet. You can file a feature request for it.

To enable flexible thresholds for a specific hostgroup, assign the traffic rule to that hostgroup this way:

sudo fcli set hostgroup flex flexible_thresholds dns

After that, set threshold values (please adjust the values to be relevant for your specific network) for the traffic rule with the same name:

sudo fcli set hostgroup flex flexible_thresholds dns active true

sudo fcli set hostgroup flex flexible_thresholds dns incoming_mbits_enable false
sudo fcli set hostgroup flex flexible_thresholds dns incoming_mbits_value 100000

sudo fcli set hostgroup flex flexible_thresholds dns incoming_packets_enable false
sudo fcli set hostgroup flex flexible_thresholds dns incoming_packets_value 100000

sudo fcli set hostgroup flex flexible_thresholds dns outgoing_mbits_enable false
sudo fcli set hostgroup flex flexible_thresholds dns outgoing_mbits_value 100000

sudo fcli set hostgroup flex flexible_thresholds dns outgoing_packets_enable false
sudo fcli set hostgroup flex flexible_thresholds dns outgoing_packets_value 100000

sudo fcli commit

Flexible thresholds work with per_direction_hostgroup_thresholds either enabled or disabled, but you must explicitly set enable_ban_incoming or enable_ban_outgoing on a per-hostgroup basis to enable flexible thresholds for those hostgroups.

This can be done as follows:

sudo fcli set hostgroup <hostgroup_name> enable_ban_incoming true
sudo fcli set hostgroup <hostgroup_name> enable_ban_outgoing true
sudo fcli commit

After FastNetMon detects an attack using any of these thresholds, it triggers the standard actions exactly as for static thresholds (email alert, BGP, Grafana notification). In the callback script you will see additional information which explains which threshold was triggered.

For all attacks triggered via flexible thresholds, FastNetMon adds the current values of all flexible counters for the affected host at the time of the attack to email reports:

Incoming tcp_ack traffic: 27 mbps
Outgoing tcp_ack traffic: 0 mbps
Incoming tcp_ack pps: 2283 packets per second
Outgoing tcp_ack pps: 1087 packets per second
