09.12.2017

FastNetMon Advanced configuration options

Introduction

This document gives a detailed description of all available configuration options in every configuration namespace.

configuration_options

afpacket

Name Type Default value Description
mirror_afpacket bool false Enable capture from mirror port using AF_PACKET capture engine.

api

Name Type Default value Description
enable_api bool true Enable internal FastNetMon API. It’s mandatory for fcli and public web API
api_host numeric_ipv4_host “127.0.0.1” Internal API host for listening
api_port numeric_ipv4_port 50052 Internal API port for listening
api_host_counters_max_hosts_in_response positive_integer_without_zero 100 Max number of hosts in show host_counters output

ban_management

Name Type Default value Description
enable_ban bool false Completely enable or disable all ban actions
ban_time positive_integer_without_zero 1900 Ban time in seconds
unban_enabled bool true We will try to unban blocked IPs after this time expires
unban_only_if_attack_finished bool true With this option, check whether the attack is still active before triggering an unblock callback. If the attack is still active, the check is repeated on each run of the unblock watchdog
flow_spec_ban_time positive_integer_without_zero 1900 Flow spec rule lifetime in seconds
flow_spec_unban_enabled bool true We will try to withdraw flow spec rule when blocking time expires
ban_details_records_count positive_integer_without_zero 500 How many packets will be collected from attack’s traffic? Please decrease this value if you are using sampled capture
collect_attack_pcap_dumps bool false This option enables pcap collection for attack’s traffic dump. Works only for mirror and sFlow modes
collect_simple_attack_dumps bool false Collect simple attack dumps which include information from attack’s sample. Works for all capture engines

bgp

Name Type Default value Description
gobgp bool true Enable BGP daemon integration
gobgp_next_hop numeric_ipv4_host “0.0.0.0” Next hop value for BGP unicast IPv4 announces
gobgp_announce_host bool true Announce /32 host itself with BGP
gobgp_announce_whole_subnet bool false Announce origin subnet of IP address
gobgp_community_host string “65001:668” BGP community for outgoing host announces
gobgp_community_subnet string “65001:667” BGP community for outgoing subnet announces
gobgp_flow_spec_announces bool false Announce flow spec rules when we can detect a specific attack type
gobgp_flow_spec_default_action string “discard” Default action for flow spec rules. You can specify discard or rate-limit here
gobgp_flow_spec_rate_limit_value positive_integer_without_zero 1024 Rate used for the rate-limit action
flow_spec_tcp_options_use_match_bit bool false Enables force match bit in outgoing BGP Flow Spec announces about TCP flags
flow_spec_fragmentation_options_use_match_bit bool false Enables force match bit in outgoing BGP Flow Spec announces about fragmentation
flow_spec_do_not_process_length_field bool false Disables processing for length field completely. Use it if your device produces incorrect information about packet’s length
flow_spec_execute_validation bool true With this option we check that source and destination addresses in flow spec rules specified from fcli or the web API belong to our ranges

clickhouse_metrics

Name Type Default value Description
clickhouse_metrics bool false Export traffic speed metrics to ClickHouse
clickhouse_metrics_database string “fastnetmon” Database for ClickHouse traffic metrics
clickhouse_metrics_username string “default” Username for ClickHouse metrics
clickhouse_metrics_password string “” Password for ClickHouse metrics
clickhouse_metrics_host numeric_ipv4_host “127.0.0.1” Server address for ClickHouse metric
clickhouse_metrics_port numeric_ipv4_port 9000 ClickHouse server port
clickhouse_metrics_push_period positive_integer_without_zero 1 Delay between runs of the ClickHouse push thread

email_notification

Name Type Default value Description
email_notifications_enabled bool false Enable email notifications
email_notifications_host string “smtp.gmail.com” Hostname of SMTP server
email_notifications_port numeric_ipv4_port 587 Port of SMTP server used for email notifications
email_notifications_auth bool true Enable auth for your SMTP server
email_notifications_tls bool true Enable TLS for your SMTP server
email_notifications_username string [email protected] Username for SMTP authorization
email_notifications_password string “super-secret-password” Password for SMTP authorization
email_notifications_from string [email protected] Email address for FROM field
email_notifications_recipients string_list [ ] Email notification recipients
email_notifications_hide_flow_spec_rules bool false Hide flow spec rules from email
email_notifications_add_simple_packet_dump bool false Add simple packet dump to email

graphite

Name Type Default value Description
graphite_prefix string “fastnetmon” Default prefix for Graphite metrics
graphite bool false Enable metrics export to Graphite
graphite_host numeric_ipv4_host “127.0.0.1” Graphite server address
graphite_port numeric_ipv4_port 2003 Graphite server port
graphite_push_period positive_integer_without_zero 1 Delay between runs of the Graphite push thread

influxdb

Name Type Default value Description
influxdb bool false Enable traffic metrics export to InfluxDB
influxdb_skip_host_counters bool false Skip export for host counters to reduce load on InfluxDB server
influxdb_per_protocol_counters bool false Enables export for per protocol counters to InfluxDB
influxdb_database string “fastnetmon” Database for InfluxDB data
influxdb_host numeric_ipv4_host “127.0.0.1” InfluxDB server address
influxdb_port numeric_ipv4_port 8086 InfluxDB server port
influxdb_push_period positive_integer_without_zero 1 Delay between runs of the InfluxDB push thread

logging

Name Type Default value Description
logging_local_syslog_logging bool false Enable logging to local syslog server
logging_remote_syslog_logging bool false Enable remote syslog logging
logging_remote_syslog_server numeric_ipv4_host “10.10.10.10” Remote syslog server IPv4 address
logging_remote_syslog_port numeric_ipv4_port 514 Remote syslog server port

netflow

Name Type Default value Description
netflow bool false Enable Netflow capture. We support Netflow v5, v9 and IPFIX (10)
netflow_ports numeric_ipv4_port_list [ 2055 ] Netflow collector ports
netflow_host string “0.0.0.0” Netflow collector host. To bind to all interfaces for all protocols: not possible yet. To bind to all interfaces for a specific protocol: :: or 0.0.0.0. To bind to localhost for a specific protocol: ::1 or 127.0.0.1.
netflow_sampling_ratio positive_integer_without_zero 1 NetFlow 9 or IPFIX sampling rate used at agent side
netflow_custom_sampling_ratio_enable bool false Enable or disable custom sampling ratio for Netflow v9 and IPFIX. In some cases, we can detect the sampling rate automatically
netflow_templates_cache bool true Cache Netflow v9 or IPFIX data templates on disk

netmap

Name Type Default value Description
mirror_netmap bool false Enable netmap traffic capture (need custom drivers and kernel module)
netmap_sampling_ratio positive_integer_without_zero 1 Netmap port mirroring sampling ratio
netmap_read_packet_length_from_ip_header bool false Use this option if your device sends only first X bytes of data in mirror mode

network_management

Name Type Default value Description
monitor_local_ip_addresses bool false Add local IP addresses and aliases to networks_list

notify_script

Name Type Default value Description
notify_script_enabled bool false Enable notify script. FastNetMon will invoke it when an attack is detected
notify_script_path file “/etc/fastnetmon/scripts/notify_about_attack.sh” Path to notify script
notify_script_pass_details bool true With this option, we will pass additional attack details to the stdin of notify script. Works only when format is text
notify_script_format string “text” Specifies format used for notify script: text or JSON

redis

Name Type Default value Description
redis_port numeric_ipv4_port 6379 Redis server port
redis_host numeric_ipv4_host “127.0.0.1” Redis server host
redis_prefix string “fastnetmon” Prefix for all Redis keys
redis_enabled bool false Enables attack’s export to Redis

sflow

Name Type Default value Description
sflow bool false Enables sFlow capture engine. We support only sFlow v5
sflow_ports numeric_ipv4_port_list [ 6343 ] Ports list for sFlow collector
sflow_host numeric_ipv4_host “0.0.0.0” sFlow collector default host
sflow_track_sampling_rate bool false Enables tracking for sFlow sampling rate for all exporting entities (devices, line cards)
sflow_use_new_generation_parser bool false Enable new improved packet parser (experimental)

system

Name Type Default value Description
pid_path file “/var/run/fastnetmon.pid” Path to pid file used to check whether another copy of the tool is already running; useful when you run multiple instances of the tool
interfaces string_list [ ] Interfaces list for traffic capture
networks_list cidr_networks_list [ ] Please specify all IPv4 and IPv6 networks which belong to you
aggregate_networks_list bool false Execute safe aggregation and remove nested networks from networks_list
networks_whitelist cidr_networks_list [ ] All ban actions will be disabled for your hosts in these networks. Use with care!
networks_whitelist_remote cidr_networks_list [ ] We will skip traffic to/from these remote networks completely from processing
cache_path file “/var/cache/fastnetmon” Path to folder used for tool cache
system_user string “fastnetmon” Run FastNetMon daemon from particular system user
system_group string “fastnetmon” Run FastNetMon daemon from particular system group
drop_root_permissions bool false Try to run from non-root user. Not supported for mirror capture
asn_lookup bool false Enable ASN mapping database to execute ASN lookup for IP addresses. You can use it to look up the ASN for a particular IP

tera_flow

Name Type Default value Description
tera_flow bool false Receive information in Tera Flow format from the network
tera_flow_ports numeric_ipv4_port_list [ 4200 ] Tera Flow collector ports
tera_flow_host string “0.0.0.0” Tera Flow collector host. To bind to all interfaces for all protocols: not possible yet. To bind to all interfaces for a specific protocol: :: or 0.0.0.0. To bind to localhost for a specific protocol: ::1 or 127.0.0.1.

traffic_calculation_management

Name Type Default value Description
enable_connection_tracking bool false Enable traffic state tracking. If you are interested in flow per second rates, please enable it
dump_other_traffic bool false Dump all traffic which belongs to other class to log. Only for debugging reasons. It significantly degrades performance
dump_all_traffic bool false Dump all traffic to log. Only for debugging reasons. It significantly degrades performance
average_calculation_time positive_integer_without_zero 5 We use average values for traffic speed to a certain IP and calculate the average over this time slice
average_calculation_time_for_subnets positive_integer_without_zero 5 We use average values for traffic speed for a subnet and calculate the average over this time slice
enable_subnet_counters bool true Enable traffic counters for all networks in networks_list
process_ipv6_traffic bool false Enable processing for IPv6 traffic (experimental)
process_incoming_traffic bool true Enables processing for incoming traffic
process_outgoing_traffic bool true Enables processing for outgoing traffic

traffic_db

Name Type Default value Description
traffic_db bool false Enable traffic export to persistent traffic database
traffic_db_sampling_rate positive_integer_without_zero 512 Sampling rate for mirrored traffic for traffic_db export
traffic_db_host numeric_ipv4_host “127.0.0.1” Traffic DB server address
traffic_db_port numeric_ipv4_port 8100 Traffic DB server port

web_api

Name Type Default value Description
web_api_host numeric_ipv4_host “127.0.0.1” Web API host for listening
web_api_port numeric_ipv4_port 10007 Web API port for listening
web_api_login string “admin” Login for web API
web_api_password string “” Password for web API

web_callback

Name Type Default value Description
web_callback_enabled bool false Enable webhook call when an attack is detected
web_callback_url string “http://127.0.0.1:8080/attack/notify” URL address to call when attack comes
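The type names in the tables above (bool, numeric_ipv4_host, numeric_ipv4_port, numeric_ipv4_port_list, positive_integer_without_zero, string, string_list, cidr_networks_list, file) are the whole contract a value has to satisfy. The checker below is an added example, not FastNetMon's own code or its parser: it encodes one reading of those types, covers a schema subset of the options listed above, and runs over a constructed configuration containing several deliberate mistakes. The rules for `file` (absolute path only) and for `cidr_networks_list` (host bits must be zero) are this example's assumptions.

```python
"""Type checker for FastNetMon Advanced option values (added example, not FastNetMon code)."""
import ipaddress
from typing import Any, Callable, Dict, List


def _is_int(v: Any) -> bool:
    # bool is a subclass of int in Python; true/false must not pass as a number
    return isinstance(v, int) and not isinstance(v, bool)


def check_bool(v: Any) -> bool:
    return isinstance(v, bool)


def check_numeric_ipv4_host(v: Any) -> bool:
    # Numeric IPv4 address only; hostnames are never resolved here
    if not isinstance(v, str):
        return False
    try:
        ipaddress.IPv4Address(v)
        return True
    except ValueError:
        return False


def check_numeric_ipv4_port(v: Any) -> bool:
    return _is_int(v) and 1 <= v <= 65535


def check_positive_integer_without_zero(v: Any) -> bool:
    return _is_int(v) and v >= 1


def check_string(v: Any) -> bool:
    return isinstance(v, str)


def check_string_list(v: Any) -> bool:
    return isinstance(v, list) and all(isinstance(x, str) for x in v)


def check_numeric_ipv4_port_list(v: Any) -> bool:
    return isinstance(v, list) and len(v) > 0 and all(check_numeric_ipv4_port(x) for x in v)


def check_cidr_networks_list(v: Any) -> bool:
    if not isinstance(v, list):
        return False
    for net in v:
        try:
            # strict=True rejects "192.0.2.1/24" (host bits set): assumed here to be a
            # typo, since a wrong prefix in networks_list changes what gets monitored
            ipaddress.ip_network(net, strict=True)
        except ValueError:
            return False
    return True


def check_file(v: Any) -> bool:
    # Assumption: only the shape is checked (absolute path); existence is deployment-specific
    return isinstance(v, str) and v.startswith("/")


CHECKERS: Dict[str, Callable[[Any], bool]] = {
    "bool": check_bool,
    "numeric_ipv4_host": check_numeric_ipv4_host,
    "numeric_ipv4_port": check_numeric_ipv4_port,
    "numeric_ipv4_port_list": check_numeric_ipv4_port_list,
    "positive_integer_without_zero": check_positive_integer_without_zero,
    "string": check_string,
    "string_list": check_string_list,
    "cidr_networks_list": check_cidr_networks_list,
    "file": check_file,
}

# Subset of the option tables above: option name -> declared type
SCHEMA: Dict[str, str] = {
    "enable_api": "bool",
    "api_host": "numeric_ipv4_host",
    "api_port": "numeric_ipv4_port",
    "ban_time": "positive_integer_without_zero",
    "netflow_ports": "numeric_ipv4_port_list",
    "netflow_host": "string",
    "networks_list": "cidr_networks_list",
    "interfaces": "string_list",
    "pid_path": "file",
    "gobgp_community_host": "string",
}


def validate(config: Dict[str, Any]) -> List[str]:
    """Return one message per bad value; an empty list means the config passes."""
    errors: List[str] = []
    for name, value in config.items():
        declared = SCHEMA.get(name)
        if declared is None:
            errors.append(f"{name}: unknown option")
            continue
        if not CHECKERS[declared](value):
            errors.append(f"{name}: {value!r} is not a valid {declared}")
    return errors


# Constructed sample with four mistakes of the kind that are easy to make by hand
SAMPLE_CONFIG: Dict[str, Any] = {
    "enable_api": True,
    "api_host": "127.0.0.1",
    "api_port": 50052,
    "ban_time": 0,                                      # zero is not allowed
    "netflow_ports": [2055, 70000],                     # 70000 is not a port
    "networks_list": ["10.0.0.0/24", "192.0.2.1/24"],   # host bits set in the second entry
    "interfaces": ["eth0"],
    "pid_path": "/var/run/fastnetmon.pid",
    "unknown_knob": 1,                                  # not an option at all
}

if __name__ == "__main__":
    for line in validate(SAMPLE_CONFIG):
        print(line)
```

Extending `SCHEMA` to the full option list is mechanical; the value of running such a check before committing a configuration is that a mistyped prefix or a zero `ban_time` is caught as a type error rather than discovered as missing detections later.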

hostgroups_configuration

Name Type Default value Description
name string “global” Name of host group
description string “This is default group for all hosts” Human-friendly name for this group
networks cidr_networks_list [ ] List of networks which belong to this group
enable_ban bool false Enable ban actions for hosts in this group
ban_for_pps bool false Should we block host in this group if it exceeds packet per second threshold?
ban_for_bandwidth bool false Should we block host in this group if it exceeds bandwidth threshold?
ban_for_flows bool false Should we block host in this group if it exceeds flows threshold?
threshold_pps positive_integer_without_zero 20000 Packet per second traffic to/from this host should exceed this value
threshold_mbps positive_integer_without_zero 1000 Bandwidth to/from this host should exceed this value
threshold_flows positive_integer_without_zero 3500 Flow per second speed to/from this host should exceed this value
ban_for_tcp_bandwidth bool false Block hosts in group for TCP bandwidth threshold?
ban_for_udp_bandwidth bool false Block hosts in group for UDP bandwidth threshold?
ban_for_icmp_bandwidth bool false Block hosts in group for ICMP bandwidth threshold?
ban_for_tcp_pps bool false Should we block host in this group if it exceeds packet per second threshold for TCP?
ban_for_udp_pps bool false Should we block host in this group if it exceeds packet per second threshold for UDP?
ban_for_icmp_pps bool false Should we block host in this group if it exceeds packet per second threshold for ICMP?
threshold_tcp_mbps positive_integer_without_zero 1000 TCP bandwidth to/from this host should exceed this value
threshold_udp_mbps positive_integer_without_zero 1000 UDP bandwidth to/from this host should exceed this value
threshold_icmp_mbps positive_integer_without_zero 1000 ICMP bandwidth to/from this host should exceed this value
threshold_tcp_pps positive_integer_without_zero 100000 TCP packet per second traffic to/from this host should exceed this value
threshold_udp_pps positive_integer_without_zero 100000 UDP packet per second traffic to/from this host should exceed this value
threshold_icmp_pps positive_integer_without_zero 100000 ICMP packet per second traffic to/from this host should exceed this value
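Each `ban_for_*` flag in the table arms exactly one `threshold_*` value, and a threshold that is configured but not armed is never consulted. The code below is an added example, not FastNetMon's own detection logic: it starts from the documented hostgroup defaults, reads "should exceed" as strictly greater than the threshold, and gates the decision on both `ban_management.enable_ban` and the group's own `enable_ban`. The observed rates are constructed, and the `HostRates` shape (one number per direction-collapsed counter) is this example's assumption.

```python
"""Hostgroup threshold evaluation following the table above (added example, not FastNetMon code)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Defaults exactly as listed for hostgroups_configuration
HOSTGROUP_DEFAULTS: Dict[str, Any] = {
    "name": "global",
    "enable_ban": False,
    "ban_for_pps": False, "ban_for_bandwidth": False, "ban_for_flows": False,
    "threshold_pps": 20000, "threshold_mbps": 1000, "threshold_flows": 3500,
    "ban_for_tcp_bandwidth": False, "ban_for_udp_bandwidth": False, "ban_for_icmp_bandwidth": False,
    "ban_for_tcp_pps": False, "ban_for_udp_pps": False, "ban_for_icmp_pps": False,
    "threshold_tcp_mbps": 1000, "threshold_udp_mbps": 1000, "threshold_icmp_mbps": 1000,
    "threshold_tcp_pps": 100000, "threshold_udp_pps": 100000, "threshold_icmp_pps": 100000,
}

# (arming flag, threshold option, rate field): each flag guards exactly one threshold
CHECKS: List[Tuple[str, str, str]] = [
    ("ban_for_pps", "threshold_pps", "pps"),
    ("ban_for_bandwidth", "threshold_mbps", "mbps"),
    ("ban_for_flows", "threshold_flows", "flows"),
    ("ban_for_tcp_bandwidth", "threshold_tcp_mbps", "tcp_mbps"),
    ("ban_for_udp_bandwidth", "threshold_udp_mbps", "udp_mbps"),
    ("ban_for_icmp_bandwidth", "threshold_icmp_mbps", "icmp_mbps"),
    ("ban_for_tcp_pps", "threshold_tcp_pps", "tcp_pps"),
    ("ban_for_udp_pps", "threshold_udp_pps", "udp_pps"),
    ("ban_for_icmp_pps", "threshold_icmp_pps", "icmp_pps"),
]


@dataclass
class HostRates:
    """Per-second rates for one host over the averaging window.
    Assumption: the larger of the incoming and outgoing direction is already taken."""
    pps: int = 0
    mbps: int = 0
    flows: int = 0
    tcp_pps: int = 0
    udp_pps: int = 0
    icmp_pps: int = 0
    tcp_mbps: int = 0
    udp_mbps: int = 0
    icmp_mbps: int = 0


def make_hostgroup(**overrides: Any) -> Dict[str, Any]:
    """Start from the documented defaults and override selected options; reject unknown names."""
    group = dict(HOSTGROUP_DEFAULTS)
    unknown = set(overrides) - set(group)
    if unknown:
        raise KeyError(f"not hostgroup options: {sorted(unknown)}")
    group.update(overrides)
    return group


def exceeded_thresholds(group: Dict[str, Any], rates: HostRates) -> List[Tuple[str, int, int]]:
    """Return (flag, observed, threshold) for every armed check the host exceeds."""
    hits: List[Tuple[str, int, int]] = []
    for flag, threshold_name, field_name in CHECKS:
        if not group[flag]:
            continue  # threshold is configured but not armed: never consulted
        observed = getattr(rates, field_name)
        threshold = group[threshold_name]
        if observed > threshold:  # "should exceed": equal to the threshold is not a hit
            hits.append((flag, observed, threshold))
    return hits


def should_ban(global_enable_ban: bool, group: Dict[str, Any], rates: HostRates) -> bool:
    """ban_management.enable_ban gates everything, then the group's enable_ban,
    then at least one armed threshold has to be exceeded."""
    if not global_enable_ban or not group["enable_ban"]:
        return False
    return bool(exceeded_thresholds(group, rates))


# Constructed scenario: a host receiving a UDP flood, in a group that arms only
# the total pps and UDP pps checks, so the 300 Mbps bandwidth figure is never consulted
FLOOD_GROUP = make_hostgroup(name="customers", enable_ban=True,
                             ban_for_pps=True, ban_for_udp_pps=True)
FLOOD_RATES = HostRates(pps=250000, mbps=300, flows=1200, udp_pps=240000, udp_mbps=290)

if __name__ == "__main__":
    for flag, observed, threshold in exceeded_thresholds(FLOOD_GROUP, FLOOD_RATES):
        print(f"{flag}: {observed} > {threshold}")
    print("ban:", should_ban(True, FLOOD_GROUP, FLOOD_RATES))
```

The point worth checking in a real deployment is the second branch of `should_ban`: a hostgroup with carefully tuned thresholds but `enable_ban` left at its default of false will report the attack and never block, which is the intended behaviour while tuning and a silent gap afterwards.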

bgp_configuration

Name Type Default value Description
name string “connection_main_router” System name for this connection
description string “Connection to main Router at NOC” Human-friendly name for this connection
local_asn positive_integer_without_zero 123456 Local autonomous system number
local_address numeric_ipv4_host “10.11.22.33” Local address for BGP connection
remote_asn positive_integer_without_zero 9002 Remote autonomous system number
remote_address numeric_ipv4_host “10.11.22.1” Remote IP address of BGP peer
multihop bool true Enable BGP multihop option
md5_auth bool false Enable md5 auth for BGP session
md5_auth_password string “” md5 password for BGP session
ipv4_unicast bool true Enable IPv4 unicast for this peering connection
ipv6_unicast bool false Enable IPv6 unicast for this peering connection
ipv4_flowspec bool false Enable IPv4 Flow Spec / RFC 5575 for this peering connection
ipv6_flowspec bool false Enable IPv6 Flow Spec / RFC 5575 for this peering connection
active bool false You can enable or disable this peer with this option
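Several defaults in the tables above are convenient for a first install and weak for a production one: `web_api_password` defaults to empty, `md5_auth` is off for BGP peers, `drop_root_permissions` is off, `email_notifications_tls` can be switched off while `email_notifications_auth` stays on, and `flow_spec_execute_validation` can be disabled so that flow spec rules submitted through fcli or the web API are no longer checked against your own ranges. The audit below is an added example, not FastNetMon's own tooling: every finding maps to an option and its description above, the severities are this example's own judgement, and both the weak and the hardened configurations are constructed (the hardened password is a placeholder).

```python
"""Posture checks over a FastNetMon Advanced configuration (added example, not FastNetMon code)."""
import ipaddress
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, option, message)


def _is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_main(cfg: Dict[str, Any]) -> List[Finding]:
    """Checks over configuration_options; missing keys take the documented defaults."""
    f: List[Finding] = []
    if cfg.get("web_api_password", "") == "":
        f.append(("high", "web_api_password", "web API password is empty (the documented default)"))
    if not _is_loopback(cfg.get("web_api_host", "127.0.0.1")):
        f.append(("high", "web_api_host", "web API listens beyond loopback"))
    # The internal API is mandatory for fcli, and the tables document no credential for it
    if cfg.get("enable_api", True) and not _is_loopback(cfg.get("api_host", "127.0.0.1")):
        f.append(("high", "api_host", "internal API listens beyond loopback"))
    if (cfg.get("email_notifications_enabled", False)
            and cfg.get("email_notifications_auth", True)
            and not cfg.get("email_notifications_tls", True)):
        f.append(("medium", "email_notifications_tls", "SMTP credentials would be sent without TLS"))
    if not cfg.get("drop_root_permissions", False):
        f.append(("medium", "drop_root_permissions",
                  "daemon keeps root (documented as required for mirror capture)"))
    if not cfg.get("flow_spec_execute_validation", True):
        f.append(("medium", "flow_spec_execute_validation",
                  "flow spec rules from fcli/web API are not checked against own ranges"))
    whitelist = cfg.get("networks_whitelist", [])
    if whitelist:
        f.append(("info", "networks_whitelist", f"{len(whitelist)} network(s) can never be banned"))
    return f


def audit_bgp_peer(peer: Dict[str, Any]) -> List[Finding]:
    """Checks over one bgp_configuration entry; inactive peers are not a live exposure."""
    f: List[Finding] = []
    if not peer.get("active", False):
        return f
    name = peer.get("name", "unnamed")
    if not peer.get("md5_auth", False):
        f.append(("medium", f"{name}.md5_auth", "BGP session without MD5 authentication"))
    elif peer.get("md5_auth_password", "") == "":
        f.append(("high", f"{name}.md5_auth_password", "md5_auth enabled but password is empty"))
    return f


def audit(cfg: Dict[str, Any], peers: List[Dict[str, Any]]) -> List[Finding]:
    findings = audit_main(cfg)
    for peer in peers:
        findings.extend(audit_bgp_peer(peer))
    return findings


# Constructed weak configuration: mostly the documented defaults plus a few risky changes
WEAK_CONFIG: Dict[str, Any] = {
    "web_api_host": "0.0.0.0", "web_api_password": "",
    "api_host": "127.0.0.1",
    "email_notifications_enabled": True, "email_notifications_auth": True,
    "email_notifications_tls": False,
    "drop_root_permissions": False,
    "flow_spec_execute_validation": False,
    "networks_whitelist": ["203.0.113.0/24"],
}
WEAK_PEERS = [
    {"name": "connection_main_router", "active": True, "md5_auth": False},
    {"name": "backup", "active": False, "md5_auth": False},  # inactive: not reported
]

# Constructed hardened counterpart of the same deployment
HARDENED_CONFIG: Dict[str, Any] = {
    "web_api_host": "127.0.0.1", "web_api_password": "PLACEHOLDER-set-a-real-password",
    "api_host": "127.0.0.1",
    "email_notifications_enabled": True, "email_notifications_auth": True,
    "email_notifications_tls": True,
    "drop_root_permissions": True,
    "flow_spec_execute_validation": True,
    "networks_whitelist": [],
}
HARDENED_PEERS = [
    {"name": "connection_main_router", "active": True,
     "md5_auth": True, "md5_auth_password": "PLACEHOLDER-md5-secret"},
]

if __name__ == "__main__":
    for severity, option, message in audit(WEAK_CONFIG, WEAK_PEERS):
        print(f"[{severity}] {option}: {message}")
    print("hardened findings:", audit(HARDENED_CONFIG, HARDENED_PEERS))
```

Running `audit` with an empty dictionary shows what the documented defaults alone yield (an empty web API password and a root daemon); everything else in the weak list is an explicit change away from the defaults, which is the kind of drift such a check is meant to catch.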