### ### Main configuration params ### ### Logging configuration # Logging level, can be info or debug logging_level = info # enable this option if you want to send logs to local syslog facility logging_local_syslog_logging = off # enable this option if you want to send logs to a remote syslog server via UDP logging_remote_syslog_logging = off # specify a custom server and port for remote logging logging_remote_syslog_server = 10.10.10.10 logging_remote_syslog_port = 514 # To make FastNetMon better we need to know how you use it and what's your software and hardware platform. # To accomplish this FastNetMon sends usage information every 1 hour to our statistics server https://community-stats.fastnetmon.com # We keep high standards of data protection and you can find our privacy policy here: https://community-stats.fastnetmon.com # You can find information which is being sent at GitHub: https://github.com/pavel-odintsov/fastnetmon/search?q=send_usage_data_to_reporting_server # If you prefer to disable this capability you need to set following flag to on disable_usage_report = off # Enable/Disable any actions in case of attack enable_ban = on # Enable ban for IPv6 enable_ban_ipv6 = on # disable processing for certain direction of traffic process_incoming_traffic = on process_outgoing_traffic = on # dump all traffic to log file dump_all_traffic = off # dump other traffic to log, useful to detect missed prefixes dump_other_traffic = off # How many packets will be collected from attack traffic ban_details_records_count = 20 # How long (in seconds) we should keep an IP in blocked state # If you set 0 here it completely disables unban capability ban_time = 1900 # Check if the attack is still active, before triggering an unban callback with this option # If the attack is still active, check each run of the unban watchdog unban_only_if_attack_finished = on # list of all your networks in CIDR format networks_list_path = /etc/networks_list # list networks in CIDR format which will be not monitored for attacks white_list_path = /etc/networks_whitelist # redraw period for client's screen check_period = 1 # Connection tracking is very useful for attack detection because it provides huge amounts of information, # but it's very CPU intensive and not recommended in big networks enable_connection_tracking = on # Different approaches to attack detection ban_for_pps = on ban_for_bandwidth = on ban_for_flows = off # Limits for Dos/DDoS attacks threshold_pps = 20000 threshold_mbps = 1000 threshold_flows = 3500 # Per protocol attack thresholds # We do not implement per protocol flow limits due to flow calculation logic limitations # These limits should be smaller than global pps/mbps limits threshold_tcp_mbps = 100000 threshold_udp_mbps = 100000 threshold_icmp_mbps = 100000 threshold_tcp_pps = 100000 threshold_udp_pps = 100000 threshold_icmp_pps = 100000 ban_for_tcp_bandwidth = off ban_for_udp_bandwidth = off ban_for_icmp_bandwidth = off ban_for_tcp_pps = off ban_for_udp_pps = off ban_for_icmp_pps = off ### ### Traffic capture methods ### # # Default option for port mirror capture on Linux # AF_PACKET capture engine mirror_afpacket = off # High efficient XDP based traffic capture method # XDP will detach network interface from Linux network stack completely and you may lose connectivity if your route management traffic over same interface # You need to have separate network card for management interface mirror_afxdp = off # Activates poll based logic to check for new packets. Generally, it eliminates active polling and reduces CPU load poll_mode_xdp = off # Set interface into promisc mode automatically xdp_set_promisc = on # Explicitly enable zero copy mode, requires driver support zero_copy_xdp = off # Forces native XDP mode which requires support from network card force_native_mode_xdp = off # Switch to using IP length as packet length instead of data from capture engine. Must be enabled when traffic is cropped externally xdp_read_packet_length_from_ip_header = off # Path to XDP microcode programm for packet processing microcode_xdp_path = /etc/xdp_kernel.o # You can use this option to multiply all incoming traffc by this value # It may be useful for sampled mirror ports mirror_af_packet_custom_sampling_rate = 1 # AF_PACKET fanout mode mode, http://man7.org/linux/man-pages/man7/packet.7.html # Available modes: cpu, lb, hash, random, rollover, queue_mapping mirror_af_packet_fanout_mode = cpu # This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110; af_packet_read_packet_length_from_ip_header = off # Netmap traffic capture, only for FreeBSD mirror_netmap = off # Netmap based mirroring sampling ratio netmap_sampling_ratio = 1 # This option should be enabled if you are using Juniper with mirroring of the first X bytes of packet: maximum-packet-length 110; netmap_read_packet_length_from_ip_header = off # Pcap mode, very slow and not recommended for production use pcap = off # Netflow capture method with v5, v9 and IPFIX support netflow = off # sFLOW capture suitable for switches sflow = off # Configuration for Netmap, mirror, pcap, AF_XDP modes # For pcap we could specify "any" # For Netmap we could specify multiple interfaces separated by comma interfaces = eth3,eth4 # We use average values for traffic speed to certain IP and we calculate average over this time periond (seconds) average_calculation_time = 5 # Delay between traffic recalculation attempts speed_calculation_delay = 1 # Netflow configuration # it's possible to specify multiple ports here, using commas as delimiter netflow_port = 2055 # # Netflow collector host to listen on. # # To bind on all interfaces for IPv4 and IPv6 use :: # To bind only on IPv4 use 0.0.0.0 # # To bind on localhost for IPv4 and IPv6 use ::1 # To bind only on IPv4 use 127.0.0.1 # netflow_host = 0.0.0.0 # Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio # Here you could specify a sampling ratio for all this agents # For NetFlow v5 we extract sampling ratio from packets directely and this option not used netflow_sampling_ratio = 1 # sFlow configuration # It's possible to specify multiple ports here, using commas as delimiter sflow_port = 6343 # sflow_port = 6343,6344 sflow_host = 0.0.0.0 # Some vendors may lie about full packet length in sFlow packet. To avoid this issue we can switch to using IP packet length from parsed header sflow_read_packet_length_from_ip_header = off ### ### Actions when attack detected ### # This script executed for ban, unban and attack detail collection notify_script_path = /usr/local/bin/notify_about_attack.sh # collect a full dump of the attack with full payload in pcap compatible format collect_attack_pcap_dumps = off # Save attack details to Redis redis_enabled = off # Redis configuration redis_port = 6379 redis_host = 127.0.0.1 # specify a custom prefix here redis_prefix = mydc1 # We could store attack information to MongoDB mongodb_enabled = off mongodb_host = localhost mongodb_port = 27017 mongodb_database_name = fastnetmon # Announce blocked IPs with BGP protocol with ExaBGP exabgp = off exabgp_command_pipe = /var/run/exabgp.cmd exabgp_community = 65001:666 # specify multiple communities with this syntax: # exabgp_community = [65001:666 65001:777] # specify different communities for host and subnet announces # exabgp_community_subnet = 65001:667 # exabgp_community_host = 65001:668 exabgp_next_hop = 10.0.3.114 # In complex cases you could have both options enabled and announce host and subnet simultaneously # Announce /32 host itself with BGP exabgp_announce_host = on # Announce origin subnet of IP address instead IP itself exabgp_announce_whole_subnet = off # GoBGP integration gobgp = off # Configuration for IPv4 announces gobgp_next_hop = 0.0.0.0 gobgp_announce_host = on gobgp_announce_whole_subnet = off gobgp_community_host = 65001:666 gobgp_community_subnet = 65001:777 # Configuration for IPv6 announces gobgp_next_hop_ipv6 = 100::1 gobgp_announce_host_ipv6 = on gobgp_announce_whole_subnet_ipv6 = off gobgp_community_host_ipv6 = 65001:666 gobgp_community_subnet_ipv6 = 65001:777 # Before using InfluxDB you need to create database using influx tool: # create database fastnetmon # InfluxDB integration # More details can be found here: https://fastnetmon.com/docs/influxdb_integration/ influxdb = off influxdb_host = 127.0.0.1 influxdb_port = 8086 influxdb_database = fastnetmon # InfluxDB auth influxdb_auth = off influxdb_user = fastnetmon influxdb_password = secure # How often we export metrics to InfluxDB influxdb_push_period = 1 # Graphite monitoring graphite = off # Please use only IP because domain names are not allowed here graphite_host = 127.0.0.1 graphite_port = 2003 # Default namespace for Graphite data graphite_prefix = fastnetmon # How often we export metrics to Graphite graphite_push_period = 1 # Add local IP addresses and aliases to monitoring list # Works only for Linux monitor_local_ip_addresses = on # Add IP addresses for OpenVZ / Virtuozzo VEs to network monitoring list monitor_openvz_vps_ip_addresses = off # Create group of hosts with non-standard thresholds # You should create this group before (in configuration file) specifying any limits # hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32 # Configure this group my_hosts_enable_ban = off my_hosts_ban_for_pps = off my_hosts_ban_for_bandwidth = off my_hosts_ban_for_flows = off my_hosts_threshold_pps = 100000 my_hosts_threshold_mbps = 1000 my_hosts_threshold_flows = 3500 # Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool pid_path = /var/run/fastnetmon.pid # Path to file where we store IPv4 traffic information for fastnetmon_client cli_stats_file_path = /tmp/fastnetmon.dat # Path to file where we store IPv6 traffic information for fastnetmon_client cli_stats_ipv6_file_path = /tmp/fastnetmon_ipv6.dat # Enable gRPC API (required for fastnetmon_api_client tool) enable_api = on # Enables traffic export to Kafka kafka_traffic_export = off # Kafka traffic export topic name kafka_traffic_export_topic = fastnetmon # Kafka traffic export format: json or protobuf kafka_traffic_export_format = json # Kafka traffic export list of brokers separated by comma kafka_traffic_export_brokers = 10.154.0.1:9092,10.154.0.2:9092 # Prometheus monitoring endpoint prometheus = on # Prometheus port prometheus_port = 9209 # Prometheus host prometheus_host = 127.0.0.1 ### ### Client configuration ### # Field used for sorting in client, valid values are: packets, bytes or flows sort_parameter = packets # How much IPs will be listed for incoming and outgoing channel eaters max_ips_in_list = 7