Comments (12)

pavel-odintsov avatar pavel-odintsov commented on June 3, 2024

from fastnetmon.

przemeksw avatar przemeksw commented on June 3, 2024

I do not know if I understand correctly.
In version 1.2.0 I was getting a pcap dump when an attack was detected and sending it by e-mail.
At the moment, even after an attack is detected, this dump is missing, even in the form of a log file.
Do I understand correctly that you have discontinued this functionality?
If so - how can we currently analyze what the system has detected and whether it is true or false?

pavel-odintsov avatar pavel-odintsov commented on June 3, 2024

przemeksw avatar przemeksw commented on June 3, 2024

Ok I see.
I actually described it wrong.
In earlier versions, I was getting around 20 lines of packet flow and it was actually under $4=attack_details
example:
2022-12-30 22:24:14.030461 51.178.56.235:33792 > 46.45.109.198:0 protocol: udp frag: 1 packets: 1 size: 68 bytes ttl: 117 sample ratio: 1024
2022-12-30 22:24:14.030481 80.77.122.198:389 > 46.45.109.198:80 protocol: udp frag: 1 packets: 1 size: 1522 bytes ttl: 121 sample ratio: 1024

From what you write, I should get the above for $4=ban, but I don't get it. I only get basic information about the number of packets for a given type of tcp/udp/icmp traffic, and such information.

pavel-odintsov avatar pavel-odintsov commented on June 3, 2024

przemeksw avatar przemeksw commented on June 3, 2024

przemeksw avatar przemeksw commented on June 3, 2024

any ideas?

pavel-odintsov avatar pavel-odintsov commented on June 3, 2024

Yep, we just did not implement this logic. Please wait 20 minutes and install FastNetMon Community again using:

wget https://install.fastnetmon.com/installer -Oinstaller
sudo chmod +x installer
sudo ./installer -install_community_edition

After this fix (587fc70), the attack information passed to the callback script will be in this format:

FastNetMon Guard: IP 192.168.1.201 blocked because incoming attack with power 395 pps
IP: 192.168.1.201
Attack type: unknown
Initial attack power: 395 packets per second
Peak attack power: 395 packets per second
Attack direction: incoming
Attack protocol: tcp
Total incoming traffic: 34 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 395 packets per second
Total outgoing pps: 340 packets per second
Total incoming flows: 0 flows per second
Total outgoing flows: 0 flows per second
Incoming ip fragmented traffic: 0 mbps
Outgoing ip fragmented traffic: 0 mbps
Incoming ip fragmented pps: 0 packets per second
Outgoing ip fragmented pps: 0 packets per second
Incoming dropped traffic: 0 mbps
Outgoing dropped traffic: 0 mbps
Incoming dropped pps: 0 packets per second
Outgoing dropped pps: 0 packets per second
Incoming tcp traffic: 34 mbps
Outgoing tcp traffic: 0 mbps
Incoming tcp pps: 395 packets per second
Outgoing tcp pps: 340 packets per second
Incoming syn tcp traffic: 0 mbps
Outgoing syn tcp traffic: 0 mbps
Incoming syn tcp pps: 0 packets per second
Outgoing syn tcp pps: 0 packets per second
Incoming udp traffic: 0 mbps
Outgoing udp traffic: 0 mbps
Incoming udp pps: 0 packets per second
Outgoing udp pps: 0 packets per second
Incoming icmp traffic: 0 mbps
Outgoing icmp traffic: 0 mbps
Incoming icmp pps: 0 packets per second
Outgoing icmp pps: 0 packets per second

Attack traffic dump

2023-07-31 12:03:06.334902 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: ack frag: 0  packets: 1 size: 1466 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334920 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: ack frag: 0  packets: 1 size: 21066 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334925 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  
2023-07-31 12:03:06.334929 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: psh,ack frag: 0  packets: 1 size: 4266 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334934 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  
2023-07-31 12:03:06.334938 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: ack frag: 0  packets: 1 size: 9866 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334942 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  
2023-07-31 12:03:06.334946 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: ack frag: 0  packets: 1 size: 22466 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334950 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  
2023-07-31 12:03:06.334954 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: psh,ack frag: 0  packets: 1 size: 7066 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334958 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  
2023-07-31 12:03:06.334962 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: ack frag: 0  packets: 1 size: 14066 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334966 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  
2023-07-31 12:03:06.334970 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: psh,ack frag: 0  packets: 1 size: 11266 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334975 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  
2023-07-31 12:03:06.334979 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: ack frag: 0  packets: 1 size: 1466 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334983 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: ack frag: 0  packets: 1 size: 21066 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334987 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  
2023-07-31 12:03:06.334990 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: psh,ack frag: 0  packets: 1 size: 16866 bytes ttl: 249 sample ratio: 1  
2023-07-31 12:03:06.334995 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1  


Flow dump

Incoming

TCP flows: 1
192.168.1.201:41610 < 80.249.99.148:80 39387866 bytes 3101 packets


Outgoing

TCP flows: 1
192.168.1.201:41610 > 80.249.99.148:80 178596 bytes 2706 packets
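
Added example (not FastNetMon's code and not from this thread's participants): a small Python parser for the notification text in the format above, the way a callback script would read it from stdin, that turns the "Attack traffic dump" into per-source estimates and checks the dump against the header's "Attack protocol" line, which is one way to answer the earlier question of whether a detection looks genuine. The regex, field names and the abbreviated sample are assumptions built from the output shown above; "flags:" is treated as optional so the older 1.2.x lines (no flags field) parse too.

```python
import re
from collections import Counter

# One "Attack traffic dump" line; "flags:" only appears for TCP (and not at all in
# the 1.2.x format), so it is optional.  Assumed regex derived from the sample output.
PKT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+) "
    r"protocol: (?P<proto>\w+)(?: flags: (?P<flags>\S+))? frag: \d+\s+packets: (?P<packets>\d+) "
    r"size: (?P<size>\d+) bytes ttl: \d+ sample ratio: (?P<ratio>\d+)")

def parse_notification(text):
    """Return (header fields, packet dicts) from the text the callback script receives."""
    fields, packets, section = {}, [], "header"
    for line in map(str.strip, text.splitlines()):
        if line in ("Attack traffic dump", "Flow dump"):
            section = line                         # section headers switch the parser state
        elif section == "header" and ": " in line:
            key, _, value = line.partition(": ")   # e.g. "Attack protocol: tcp"
            fields[key] = value
        elif section == "Attack traffic dump" and (m := PKT_RE.match(line)):
            packets.append(m.groupdict())
    return fields, packets

def triage(fields, packets):
    """Per-source packet estimate towards the banned IP (scaled by sample ratio) plus a
    check that the dump's dominant protocol agrees with the header's 'Attack protocol'."""
    victim = fields.get("IP")
    by_src, by_proto = Counter(), Counter()
    for p in packets:
        if p["dst"] == victim:                     # incoming direction only
            est = int(p["packets"]) * int(p["ratio"])
            by_src[p["src"]] += est
            by_proto[p["proto"]] += est
    dominant = by_proto.most_common(1)[0][0] if by_proto else None
    return {"victim": victim, "top_sources": by_src.most_common(3),
            "dominant_protocol": dominant,
            "matches_header": dominant == fields.get("Attack protocol")}

# Constructed sample in the format shown above (header abbreviated, dump shortened).
SAMPLE = """\
IP: 192.168.1.201
Attack protocol: tcp

Attack traffic dump
2023-07-31 12:03:06.334902 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: ack frag: 0  packets: 1 size: 1466 bytes ttl: 249 sample ratio: 1
2023-07-31 12:03:06.334925 192.168.1.201:41610 > 80.249.99.148:80 protocol: tcp flags: ack frag: 0  packets: 1 size: 66 bytes ttl: 64 sample ratio: 1
2023-07-31 12:03:06.334929 80.249.99.148:80 > 192.168.1.201:41610 protocol: tcp flags: psh,ack frag: 0  packets: 1 size: 4266 bytes ttl: 249 sample ratio: 1
2023-07-31 12:03:06.334999 51.178.56.235:33792 > 192.168.1.201:0 protocol: udp frag: 1 packets: 1 size: 68 bytes ttl: 117 sample ratio: 1
Flow dump
"""
```

Calling `triage(*parse_notification(SAMPLE))` gives the top sources, the dominant protocol and whether it matches the header; a mismatch or a single dominant source is the kind of signal worth surfacing in the e-mail the script sends.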

przemeksw avatar przemeksw commented on June 3, 2024

Works great.
Thanks for the fast reaction!

pavel-odintsov avatar pavel-odintsov commented on June 3, 2024

przemeksw avatar przemeksw commented on June 3, 2024

No problem.
Please write more, because I have not found such information anywhere.
Does the fastnetmon community have any advanced attack detection or is it all based on pps and bandwidth overruns?

pavel-odintsov avatar pavel-odintsov commented on June 3, 2024

FastNetMon Advanced has multiple exclusive detection methods not available in the community edition, such as https://fastnetmon.com/docs-fnm-advanced/flexible-thresholds/ or https://fastnetmon.com/docs-fnm-advanced/per-hostgroup-thresholds/, but all of them are threshold based. To help with baselines, the Advanced edition has a baseline recommendation tool in place: https://fastnetmon.com/docs-fnm-advanced/automated-baseline-calculation-with-fastnetmon-advanced/
