pavel-odintsov / fastnetmon
FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support

Home Page: https://fastnetmon.com

License: GNU General Public License v2.0

Makefile 0.08% Shell 0.30% C++ 89.37% Perl 6.42% CMake 1.89% Python 0.75% Roff 0.08% Dockerfile 0.01% PHP 0.89% Cap'n Proto 0.04% Ruby 0.12% C 0.05%
fastnetmon ddos sflow netflow netmap ipfix pcap dos juniper cisco

fastnetmon's People

Contributors

adzhurinskij, amdmi3, amit177, anito23, bdrung, benagricola, bolt1777, damiankam, dmayan, dotie, elmaxid, ericchou1, farrokhi, henry-spanka, jasperla, kaniini, lukego, markhprice, nbryansky, nerosketch, nrshrivatsan, pavel-odintsov, richgroves, robertoberto, rolexcolocat, tbaschak, trodery, tvberlin, yshow, zenvdeluca


fastnetmon's Issues

cppcheck 1.65

C:\git\fastnetmon>"C:\Program Files (x86)\Cppcheck\cppcheck.exe" --enable=all *.cpp
Checking fastnetmon.cpp...
[fastnetmon.cpp:331]: (style) Unused variable: pps_as_string
[fastnetmon.cpp:351]: (style) Variable 'result' is assigned a value that is never used.
[fastnetmon.cpp:722]: (style) Unused variable: our_networks_netmask
[fastnetmon.cpp:863]: (style) Unused variable: icmphdr
[fastnetmon.cpp:866]: (style) Unused variable: id
[fastnetmon.cpp:866]: (style) Unused variable: seq
[fastnetmon.cpp:995]: (style) Variable 'packet_direction' is assigned a value that is never used.
[fastnetmon.cpp:1226]: (style) Unused variable: dev
[fastnetmon.cpp:1140]: (performance) Possible inefficient checking for 'ban_list' emptiness.
Checking fastnetmon.cpp: GEOIP...
Checking fastnetmon.cpp: PCAP...
[fastnetmon.cpp:1236]: (style) The scope of the variable 'errbuf' can be reduced.
[fastnetmon.cpp:1237]: (style) Unused variable: packet
[fastnetmon.cpp:1422]: (style) Variable 'pcap_read_timeout' is assigned a value that is never used.
Checking fastnetmon.cpp: PF_RING...
Checking fastnetmon.cpp: REDIS...
Checking fastnetmon.cpp: THREADLESS...
Checking fastnetmon.cpp: ULOG2...
1/3 files checked 77% done
Checking ip_lookup.cpp...
[ip_lookup.cpp:46]: (style) Variable 'result' is assigned a value that is never used.
2/3 files checked 91% done
Checking long_prefix_match_unused_code.cpp...
3/3 files checked 100% done
Checking usage of global functions..
[fastnetmon.cpp:1581]: (style) The function 'dump_ip_lookup_tree' is never used.
[ip_lookup.cpp:96]: (style) The function 'get_bit' is never used.
(information) Cppcheck cannot find all the include files (use --check-config for details)

compile problem on centos 6 and pf_ring 6.0.2

I installed the latest PF_RING
[root@vz71 fastnetmon]# cat /proc/net/pf_ring/info
PF_RING Version : 6.0.2 ($Revision: exported$)
Total rings : 1

Standard (non DNA) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
and I am trying to build the latest fastnetmon (the previous fastnetmon works correctly with PF_RING 6.0.2).
I changed the lines in the Makefile (replaced the line "LIBS += -lboost_thread" with the line "LIBS += -lboost_thread-mt" and removed static).
[root@vz71 fastnetmon]# make
g++ -c libipulog.c -o libipulog.o -Wno-write-strings
g++ -DPF_RING -I/opt/pf_ring/include -c fastnetmon.cpp -o fastnetmon.o
gcc -c libpatricia/patricia.c -o libpatricia/patricia.o -Wno-write-strings -lstdc++
g++ -c -D_REENTRANT lru_cache/lru_cache.cpp -o lru_cache/lru_cache.o
g++ libipulog.o libpatricia/patricia.o lru_cache/lru_cache.o fastnetmon.o -o fastnetmon -L/opt/pf_ring/lib -lpfring -lnuma -lrt -lpthread -lncurses -ltermcap -lgpm -llog4cpp -lboost_thread-mt -pthread
/usr/local/lib/libpfring.so: undefined reference to `bpf_filter'
/usr/local/lib/libpfring.so: undefined reference to `pcap_compile_nopcap'
collect2: ld returned 1 exit status
make: *** [fastnetmon] Error 1

Segmentation fault

modinfo pf_ring
filename: /lib/modules/2.6.32-042stab092.2/kernel/net/pf_ring/pf_ring.ko
alias: net-pf-27
description: Packet capture acceleration and analysis
author: Luca Deri [email protected]
license: GPL
srcversion: 9205E6179CCDF3C754F2122
depends:
vermagic: 2.6.32-042stab092.2 SMP mod_unload modversions
parm: min_num_slots:Min number of ring slots (uint)
parm: perfect_rules_hash_size:Perfect rules hash size (uint)
parm: transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)
parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)

uname -a
Linux 2.6.32-042stab092.2 #1 SMP Tue Jul 8 10:35:55 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/redhat-release
CentOS release 6.5 (Final)

mkdir /root/fastnetmon
cd /root/fastnetmon
wget https://raw.githubusercontent.com/FastVPSEestiOu/fastnetmon/master/fastnetmon -Ofastnetmon
chmod +x fastnetmon
./fastnetmon eth0
Segmentation fault (core dumped)

Default config; /etc/networks_list contains
6 networks, /21-/22

Core file: https://dl.dropboxusercontent.com/u/37627/core.206245

Ban list expiration/reset

We are testing fastnetmon on OpenVZ for automatic blocking of a container, and the following nuance came up.
We added stopping the container and removing the container's IP to the script.
We start flooding, and everything is fine: the container is stopped, the IP is removed, and the fastnetmon screen shows
Ban list:
37.143../582262 pps incoming

But in a hosting environment there are situations where the client wakes up, happily writes that the attack is over ("I sorted it out"), the VPS is started, the IP is added back, but the attack has not gone anywhere, and in this case fastnetmon will not trigger, because the Ban list already contains 37.143../582262 pps incoming
Is some kind of Ban list reset planned, or, for example, resetting the Ban list after the blocking command(s) have been executed?
Or is it easier for now to write a hack that restarts fastnetmon when the container starts?

Big packet drop with ongoing few Mpps attack

FastNetMon v1.0 IPs ordered by: packets (use keys 'b'/'p' for change) and use 'q' for quit
Threshold is: 35000 number of active hosts: 13312 from total hosts: 13568

Incoming Traffic        169671 pps 312 mbps
....

Outgoing traffic        231038 pps 2003 mbps
....
Internal traffic        0 pps 0 mbps

Other traffic           819 pps 3 mbps

Packets received:       23337685415
Packets dropped:        2260386577
Packets dropped:        9.7 %

Add icmp support

Subject

2014-11-24 18:48:43.888877 XXXX:0 > 193.42.142.115:0 protocol: unknown flags:  size: 138 bytes
2014-11-24 18:48:43.890119 XXXX:0 > 193.42.142.115:0 protocol: unknown flags:  size: 130 bytes
2014-11-24 18:48:43.890983 XXXX:0 > 217.69.223.22:0 protocol: unknown flags:  size: 118 bytes
2014-11-24 18:48:43.896008 XXXX:0 > 217.69.223.22:0 protocol: unknown flags:  size: 1518 bytes
2014-11-24 18:48:43.896010 XXXX:0 > 217.69.223.22:0 protocol: unknown flags:  size: 534 bytes
2014-11-24 18:48:43.900128 XXXX:0 > 217.69.223.22:0 protocol: unknown flags:  size: 1518 bytes
2014-11-24 18:48:43.900129 XXXX:0 > 217.69.223.22:0 protocol: unknown flags:  size: 510 bytes

Ban reaction

I would like to know how fastnetmon will react to a pps spike lasting a couple of seconds, and whether it is possible to configure blocking only if the excess lasts longer than N seconds?

Segmentation fault in draw_table...

root@netflow ~/fastnetmon # gdb ./fastnetmon core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/fastnetmon/fastnetmon...(no debugging symbols found)...done.
[New LWP 10526]
[New LWP 10527]
[New LWP 10528]
[New LWP 10525]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./fastnetmon'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f11ea66a637 in std::_Rb_tree_insert_and_rebalance(bool, std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, std::_Rb_tree_node_base&) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
(gdb) bt
#0  0x00007f11ea66a637 in std::_Rb_tree_insert_and_rebalance(bool, std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, std::_Rb_tree_node_base&) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x000000000043113e in std::_Rb_tree<unsigned int, std::pair<unsigned int const, map_element>, std::_Select1st<std::pair<unsigned int const, map_element> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, map_element> > >::_M_insert_(std::_Rb_tree_node_base const*, std::_Rb_tree_node_base const*, std::pair<unsigned int const, map_element> const&) ()
#2  0x0000000000429912 in std::_Rb_tree<unsigned int, std::pair<unsigned int const, map_element>, std::_Select1st<std::pair<unsigned int const, map_element> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, map_element> > >::_M_insert_unique_(std::_Rb_tree_const_iterator<std::pair<unsigned int const, map_element> >, std::pair<unsigned int const, map_element> const&) ()
#3  0x0000000000423f08 in std::map<unsigned int, map_element, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, map_element> > >::insert(std::_Rb_tree_iterator<std::pair<unsigned int const, map_element> >, std::pair<unsigned int const, map_element> const&) ()
#4  0x000000000041c28b in std::map<unsigned int, map_element, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, map_element> > >::operator[](unsigned int const&) ()
#5  0x000000000040f49a in draw_table(std::map<unsigned int, map_element, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, map_element> > >&, direction, bool, sort_type) ()
#6  0x0000000000413dea in calculation_programm() ()
#7  0x0000000000413016 in calculation_thread() ()
#8  0x000000000043d35b in boost::detail::thread_data<void (*)()>::run() ()
#9  0x00007f11ebbf7629 in ?? () from /usr/lib/libboost_thread.so.1.49.0
#10 0x00007f11eb192b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#11 0x00007f11e9eaa0ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#12 0x0000000000000000 in ?? ()
(gdb) quit

Add config file

Hi! Please add a config file for some settings. For example:
max_pps for notify_about_attack

Strange behaviour with big packets

2014-07-09 15:58:44.920330 xxxxx:80 > 66.249.81.48:40250 protocol: tcp size: 7160 bytes
2014-07-09 15:58:44.920357 xxxxx:80 > 66.249.81.48:40250 protocol: tcp size: 1488 bytes
2014-07-09 15:58:44.920411 xxxxx:80 > 66.249.81.48:40250 protocol: tcp size: 2906 bytes
2014-07-09 15:58:44.920441 xxxxx80 > 66.249.81.48:40250 protocol: tcp size: 2906 bytes

kernel panic

On OpenVZ kernels we caught a kernel panic; after stopping fastnetmon and unloading pf_ring everything returned to normal. I suspect it is related to tun/tap. Is it better to send this to the OpenVZ bug tracker, or can it somehow be solved locally?

Aug 13 19:06:22 vz60 kernel: [ 286.620099] remove_proc_entry: removing non-empty directory 'dev/tap0', leaking at least 'info'
Aug 13 19:06:22 vz60 kernel: [ 286.620102] Modules linked in: vzethdev pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop simfs vzrst vzcpt nfs lockd fscache auth_rpcgss nfs_acl sunrpc vziolimit vzdquota ip6t_REJECT ip6table_mangle ip6table_filter ip6_tables vzevent vznetdev vzmon vzdev ipv6 flashcache(U) pf_ring(U) xt_connlimit xt_MARK xt_mark ppp_deflate zlib_deflate ppp_async crc_ccitt arc4 ecb ppp_mppe ppp_generic slhc nf_conntrack_tftp nf_conntrack_proto_sctp nf_conntrack_netlink nfnetlink nf_nat_sip nf_conntrack_sip nf_nat_pptp nf_conntrack_pptp nf_conntrack_proto_gre nf_nat_proto_gre nf_nat_h323 nf_conntrack_h323 nf_nat_amanda ts_kmp nf_conntrack_amanda iptable_raw xt_recent xt_owner xt_iprange xt_hashlimit ipt_ecn ipt_ah ipt_addrtype ipt_ULOG xt_HL ipt_REDIRECT ipt_NETMAP ipt_ECN ipt_CLUSTERIP ipt_MASQUERADE tun xt_DSCP nf_nat_irc nf_nat_ftp iptable_nat nf_nat xt_state xt_helper xt_conntrack ipt_LOG nf_conntrack_irc nf_conntrack_ftp nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 xt_length xt_hl xt_tcpmss xt
Aug 13 19:06:22 vz60 kernel: TCPMSS iptable_mangle iptable_filter xt_multiport xt_limit xt_dscp ipt_REJECT ip_tables microcode iTCO_wdt iTCO_vendor_support igb i2c_algo_bit ptp pps_core sg i2c_i801 i2c_core lpc_ich mfd_core ioatdma dca i7core_edac edac_core shpchp ext4 jbd2 mbcache sd_mod crc_t10dif pata_acpi ata
generic ata_piix dm_mirror dm_region_hash dm_log dm_mod megaraid_sas [last unloaded: scsi_wait_scan]
Aug 13 19:06:22 vz60 kernel: [ 286.620193] Pid: 14403, comm: openvpn veid: 98018 Tainted: G W --------------- 2.6.32-042stab092.3 #1
Aug 13 19:06:22 vz60 kernel: [ 286.620196] Call Trace:
Aug 13 19:06:22 vz60 kernel: [ 286.620203] [] ? warn_slowpath_common+0x87/0xc0
Aug 13 19:06:22 vz60 kernel: [ 286.620207] [] ? warn_slowpath_fmt+0x46/0x50
Aug 13 19:06:22 vz60 kernel: [ 286.620210] [] ? xlate_proc_name+0x4d/0xd0
Aug 13 19:06:22 vz60 kernel: [ 286.620214] [] ? remove_proc_entry+0x26a/0x270
Aug 13 19:06:22 vz60 kernel: [ 286.620221] [] ? remove_device_from_ring_list+0x78/0x100 [pf_ring]
Aug 13 19:06:22 vz60 kernel: [ 286.620226] [] ? ring_notifier+0x201/0x3c0 [pf_ring]
Aug 13 19:06:22 vz60 kernel: [ 286.620231] [] ? call_rcu_sched+0x15/0x20
Aug 13 19:06:22 vz60 kernel: [ 286.620236] [] ? notifier_call_chain+0x55/0x80
Aug 13 19:06:22 vz60 kernel: [ 286.620241] [] ? raw_notifier_call_chain+0x16/0x20
Aug 13 19:06:22 vz60 kernel: [ 286.620246] [] ? call_netdevice_notifiers+0x1b/0x20
Aug 13 19:06:22 vz60 kernel: [ 286.620249] [] ? rollback_registered_many+0x179/0x2e0
Aug 13 19:06:22 vz60 kernel: [ 286.620253] [] ? rollback_registered+0x38/0x50
Aug 13 19:06:22 vz60 kernel: [ 286.620256] [] ? unregister_netdevice_queue+0x70/0xc0
Aug 13 19:06:22 vz60 kernel: [ 286.620259] [] ? unregister_netdevice+0x10/0x20
Aug 13 19:06:22 vz60 kernel: [ 286.620265] [] ? tun_chr_close+0xd8/0x100 [tun]
Aug 13 19:06:22 vz60 kernel: [ 286.620270] [] ? __fput+0xf8/0x280
Aug 13 19:06:22 vz60 kernel: [ 286.620274] [] ? fput+0x25/0x30
Aug 13 19:06:22 vz60 kernel: [ 286.620277] [] ? filp_close+0x5d/0x90
Aug 13 19:06:22 vz60 kernel: [ 286.620280] [] ? sys_close+0xa5/0x100
Aug 13 19:06:22 vz60 kernel: [ 286.620286] [] ? ia32_sysret+0x0/0x5
Aug 13 19:06:22 vz60 kernel: [ 286.620288] ---[ end trace de0e4cfc384a232c ]---
Aug 13 19:06:22 vz60 kernel: [ 286.620290] Tainting kernel with flag 0x9
Aug 13 19:06:22 vz60 kernel: [ 286.620292] Pid: 14403, comm: openvpn veid: 98018 Tainted: G W --------------- 2.6.32-042stab092.3 #1
Aug 13 19:06:22 vz60 kernel: [ 286.620295] Call Trace:
Aug 13 19:06:22 vz60 kernel: [ 286.620298] [] ? add_taint+0x71/0x80
Aug 13 19:06:22 vz60 kernel: [ 286.620301] [] ? warn_slowpath_common+0x94/0xc0
Aug 13 19:06:22 vz60 kernel: [ 286.620305] [] ? warn_slowpath_fmt+0x46/0x50
Aug 13 19:06:22 vz60 kernel: [ 286.620308] [] ? xlate_proc_name+0x4d/0xd0
Aug 13 19:06:22 vz60 kernel: [ 286.620311] [] ? remove_proc_entry+0x26a/0x270
Aug 13 19:06:22 vz60 kernel: [ 286.620316] [] ? remove_device_from_ring_list+0x78/0x100 [pf_ring]
Aug 13 19:06:22 vz60 kernel: [ 286.620321] [] ? ring_notifier+0x201/0x3c0 [pf_ring]
Aug 13 19:06:22 vz60 kernel: [ 286.620324] [] ? call_rcu_sched+0x15/0x20
Aug 13 19:06:22 vz60 kernel: [ 286.620328] [] ? notifier_call_chain+0x55/0x80
Aug 13 19:06:22 vz60 kernel: [ 286.620332] [] ? raw_notifier_call_chain+0x16/0x20
Aug 13 19:06:22 vz60 kernel: [ 286.620335] [] ? call_netdevice_notifiers+0x1b/0x20
Aug 13 19:06:22 vz60 kernel: [ 286.620338] [] ? rollback_registered_many+0x179/0x2e0
Aug 13 19:06:22 vz60 kernel: [ 286.620342] [] ? rollback_registered+0x38/0x50
Aug 13 19:06:22 vz60 kernel: [ 286.620345] [] ? unregister_netdevice_queue+0x70/0xc0
Aug 13 19:06:22 vz60 kernel: [ 286.620348] [] ? unregister_netdevice+0x10/0x20
Aug 13 19:06:22 vz60 kernel: [ 286.620353] [] ? tun_chr_close+0xd8/0x100 [tun]
Aug 13 19:06:22 vz60 kernel: [ 286.620356] [] ? __fput+0xf8/0x280
Aug 13 19:06:22 vz60 kernel: [ 286.620359] [] ? fput+0x25/0x30
Aug 13 19:06:22 vz60 kernel: [ 286.620362] [] ? filp_close+0x5d/0x90
Aug 13 19:06:22 vz60 kernel: [ 286.620365] [] ? sys_close+0xa5/0x100
Aug 13 19:06:22 vz60 kernel: [ 286.620369] [] ? ia32_sysret+0x0/0x5

Move ban script to different thread

Because if we slow down our speed_recalculator it can result in a massive ban of clients.

I.e. we collect data for 10 seconds and count it as ONE second, which results in banning medium-intensity network clients.

We should fork another thread, or pass the data to another thread, and execute all ban work there.
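The two posts above (the ban reaction question and the speed_recalculator note) describe the same failure mode: a counter collected over a 10 s window reported as a one-second rate, and a ban fired on a spike of a second or two. The following is an added example, not fastnetmon's own code; the `RateSample` struct, the `SustainedThresholdDetector` class and all sample values are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical helpers (not fastnetmon's code): one packet counter per
// collection window, plus a detector that bans only after a sustained excess.
struct RateSample {
    std::uint64_t packets;  // packets counted in the collection window
    double window_seconds;  // actual length of that window in seconds
};

// Divide by the window length: treating a 10 s window as one second would
// inflate the rate tenfold and ban hosts that are well under the threshold.
double packets_per_second(const RateSample& s) {
    if (s.window_seconds <= 0.0) {
        return 0.0;  // no valid window yet: report no traffic, not infinity
    }
    return static_cast<double>(s.packets) / s.window_seconds;
}

class SustainedThresholdDetector {
public:
    SustainedThresholdDetector(double threshold_pps, unsigned required_seconds)
        : threshold_pps_(threshold_pps), required_(required_seconds), run_(0) {}

    // Feed one per-second rate sample. Returns true only once the rate has
    // stayed above the threshold for `required_` consecutive seconds, so a
    // spike lasting a second or two does not trigger a ban.
    bool observe(double pps) {
        if (pps > threshold_pps_) {
            ++run_;
        } else {
            run_ = 0;  // any second under the threshold resets the streak
        }
        return run_ >= required_;
    }

private:
    double threshold_pps_;
    unsigned required_;
    unsigned run_;
};

// Runs a sequence of per-second samples through the detector and returns the
// index of the sample at which a ban would be triggered, or -1 if none.
int first_ban_index(const std::vector<double>& pps_samples,
                    double threshold_pps, unsigned required_seconds) {
    SustainedThresholdDetector det(threshold_pps, required_seconds);
    for (std::size_t i = 0; i < pps_samples.size(); ++i) {
        if (det.observe(pps_samples[i])) {
            return static_cast<int>(i);
        }
    }
    return -1;
}

int main() {
    // Constructed sample: 350,000 packets over 10 s is 35,000 pps, not the
    // 350,000 pps a "count the whole window as one second" loop would report.
    const double pps = packets_per_second(RateSample{350000, 10.0});

    // Constructed history: a two-second spike, a quiet second, then three
    // seconds above a 35,000 pps threshold; the ban fires at index 5.
    const std::vector<double> history = {40000, 41000, 20000, 38000, 39000, 40000};
    const int ban_at = first_ban_index(history, 35000.0, 3);
    return (pps == 35000.0 && ban_at == 5) ? 0 : 1;
}
```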

Problem with sending notifications when a DDoS attack is detected

There was one case in which the attack log was not sent. The first general email arrived, but the second did not. This definitely did not happen because of the hourly restart of the script, since the first email was sent at 18:44:49 and the script restarts every hour at exactly 00 minutes.
cat syslog | grep -i cron | grep fastnetmon-restart
Sep 10 07:00:01 netflow /USR/SBIN/CRON[13951]: (root) CMD (/usr/bin/fastnetmon-restart >/dev/null 2>&1)
Sep 10 08:00:01 netflow /USR/SBIN/CRON[14058]: (root) CMD (/usr/bin/fastnetmon-restart >/dev/null 2>&1)
Sep 10 09:00:01 netflow /USR/SBIN/CRON[14165]: (root) CMD (/usr/bin/fastnetmon-restart >/dev/null 2>&1)

Today, 17.09.2014, during an attack of 1.5 million packets, one first email and three emails with the attack log were sent.
All three emails contain the same header, except for the "Peak attack power" line, which is different in all three.
All three contain logs for different time periods:
one email contains the log collected at 2014-09-18 00:07:55,
the second the log from 2014-09-18 00:07:57,
the third the log from 2014-09-18 00:08:01.

I also noticed a peculiarity. Four emails were sent 3 seconds apart:
Sep 18 00:08:00 netflow postfix/pickup[3057]: D115E2780673: uid=0 from=
Sep 18 00:08:00 netflow postfix/cleanup[3187]: D115E2780673: message-id=[email protected]
Sep 18 00:08:03 netflow postfix/pickup[3057]: 05E6B2780679: uid=0 from=
Sep 18 00:08:03 netflow postfix/cleanup[3187]: 05E6B2780679: message-id=[email protected]
Sep 18 00:08:06 netflow postfix/pickup[3057]: 16FD22780687: uid=0 from=
Sep 18 00:08:06 netflow postfix/cleanup[3187]: 16FD22780687: message-id=[email protected]
Sep 18 00:08:09 netflow postfix/pickup[3057]: 2B35E278068B: uid=0 from=
Sep 18 00:08:09 netflow postfix/cleanup[3187]: 2B35E278068B: message-id=[email protected]

There is definitely a failure in log generation.

Show only "Other traffic"

Hello, I have a server (not a VM) with Ubuntu 12.04 and HAProxy on it. When I run the precompiled fastnetmon as ./fastnetmon eth1, I get only "Other traffic"; what am I doing wrong?

"FastNetMon v1.0 IPs ordered by: packets threshold is: 20000

Incoming Traffic 0 pps 0 mbps

Outgoing traffic 0 pps 0 mbps

Internal traffic 0 pps 0 mbps

Other traffic 14953 pps 146 mbps

Packets received: 136462
Packets dropped: 0
Packets dropped: 0.0 %"
