Few issues..

28 views
Skip to first unread message

Nick Fawcett

unread,
Jan 21, 2021, 10:46:30 AM1/21/21
to fastn...@googlegroups.com
Not sure if I am experiencing a couple of bugs or misconfiguration.  Currently running version 1.1.9

First, I have "pcap = off", yet I still see pcap files accumulate in /var/log/fastnetmon_attacks/ directory.  Is this expected behavior?

Second, I have "unban_only_if_attack_finished = on" but I have noticed that when ban_time is reached, the app calls the notify_script_path script with the "unban" attribute. If the attack is still present then it calls it again with the "ban" attribute, and then again with "attack_details".

Third, I have noticed a few times that the daemon will ban an IP and it will show up in the client as "x.x.x.x/0 pps other at 18_04_37_03:35:02". The "x.x.x.x_18_04_37_03:35:02.pcap" file is 0 bytes, but the "x.x.x.x_18_04_37_03:35:02.txt" has all the details in it.  I noticed the pcap file is 0 bytes only when this anomaly happens.  When this happens the daemon will not unban the IP after the ban_time has been reached.  A restart of the fastnetmon service is required to release it.

Thanks in advance..

Nick

Pavel Odintsov

unread,
Jan 21, 2021, 6:42:47 PM1/21/21
to Nick Fawcett, FastNetMon user group
Hello!

Great questions! Let me reply to them one by one.

1. Pcap option does not control pcap dumps, it controls pcap traffic capture engine.  You need to tune flag collect_attack_pcap_dumps

2. "unban_only_if_attack_finished" compares traffic level with specific threshold before unban. If your traffic to / from host is below threshold then it will be unblocked

3. I recommend filling a bug report about it at https://github.com/pavel-odintsov/fastnetmon/issues We have plans to rework Ipv4 ban logic completely. IPv6 got a new blocking pipeline which works in a completely predictable manner. 



--
Follow us on social media: Twitter: https://twitter.com/fastnetmon | Facebook: https://www.facebook.com/fastnetmon/ | LinkedIn: https://www.linkedin.com/company/fastnetmon/
---
You received this message because you are subscribed to the Google Groups "FastNetMon user group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fastnetmon+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/fastnetmon/CAPnA9ByJVa0HRsin%2B3X0zRRbqZ49O6USgGoeGVeOndV2jLsfMA%40mail.gmail.com.


--
Sincerely yours, Pavel Odintsov
Reply all
Reply to author
Forward
0 new messages