Not sure if I am experiencing a couple of bugs or a misconfiguration. Currently running version 1.1.9.
First, I have "pcap = off", yet I still see pcap files accumulate in the /var/log/fastnetmon_attacks/ directory. Is this expected behavior?
Second, I have "unban_only_if_attack_finished = on" but I have noticed that when ban_time is reached, the app calls the notify_script_path script with the "unban" attribute. If the attack is still present then it calls it again with the "ban" attribute, and then again with "attack_details".
Third, I have noticed a few times that the daemon will ban an IP and it will show up in the client as "x.x.x.x/0 pps other at 18_04_37_03:35:02". The "x.x.x.x_18_04_37_03:35:02.pcap" file is 0 bytes, but the "x.x.x.x_18_04_37_03:35:02.txt" has all the details in it. I noticed the pcap file is 0 bytes only when this anomaly happens. When this happens the daemon will not unban the IP after the ban_time has been reached. A restart of the fastnetmon service is required to release it.
Thanks in advance.
Nick