Hosts group personal thresholds


Константин (aztec102)

Jun 29, 2026, 10:42:33 PM
to sFlow-RT
Hello! Is it possible to add the ability to create host groups and set their own trigger thresholds?

Peter Phaal

Jun 30, 2026, 12:34:00 PM
to sFlow-RT
There are two approaches you might consider:
1. Create a separate flow definition for each host group and apply a threshold to each flow definition. This works if you have a small number of host groups you want to apply thresholds to.
2. Have a single flow definition and include the group as part of the flow key, then set a number of thresholds on that flow definition. This scales well if you have a large number of host groups (e.g. host group per customer) and a small number of thresholds (e.g. small, medium, large).

Examples of the two approaches are given below. See Writing Applications for information on sFlow-RT APIs. Ther

1. Separate Flow Definitions

var groups = {
  "external":["0.0.0.0/0"],
  "internal":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]
};
setGroups('host_groups',groups);
setFlow('internal',{
  keys:'ipdestination',
  value:'bytes',
  filter:'group:ipdestination:host_groups=internal'
});
setFlow('external',{
  keys:'ipdestination',
  value:'bytes',
  filter:'group:ipdestination:host_groups=external'
});
setThreshold('internal', {metric:'internal', value:10000, byFlow:true});
setThreshold('external', {metric:'external', value:20000, byFlow:true});
setEventHandler(evt => logInfo(JSON.stringify(evt)), ['internal','external']);

2. Single Flow Definition

var groups = {
  "external":["0.0.0.0/0"],
  "internal":["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]
};
setGroups('host_groups',groups);
setFlow('grouped',{
  keys:'ipdestination,group:ipdestination:host_groups',
  value:'bytes',
});
setThreshold('small', {metric:'grouped', value:10000, byFlow:true});
setThreshold('medium', {metric:'grouped', value:20000, byFlow:true});
setThreshold('large', {metric:'grouped', value:50000, byFlow:true});
setEventHandler(evt => logInfo(JSON.stringify(evt)), ['small','medium','large']);

We developed a script that is a more complete example of this second approach. It’s a pared down (removed BGP, user settings, etc) version of the DDoS Protect application.

The new application is ddos-detect, so settings use the ddos_detect prefix, but otherwise it’s basically a stripped down ddos-protect.

wget https://inmon.com/products/sFlow-RT/ddos-detect.tgz

Unpack the tarball in the sFlow-RT/app/ directory.

Settings are no longer done through the user interface, but instead are pushed via the REST API.

Set address groups:

curl -d @groups.json -X PUT -H "Content-Type: application/json" http://localhost:8008/app/ddos-detect/scripts/ddos.js/groups/json

Get address groups:

curl -o groups.json http://localhost:8008/app/ddos-detect/scripts/ddos.js/groups/json

Set thresholds:

curl -d @settings.json -X PUT -H "Content-Type: application/json" http://localhost:8008/app/ddos-detect/scripts/ddos.js/settings/json

Get thresholds:

curl -o settings.json http://localhost:8008/app/ddos-detect/scripts/ddos.js/settings/json

There are three thresholds per attack (sm, md, lg) for small, medium and large attacks. The three thresholds are shown in the charts and an attack will generate an event for each threshold it crosses.

Add code to the sendEvent() method to push events to a customer controller.
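Added example (not part of the original post or of the ddos-detect application): with the single flow definition from approach 2, every flow raises an event for each of the small/medium/large thresholds it crosses, so the per-group threshold choice can be made in the event handler by reading the group out of the flow key. The `TIER_BY_GROUP` policy, `DEFAULT_TIER`, and the helper names are hypothetical; the code assumes events carry `thresholdID`, `flowKey` and `value` fields and that `,` is the flow key separator.

```javascript
// Added example: per-group tier selection for approach 2.
// TIER_BY_GROUP and DEFAULT_TIER are hypothetical policy, not sFlow-RT settings.
const TIER_BY_GROUP = { internal: 'small', external: 'large' };
const DEFAULT_TIER = 'medium';

// Split "ipdestination,group" on the last separator (',' is assumed to be
// the flow key separator in use).
function parseFlowKey(flowKey) {
  if (typeof flowKey !== 'string') return null;
  const i = flowKey.lastIndexOf(',');
  if (i <= 0 || i === flowKey.length - 1) return null;
  return { host: flowKey.slice(0, i), group: flowKey.slice(i + 1) };
}

// Return an alert only when the event's threshold is the tier assigned to
// the destination's group; other tiers for the same flow are dropped.
function selectAlert(evt, tierByGroup = TIER_BY_GROUP) {
  const key = parseFlowKey(evt && evt.flowKey);
  if (!key) return null;
  const tier = Object.prototype.hasOwnProperty.call(tierByGroup, key.group)
    ? tierByGroup[key.group] : DEFAULT_TIER;
  if (evt.thresholdID !== tier) return null;
  return { host: key.host, group: key.group, tier: tier, value: evt.value };
}

// Constructed sample events (assumed shape of what the handler receives).
const SAMPLE_EVENTS = [
  { thresholdID: 'small',  metric: 'grouped', flowKey: '10.1.2.3,internal',     value: 12000 },
  { thresholdID: 'small',  metric: 'grouped', flowKey: '198.51.100.7,external', value: 60000 },
  { thresholdID: 'medium', metric: 'grouped', flowKey: '198.51.100.7,external', value: 60000 },
  { thresholdID: 'large',  metric: 'grouped', flowKey: '198.51.100.7,external', value: 60000 },
  { thresholdID: 'large',  metric: 'grouped', flowKey: 'malformed',             value: 99999 }
];

function runSample() {
  return SAMPLE_EVENTS.map(e => selectAlert(e)).filter(a => a !== null);
}

// In sFlow-RT the same function would be wired in as:
// setEventHandler(evt => { var a = selectAlert(evt); if (a) logInfo(JSON.stringify(a)); },
//   ['small','medium','large']);
console.log(runSample());
```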