-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathapermon.conf.example
186 lines (181 loc) · 5.91 KB
/
apermon.conf.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
# global options
options {
listen 0.0.0.0 6343 sflow v5; # listen for sflow v5 on 0.0.0.0:6343
listen 0.0.0.0 9001 sflow v5; # you can listen multiple ports
min-ban-time 300; # default min ban time for host/net
burst-period 5; # default burst period for host/net
# dump bps/pps of each host/net of each trigger to file
# can be viewed with "utils/status-viewer <status-file> <trigger-name>"
status-file "/var/run/apermon.status" dump-interval 1;
}
# define agnets to accept sflow packets from
agents {
# agent name
qfx5110 {
# agent address - note that this is not the source address of the sflow
# packet, but the agent address in the sflow header.
addresses [ 10.89.64.117 ];
}
}
# optionally, define a list of network interfaces for filter matching
interfaces {
# interface name
hkix {
# interface ifindexes - format "<agent_name>.<ifindex>"
# for junos, this is the "SNMP ifIndex"
ifindexes [ qfx5110.500 qfx5110.501 ];
}
eie {
ifindexes [ qfx5110.502 ];
}
telstra {
ifindexes [ qfx5110.503 ];
}
cug {
ifindexes [ qfx5110.504 ];
}
ctg {
ifindexes [ qfx5110.505 ];
}
cdn77 {
ifindexes [ qfx5110.510 ];
}
}
# define prefixes - use in various places later
prefixes {
apernet-light {
103.152.34.0/24;
}
apernet-premium {
103.152.35.0/24;
}
no-ban {
103.152.35.1/32;
}
}
# define actions
actions {
# action name
default-blackhole {
# script to invoke
script "/opt/apermon/scripts/exabgp.sh" {
# when to invoke the said script - possible values are: "ban" and
# "unban"
events [ ban unban ];
env {
EXABGP_CONTROL_SOCKET = "/var/run/exabgp.sock";
EXABGP_COMMUNITIES = "65535:666 65001:666";
EXABGP_NEXTHOP = "10.66.66.66";
LOCKFILE = "/tmp/apermon-exabgp.lock";
}
}
}
telstra-blackhole {
script "/opt/apermon/scripts/apernet-announce-telstra-blackhole.sh" {
events [ ban ];
}
script "/opt/apermon/scripts/apernet-withdraw-telstra-blackhole.sh" {
events [ unban ];
}
}
amplification-attack {
script "/opt/apermon/scripts/apernet-firewall-drop-amp-ports.sh" {
events [ ban ];
}
script "/opt/apermon/scripts/apernet-firewall-accept-amp-ports.sh" {
events [ unban ];
}
}
notify {
script "/opt/apermon/scripts/mailgun.sh" {
events [ ban unban ];
env {
API_KEY = "api:key-...";
DOMAIN = "noreply.example.com";
FROM = "AperMon <[email protected]>";
TO = "[email protected]";
# mailgun script will eval echo the SUBJECT variable to expand var refs
SUBJECT = "[apermon] $TRIGGER: $TYPE $TARGET";
}
}
script "/opt/apermon/scripts/telegram.sh" {
events [ ban unban ];
env {
BOT_TOKEN = "...";
CHAT_ID = "...";
}
}
}
}
# define triggers - when to do what
triggers {
# trigger name
telstra-protect {
# networks to monitor
networks [ apernet-light apernet-premium ];
# directions of the traffic to monitor
directions [ ingress egress ];
# defines how to aggregate the traffic
# - host: aggregate by host (i.e., /32 or /128 for inet and inet6)
# - net: aggregate by net (networks defined above under "networks")
aggregate-type host;
# when to trigger the action
thresholds {
# trigger if the aggregate traffic exceeds 2.5gbps
bps 2.5g;
}
# optionally, deifne filters to filter traffic. possible terms are:
# - and { <term1>; <term2>; ... } - logical AND (all terms must match)
# - or { <term1>; <term2>; ... } - logical OR (match any terms)
# - not { <term1>; <term2>; ... } - logical NOT (all terms must not match)
# - in-interface <interface-name>; - match packets coming from the interface
# - out-interface <interface-name>; - match packets going to the interface
# - source <inet/inet6-address>; - match packets with the source address
# - destination <inet/inet6-address>; - match packets with the destination address
# - source-port <number>; - match packets with the source port
# - destination-port <number>; - match packets with the destination port
# - protocol <tcp/udp/number>; - match packets with the protocol
# - is-fragment; - match packets that are fragments (i.e., frag-off != 0 or mf bit set)
filter {
# filters {} assumes and if and/or/not are not the root term. i.e.,
# here both in-interface and destination must match.
in-interface telstra;
destination apernet-light;
}
# actions to take when the trigger status changes
actions [ telstra-blackhole notify ];
}
apernet-light {
min-ban-time 600;
aggregate-type host;
networks [ apernet-light ];
directions [ ingress egress ];
filter {
not {
source no-ban;
destination no-ban;
}
}
thresholds {
pps 1m;
bps 1g;
}
actions [ default-blackhole notify ];
}
ntp {
networks [ apernet-light apernet-premium ];
directions [ ingress ];
aggregate-type net;
filter {
protocol udp;
or {
source-port 123;
source-port 389;
}
}
thresholds {
bps 300m;
}
actions [ amplification-attack notify ];
}
}