Export attack information in JSON output #942

Open
stkonst opened this issue Jun 22, 2022 · 4 comments
Comments

@stkonst

stkonst commented Jun 22, 2022

Currently the fastnetmon implementations provide useful information about the current attack as variables to the notify script:

# $1 --> IP blocked
# $2 --> type of attack
# $3 --> pps of attack
# $4 --> ban/unban

Perhaps it's possible to provide this information in JSON format so it can be fed easily to custom scripts, and also to enrich the output with more information like the number of flows, direction, etc.

Or, in case of multiple hosts being under attack, the tool could summarize the info in one JSON output and feed it to the script.

@pavel-odintsov
Owner

Hello!

Thank you for the feedback.

That indeed makes sense. We can add some basic information in the same format as for the Advanced edition, like this:

{
  "ip": "127.0.0.1",
  "action": "ban",
  "attack_details": {
    "attack_uuid": "041eb504-2b33-4ff7-a6b7-8235408d5062",
    "attack_detection_source": "automatic",
    "total_incoming_traffic": 15253500,
    "total_outgoing_traffic": 15253590,
    "total_incoming_pps": 282472,
    "total_outgoing_pps": 282473,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0,
    "incoming_ip_fragmented_traffic": 0,
    "outgoing_ip_fragmented_traffic": 0,
    "incoming_ip_fragmented_pps": 0,
    "outgoing_ip_fragmented_pps": 0,
    "incoming_tcp_traffic": 15253547,
    "outgoing_tcp_traffic": 15253590,
    "incoming_tcp_pps": 282472,
    "outgoing_tcp_pps": 282473,
    "incoming_syn_tcp_traffic": 0,
    "outgoing_syn_tcp_traffic": 0,
    "incoming_syn_tcp_pps": 0,
    "outgoing_syn_tcp_pps": 0,
    "incoming_udp_traffic": 0,
    "outgoing_udp_traffic": 0,
    "incoming_udp_pps": 0,
    "outgoing_udp_pps": 0,
    "incoming_icmp_traffic": 0,
    "outgoing_icmp_traffic": 0,
    "incoming_icmp_pps": 0,
    "outgoing_icmp_pps": 0
  }
}

@pavel-odintsov
Owner

We made some progress in that direction and reworked the JSON logic to make it possible in the near future: fe98664

@deivisonmarteleto

I was checking the data that fastnetmon saves in mongo, and I noticed that the "attack_uuid" key is "00000000-0000-0000-0000-000000000000":

{
  "_id" : ObjectId("65496f63d3dcccc998064bd1"),
  "xxxx_information_06_11_23_19:57:28" : {
    "action" : "ban",
    "alert_scope" : "host",
    "attack_details" : {
      "attack_uuid" : "00000000-0000-0000-0000-000000000000",
      "host_group" : "global",
      "incoming_dropped_pps" : 0,
      "incoming_dropped_traffic" : 0,
      "incoming_dropped_traffic_bits" : 0,
      "incoming_icmp_pps" : 0,
      "incoming_icmp_traffic" : 0,
      "incoming_icmp_traffic_bits" : 0,
      "incoming_ip_fragmented_pps" : 0,
      "incoming_ip_fragmented_traffic" : 0,
      "incoming_ip_fragmented_traffic_bits" : 0,
      "incoming_syn_tcp_pps" : 134,
      "incoming_syn_tcp_traffic" : 43872,
      "incoming_syn_tcp_traffic_bits" : 350976,
      "incoming_tcp_pps" : 135,
      "incoming_tcp_traffic" : 43921,
      "incoming_tcp_traffic_bits" : 351368,
      "incoming_udp_pps" : 0,
      "incoming_udp_traffic" : 0,
      "incoming_udp_traffic_bits" : 0,
      "outgoing_dropped_pps" : 0,
      "outgoing_dropped_traffic" : 0,
      "outgoing_dropped_traffic_bits" : 0,
      "outgoing_icmp_pps" : 0,
      "outgoing_icmp_traffic" : 0,
      "outgoing_icmp_traffic_bits" : 0,
      "outgoing_ip_fragmented_pps" : 0,
      "outgoing_ip_fragmented_traffic" : 0,
      "outgoing_ip_fragmented_traffic_bits" : 0,
      "outgoing_syn_tcp_pps" : 0,
      "outgoing_syn_tcp_traffic" : 0,
      "outgoing_syn_tcp_traffic_bits" : 0,
      "outgoing_tcp_pps" : 0,
      "outgoing_tcp_traffic" : 0,
      "outgoing_tcp_traffic_bits" : 0,
      "outgoing_udp_pps" : 0,
      "outgoing_udp_traffic" : 0,
      "outgoing_udp_traffic_bits" : 0,
      "protocol_version" : "IPv4",
      "total_incoming_flows" : 12,
      "total_incoming_pps" : 135,
      "total_incoming_traffic" : 43921,
      "total_incoming_traffic_bits" : 351368,
      "total_outgoing_flows" : 0,
      "total_outgoing_pps" : 0,
      "total_outgoing_traffic" : 0,
      "total_outgoing_traffic_bits" : 0
    },
    "ip" : "xxxx"
  }
}

@deivisonmarteleto

A cool advance would be to have the "attack_uuid" key sent along with the notification script args.
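The consumer side of the hand-off discussed in this thread, as an added example that is not FastNetMon's own code: a notify script that accepts either the legacy positional arguments ($1 IP, $2 attack type, $3 pps, $4 ban/unban) or one JSON document on stdin in the format proposed above, normalises both into one record, derives the "direction" field the opener asks for, and flags the all-zero attack_uuid seen in the MongoDB dump. Three things are assumptions rather than anything the project defines: the {"hosts": [...]} wrapper for several attacked hosts at once, the "attack_type" key used to carry the legacy $2 value, and the rule that the heavier packet rate decides the direction.

```python
"""Notify-script consumer for FastNetMon ban/unban events (added example).

Accepts either the legacy positional arguments ($1 IP, $2 attack type,
$3 pps, $4 ban/unban) or one JSON document on stdin in the format proposed
in this issue, and normalises both into the same flat record.
Assumptions (not part of FastNetMon): the {"hosts": [...]} wrapper, the
"attack_type" key, and the direction rule.
"""
import ipaddress
import json
import sys
import uuid

NIL_UUID = "00000000-0000-0000-0000-000000000000"
VALID_ACTIONS = {"ban", "unban"}


def normalise(event):
    """Validate one ban/unban event (dict) and return a flat record."""
    # ipaddress rejects anything that is not a literal address, so a
    # malformed field can never reach a firewall command built from it.
    ip = str(ipaddress.ip_address(event["ip"]))
    action = event["action"]
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    details = event.get("attack_details", {})
    attack_uuid = details.get("attack_uuid")
    if attack_uuid is not None:
        uuid.UUID(attack_uuid)  # raises ValueError on a malformed id
    in_pps = int(details.get("total_incoming_pps", 0))
    out_pps = int(details.get("total_outgoing_pps", 0))
    return {
        "ip": ip,
        "action": action,
        "attack_type": details.get("attack_type"),  # assumed key, legacy $2 only
        "attack_uuid": attack_uuid,
        # True both when no uuid was sent and for the nil uuid reported above
        "uuid_missing": attack_uuid in (None, NIL_UUID),
        "incoming_pps": in_pps,
        "outgoing_pps": out_pps,
        "incoming_flows": int(details.get("total_incoming_flows", 0)),
        "outgoing_flows": int(details.get("total_outgoing_flows", 0)),
        # assumed rule: the heavier packet rate decides the direction
        "direction": "incoming" if in_pps >= out_pps else "outgoing",
    }


def from_positional(args):
    """Legacy interface: the four arguments the notify script receives."""
    if len(args) != 4:
        raise ValueError("expected: <ip> <attack_type> <pps> <ban|unban>")
    ip, attack_type, pps, action = args
    return normalise({"ip": ip, "action": action,
                      "attack_details": {"attack_type": attack_type,
                                         "total_incoming_pps": pps}})


def from_json(text):
    """JSON interface: one event, or the assumed {"hosts": [event, ...]} summary."""
    doc = json.loads(text)
    events = doc["hosts"] if isinstance(doc, dict) and "hosts" in doc else [doc]
    return [normalise(e) for e in events]


# Constructed sample in the format proposed above (values copied from it).
SAMPLE_EVENT = """{
  "ip": "127.0.0.1",
  "action": "ban",
  "attack_details": {
    "attack_uuid": "041eb504-2b33-4ff7-a6b7-8235408d5062",
    "attack_detection_source": "automatic",
    "total_incoming_pps": 282472,
    "total_outgoing_pps": 282473,
    "total_incoming_flows": 0,
    "total_outgoing_flows": 0
  }
}"""


def main(argv=None, stdin=None):
    """Positional args win; otherwise read one JSON document from stdin."""
    argv = sys.argv[1:] if argv is None else argv
    stdin = sys.stdin if stdin is None else stdin
    records = [from_positional(argv)] if argv else from_json(stdin.read())
    for rec in records:
        flag = " (attack_uuid missing or nil)" if rec["uuid_missing"] else ""
        print(f'{rec["action"]} {rec["ip"]} {rec["direction"]} '
              f'{rec["incoming_pps"]} pps{flag}')
    return records


if __name__ == "__main__":
    main()
```

Run it as `echo "$json" | python3 notify.py` for the JSON path or `python3 notify.py 10.0.0.1 syn_flood 50000 ban` for the legacy path. Validating the address and action up front matters because whatever comes after this record (an iptables or BGP announce command, a ticket, a chat message) is built from it; with the nil uuid flagged, events that cannot be correlated with a stored attack record stand out instead of silently sharing one id.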
