Prevent fastnetmon to write to rtbh routing table #1034
Replies: 4 comments
-
Hello!
I can assure you that FastNetMon is not writing to the rtbh routing table. So
it works exactly as you want. It just calls the script.
Sincerely yours, Pavel Odintsov
On Fri, 31 Jan 2025 at 19:44, hELLO wORLD <***@***.***> wrote:
Hello,
I use fastnetmon community, and it works well. Thank you for this piece of
software :)
I would like to use it in a particular way.
I want to manage all actions only from notify_about_attack.sh, but it
seems that in any case, it is writing to the rtbh routing table (that any
bgp option is enabled or not in the configuration file).
This is a problem because independently of fastnetmon, I am using the rtbh
table with bgp, and I need to decide what to blackhole or not in the
notify_about_attack.sh.
To be exact, the script decides if an ip needs to be added to the rtbh
blackhole or if other custom actions need to be taken instead.
So I need the script notify_about_attack.sh to be triggered when there is
an attack detected, but nothing else done.
I thought that maybe the enable_ban option was simply it, but I cannot
find any documentation about it.
If I put it to off, and use fastnetmon_api_client ban ip to simulate an
attack, fastnetmon writes to the rtbh routing table. Maybe this is not
the right way to test (as I suspect the api is bypassing the enable_ban
setting).
Can you confirm what the option enable_ban does exactly?
Does it disable attack detection? (I suppose not)
If not, does it disable the call to notify_about_attack.sh if an attack
is detected?
And does it alter the rtbh routing table if an attack is detected?
Thank you
-
Hello Pavel,
Thank you for your fast answer.
You mean when enable_ban = off, then FastNetMon is not writing to rtbh routing table?
And when enable_ban = on, then it does?
If so, this is perfect :)
Best Regards,
Gabriel ROUSSEAU
-
Hello!
Thank you for such warm feedback!
Let me clarify. FastNetMon is not capable of writing to any routing tables.
We have no such functionality, but clearly it will be a nice addition.
The Enable Ban option enables any actions for attack detection. Without this
flag FastNetMon is not doing anything.
Sincerely yours, Pavel Odintsov
Answer selected by bolemo
-
Duh! My bad. You are absolutely right, the writing to routing tables was already in the current script. Sorry for the disturbance, but I am glad it gave you ideas of new functionalities ;)
-
Hello,
I use fastnetmon community, and it works well. Thank you for this piece of software :)
I would like to use it in a particular way.
I want to manage all actions only from notify_about_attack.sh, but it seems that in any case, it is writing to the rtbh routing table (that any bgp option is enabled or not in the configuration file).
This is a problem because independently of fastnetmon, I am using the rtbh table with bgp, and I need to decide what to blackhole or not in the notify_about_attack.sh.
To be exact, the script decides if an ip needs to be added to the rtbh blackhole or if other custom actions need to be taken instead.
So I need the script notify_about_attack.sh to be triggered when there is an attack detected, but nothing else done.
I thought that maybe the enable_ban option was simply it, but I cannot find any documentation about it.
If I put it to off, and use fastnetmon_api_client ban ip to simulate an attack, fastnetmon writes to the rtbh routing table. Maybe this is not the right way to test (as I suspect the api is bypassing the enable_ban setting).
Can you confirm what the option enable_ban does exactly?
Does it disable attack detection? (I suppose not)
If not, does it disable the call to notify_about_attack.sh if an attack is detected?
And does it alter the rtbh routing table if an attack is detected?
Thank you
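The setup discussed in this thread, where notify_about_attack.sh alone decides between an RTBH entry and a custom action, shown as an added example (not code from the thread or from the FastNetMon project). It assumes the script is called with IP, direction, packets per second and action as its four arguments and that the direction value is "incoming"; NEVER_BLACKHOLE, RTBH_MIN_PPS and rtbh_change are hypothetical names with constructed values.

```shell
#!/bin/sh
# Added example, not FastNetMon's stock script. Assumed call convention:
# $1=IP $2=direction $3=pps $4=action (ban|unban). Names below are hypothetical.
NEVER_BLACKHOLE="192.0.2.10 192.0.2.53"   # constructed: hosts that must stay reachable
RTBH_MIN_PPS=100000                        # constructed: below this, no RTBH

# Accept only a dotted-quad IPv4 address, so nothing else reaches routing tools.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then return 1; fi
    done
}

# Print the verdict for one event: rtbh | withdraw | custom | reject.
decide() {
    ip=$1; direction=$2; pps=$3; action=$4
    if ! valid_ipv4 "$ip"; then echo reject; return 0; fi
    case "$action" in
        unban) echo withdraw; return 0 ;;
        ban)   ;;
        *)     echo reject; return 0 ;;
    esac
    # pps must be a plain integer of at most nine digits
    case "$pps" in ''|*[!0-9]*|??????????*) echo reject; return 0 ;; esac
    for keep in $NEVER_BLACKHOLE; do
        if [ "$ip" = "$keep" ]; then echo custom; return 0; fi
    done
    if [ "$direction" = incoming ] && [ "$pps" -ge "$RTBH_MIN_PPS" ]; then echo rtbh; else echo custom; fi
}

# The single place allowed to change the RTBH table; here it only reports.
rtbh_change() { echo "RTBH $1 $2/32 (replace with the site's own BGP command)"; }

handle_event() {
    verdict=$(decide "$@")
    case "$verdict" in
        rtbh)     rtbh_change announce "$1" ;;
        withdraw) rtbh_change withdraw "$1" ;;
        custom)   echo "custom action for $1, RTBH table untouched" ;;
        *)        echo "rejected event: $*" >&2; return 1 ;;
    esac
}

# Run only when called with the four arguments; sourcing the file does nothing.
if [ "$#" -eq 4 ]; then handle_event "$@"; fi
```

Keeping every routing change inside one function makes it easy to see, when an unexpected RTBH entry appears, whether the script itself wrote it.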