| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-07-21 10:35:34 +0000 | 
|---|---|---|
| committer | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-07-21 13:16:03 +0000 | 
| commit | bd4bb4f869d6df02bfda1ce5668b8cf15a95b4af (patch) | |
| tree | e77fff1b934bfbf48435f2657b72e98ad9238168 /src | |
| parent | 26af45a61bbe8b219b57127a869e723b11886522 (diff) | |
T5368: service ids ddos-protection add support sflow mode
sFlow mode requires fewer resources than mode "mirror"
Integrate it into configuration mode
set service ids ddos-protection mode 'sflow'
set service ids ddos-protection sflow listen-address '127.0.0.1'
set service ids ddos-protection sflow port '6343'
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/service_ids_fastnetmon.py | 14 | 
1 files changed, 11 insertions, 3 deletions
| diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py
index 2e678cf0b..f6b80552b 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_fastnetmon.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -30,6 +30,7 @@ airbag.enable()
 config_file = r'/run/fastnetmon/fastnetmon.conf'
 networks_list = r'/run/fastnetmon/networks_list'
 excluded_networks_list = r'/run/fastnetmon/excluded_networks_list'
+attack_dir = '/var/log/fastnetmon_attacks'
 def get_config(config=None):
     if config:
@@ -55,8 +56,11 @@ def verify(fastnetmon):
     if 'mode' not in fastnetmon:
         raise ConfigError('Specify operating mode!')
-    if 'listen_interface' not in fastnetmon:
-        raise ConfigError('Specify interface(s) for traffic capture')
+    if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon:
+        raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring")
+
+    if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}):
+        raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'")
     if 'alert_script' in fastnetmon:
         if os.path.isfile(fastnetmon['alert_script']):
@@ -74,6 +78,10 @@ def generate(fastnetmon):
         return None
+    # Create dir for log attack details
+    if not os.path.exists(attack_dir):
+        os.mkdir(attack_dir)
+
     render(config_file, 'ids/fastnetmon.j2', fastnetmon)
     render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon)
     render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon) |
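Review bot: In verify(), the new sflow branch only requires that the `listen_address` key exists under `sflow`; nothing visible in this hunk constrains which address the collector binds to. sFlow datagrams are plain UDP with no sender authentication, so any host that can reach the listener can submit samples, and those samples presumably feed the detection that triggers the `alert_script` checked just below. I would document that next to the check, e.g. `# sFlow is unauthenticated UDP: listen on loopback or a management address and restrict the port to known exporters`, and reject an address that is not configured on the system if that is not already validated elsewhere. verify() starts before and continues after this hunk.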
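Review bot: The directory creation added to generate() is a check-then-create pair with default permissions: `os.mkdir(attack_dir)` applies mode 0o777 minus the process umask, and `os.path.exists(attack_dir)` also passes when the path is a regular file, so a wrong path type is only noticed later when the daemon tries to write. Attack detail logs can hold addresses and traffic samples, so I would create the directory in one call with an explicit mode, `os.makedirs(attack_dir, mode=0o750, exist_ok=True)`, which also fails loudly if the path exists but is not a directory. Which account FastNetMon writes as is not visible here, so the mode and ownership should be checked against the service unit. `attack_dir` is the constant added in the `@@ -30,6 +30,7 @@` hunk, and generate() starts outside this hunk.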
