
sflow-abuse

Overview

sflow-abuse is a Go-based network abuse monitoring tool that listens to sFlow data and detects abuse based on specified criteria. It is designed to run in conjunction with sflowtool.

Prerequisites

Before using sflow-abuse, ensure the following requirements are met:

  • Install and configure sflowtool from the sflow/sflowtool repository (version 6.02 is tested and recommended).

Installation and Usage

1. Setting Up sflowtool

Ensure that sflowtool is installed and configured correctly. Refer to the sflow/sflowtool repository for instructions on how to set up and run sflowtool.

2. Daemonize sflowtool

To run sflowtool in the background as a daemon, you can use systemd. Create a systemd service file (e.g., /etc/systemd/system/sflowtool.service) with the following content:

[Unit]
Description=sFlow Collection Daemon
After=network.target

[Service]
Type=simple
ExecStart=/bin/sh -c "/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe"
Restart=always

[Install]
WantedBy=multi-user.target

Replace /path/to/sflowtool with the actual path to your sflowtool binary, and point the redirect at the pipe location given in the sflow-abuse configuration. Then, enable and start the sflowtool service:

sudo systemctl enable sflowtool.service
sudo systemctl start sflowtool.service

3. Install sflow-abuse

To build and run sflow-abuse, follow these steps:

  1. Compile the sflow-abuse binary:
     go build
  2. Create a systemd service file (e.g., /etc/systemd/system/sflow-abuse.service) with the following content:
[Unit]
Description=sFlow Abuse Service
After=network.target sflowtool.service

[Service]
Type=simple
ExecStart=/path/to/sflow-abuse
WorkingDirectory=/path/to/sflow-abuse
Restart=always

[Install]
WantedBy=multi-user.target

Replace /path/to/sflow-abuse with the actual path to your sflow-abuse binary. Then, enable and start the sflow-abuse service:

sudo systemctl enable sflow-abuse.service
sudo systemctl start sflow-abuse.service

Configuration

sflow-abuse reads three configuration files:

  • config.ini - main configuration file
  • subnets.txt - list of subnets to monitor
  • ignored.txt - list of IP addresses to ignore

Note: to reload the configuration, use sudo systemctl restart sflow-abuse.service.
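The sections above describe the data path (sflowtool -l writing line records into a pipe that sflow-abuse reads) and the three configuration files, but not what a consumer of that pipe looks like. The following is an added example, not sflow-abuse's own code: a small Go reader for sflowtool's "FLOW,..." line format that applies a subnet list and an ignore list in the spirit of subnets.txt and ignored.txt, and flags sources by estimated volume (IP bytes multiplied by the sampling rate) or by the number of distinct destinations they contact. The field positions follow sflowtool's documented -l layout; the thresholds, the sample records and the file-handling are assumptions made for the example.

```go
package main

// Added example, not part of sflow-abuse. Field positions follow the
// sflowtool -l "FLOW" layout; thresholds and sample data are assumptions.

import (
	"bufio"
	"fmt"
	"io"
	"net/netip"
	"os"
	"sort"
	"strconv"
	"strings"
)

// FlowSample is the subset of one sflowtool -l FLOW record this example uses.
type FlowSample struct {
	SrcIP, DstIP netip.Addr
	DstPort      int
	Bytes        int64 // IP bytes scaled up by the sampling rate
}

// parseFlowLine decodes one "FLOW,..." record. Other record types (CNTR)
// and malformed lines are skipped instead of aborting the stream.
// Layout: FLOW,agent,inPort,outPort,srcMAC,dstMAC,ethType,inVlan,outVlan,
//         srcIP,dstIP,proto,tos,ttl,srcPort,dstPort,tcpFlags,pktSize,ipSize,rate
func parseFlowLine(line string) (FlowSample, bool) {
	f := strings.Split(strings.TrimSpace(line), ",")
	if len(f) < 20 || f[0] != "FLOW" {
		return FlowSample{}, false
	}
	src, errS := netip.ParseAddr(f[9])
	dst, errD := netip.ParseAddr(f[10])
	dport, errP := strconv.Atoi(f[15])
	ipSize, errI := strconv.ParseInt(f[18], 10, 64)
	rate, errR := strconv.ParseInt(f[19], 10, 64)
	if errS != nil || errD != nil || errP != nil || errI != nil || errR != nil || rate <= 0 {
		return FlowSample{}, false
	}
	return FlowSample{SrcIP: src, DstIP: dst, DstPort: dport, Bytes: ipSize * rate}, true
}

// Monitor applies the subnet/ignore filters and keeps per-source counters.
type Monitor struct {
	subnets   []netip.Prefix
	ignored   map[netip.Addr]bool
	bytes     map[netip.Addr]int64
	dests     map[netip.Addr]map[netip.Addr]bool // distinct destinations per source
	ByteLimit int64                              // estimated bytes before a source is reported
	FanLimit  int                                // distinct destinations before a source is reported
}

// NewMonitor takes the contents of subnets.txt and ignored.txt as string slices.
func NewMonitor(subnets, ignored []string, byteLimit int64, fanLimit int) (*Monitor, error) {
	m := &Monitor{ignored: map[netip.Addr]bool{}, bytes: map[netip.Addr]int64{},
		dests: map[netip.Addr]map[netip.Addr]bool{}, ByteLimit: byteLimit, FanLimit: fanLimit}
	for _, s := range subnets {
		p, err := netip.ParsePrefix(strings.TrimSpace(s))
		if err != nil {
			return nil, fmt.Errorf("subnets: %w", err)
		}
		m.subnets = append(m.subnets, p)
	}
	for _, s := range ignored {
		a, err := netip.ParseAddr(strings.TrimSpace(s))
		if err != nil {
			return nil, fmt.Errorf("ignored: %w", err)
		}
		m.ignored[a] = true
	}
	return m, nil
}

// inScope is true for addresses inside a monitored subnet that are not ignored.
func (m *Monitor) inScope(a netip.Addr) bool {
	if m.ignored[a] {
		return false
	}
	for _, p := range m.subnets {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Observe accounts one sample against its source address.
func (m *Monitor) Observe(s FlowSample) {
	if !m.inScope(s.SrcIP) {
		return
	}
	m.bytes[s.SrcIP] += s.Bytes
	if m.dests[s.SrcIP] == nil {
		m.dests[s.SrcIP] = map[netip.Addr]bool{}
	}
	m.dests[s.SrcIP][s.DstIP] = true
}

// Feed consumes sflowtool -l output (e.g. the named pipe) until EOF.
func (m *Monitor) Feed(r io.Reader) error {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if s, ok := parseFlowLine(sc.Text()); ok {
			m.Observe(s)
		}
	}
	return sc.Err()
}

// FeedText is a convenience wrapper for in-memory input.
func (m *Monitor) FeedText(text string) error { return m.Feed(strings.NewReader(text)) }

// BytesFor / FanOutFor report the counters for a source given as text.
func (m *Monitor) BytesFor(ip string) int64 { return m.bytes[netip.MustParseAddr(ip)] }
func (m *Monitor) FanOutFor(ip string) int  { return len(m.dests[netip.MustParseAddr(ip)]) }

// Offenders lists sources over either limit, sorted for stable output.
func (m *Monitor) Offenders() []string {
	var out []string
	for a := range m.bytes {
		if m.bytes[a] >= m.ByteLimit || len(m.dests[a]) >= m.FanLimit {
			out = append(out, a.String())
		}
	}
	sort.Strings(out)
	return out
}

// sampleLines is constructed input in sflowtool -l format, not a real capture.
const sampleLines = `FLOW,192.0.2.1,5,7,001122334455,66778899aabb,0x0800,0,0,198.51.100.10,203.0.113.5,6,0x00,64,43123,80,0x10,1514,1500,1000
FLOW,192.0.2.1,5,7,001122334455,66778899aabb,0x0800,0,0,198.51.100.10,203.0.113.6,17,0x00,64,53,53,0x00,100,86,1000
FLOW,192.0.2.1,5,7,001122334455,66778899aabb,0x0800,0,0,198.51.100.20,203.0.113.5,6,0x00,64,2222,22,0x02,60,40,1000
FLOW,192.0.2.1,5,7,001122334455,66778899aabb,0x0800,0,0,10.0.0.9,203.0.113.5,6,0x00,64,1111,80,0x10,1514,1500,1000
CNTR,192.0.2.1,5,6,1000000000,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0`

func main() {
	// Assumed lists: monitor 198.51.100.0/24, ignore one host in it.
	m, err := NewMonitor([]string{"198.51.100.0/24"}, []string{"198.51.100.20"}, 1000000, 50)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	var in io.Reader = strings.NewReader(sampleLines)
	if len(os.Args) > 1 { // usage: ./example /path/to/sflow-abuse/pipe
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		in = f
	}
	if err := m.Feed(in); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, a := range m.Offenders() {
		fmt.Printf("%s est_bytes=%d distinct_dsts=%d\n", a, m.BytesFor(a), m.FanOutFor(a))
	}
}
```

Run without arguments it processes the constructed records and reports 198.51.100.10 (1,586,000 estimated bytes over two destinations); the ignored host and the out-of-scope 10.0.0.9 are never counted, and the CNTR record is skipped. Given a path argument it reads that file instead, which is how it would sit behind the systemd unit above: the redirect target must already exist as a FIFO (created with mkfifo) before sflowtool starts, because a shell redirect to a path that does not exist creates an ordinary file, not a pipe. Note that sflowtool itself binds only an unprivileged UDP port, so the sflowtool unit does not need to run as root; a dedicated User= line keeps the collector least-privileged.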

Description
Detect malicious activity on a given network using sFlow