From 8781b47ec076da05cb6123e44414db2e12cd266a Mon Sep 17 00:00:00 2001 From: Nik Rozman Date: Fri, 27 Oct 2023 18:48:52 +0200 Subject: [PATCH] Add README.md --- README.md | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..032f95b --- /dev/null +++ b/README.md 
@@ -0,0 +1,86 @@ +# sflow-abuse + +## Overview + +sflow-abuse is a Go-based network abuse monitoring tool that listens to sFlow data and detects abuse based on specified criteria. It is designed to run in conjunction with `sflowtool`. + +## Prerequisites + +Before using sflow-abuse, ensure the following requirements are met: + +- Install and configure `sflowtool` from the [sflow/sflowtool](https://github.com/sflow/sflowtool) repository (version 6.02 is tested and recommended). + +## Installation and Usage + +### 1. Setting Up sflowtool + +Ensure that `sflowtool` is installed and configured correctly. Refer to the [sflow/sflowtool repository](https://github.com/sflow/sflowtool) for instructions on how to set up and run `sflowtool`. + +### 2. Daemonize sflowtool + +To run `sflowtool` in the background as a daemon, you can use systemd. Create a systemd service file (e.g., `/etc/systemd/system/sflowtool.service`) with the following content: + +```ini +[Unit] +Description=sFlow Collection Daemon +After=network.target + +[Service] +Type=simple +ExecStart=/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe +Restart=always + +[Install] +WantedBy=multi-user.target +``` + + +Replace `/path/to/sflowtool` with the actual path to your `sflowtool` binary, and refer to the configuration for the pipe location. Then, enable and start the `sflowtool` service: + +```bash +sudo systemctl enable sflowtool.service +sudo systemctl start sflowtool.service +``` + +### 3. Install sflow-abuse + +To build and run sflow-abuse, follow these steps: + +1. Compile the sflow-abuse binary: + +```bash +go build +``` + +3. 
Create a systemd service file (e.g., `/etc/systemd/system/sflow-abuse.service`) with the following content: + +```ini +[Unit] +Description=sFlow Abuse Service +After=network.target sflowtool.service + +[Service] +Type=simple +ExecStart=/path/to/sflow-abuse +WorkingDirectory=/path/to/sflow-abuse +Restart=always + +[Install] +WantedBy=multi-user.target +``` + +Replace `/path/to/sflow-abuse` with the actual path to your sflow-abuse binary. Then, enable and start the sflow-abuse service: + +```bash +sudo systemctl enable sflow-abuse.service +sudo systemctl start sflow-abuse.service +``` + +## Configuration + +sflow-abuse has a couple of different configuration files: +- config.ini - main configuration file +- subnets.txt - list of subnets to monitor +- ignored.txt - list of IP addresses to ignore + +Note: to reload the configuration, use `sudo systemctl restart sflow-abuse.service`. \ No newline at end of file
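Review bot: the `ExecStart=/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe` line in the sflowtool unit does not redirect anything: systemd does not run ExecStart through a shell, so `>` and the pipe path are passed to sflowtool as two literal arguments and its output stays on the journal instead of reaching sflow-abuse. Wrap the command, e.g. `ExecStart=/bin/sh -c '/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe'`, or drop the redirection and use a `StandardOutput=` directive (see systemd.exec(5)) pointing at the pipe. The README also never says that the pipe must exist as a FIFO (`mkfifo`) before either service starts, or whether sflow-abuse creates it, and "refer to the configuration for the pipe location" points at a config.ini whose keys are not documented in the Configuration section; listing the pipe key and the detection criteria keys there would close that gap. Neither unit sets `User=`, so both daemons run as root by default; binding UDP 6343 needs no privileges, so a dedicated unprivileged user for both units would be a safer documented default. Minor: the installation steps jump from `1. Compile the sflow-abuse binary` to `3. Create a systemd service file` (step 2 is missing), and the file lacks a trailing newline.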