Add README.md
86
README.md
Normal file
@@ -0,0 +1,86 @@
# sflow-abuse

## Overview

sflow-abuse is a Go-based network abuse monitoring tool that listens to sFlow data and detects abuse based on specified criteria. It is designed to run in conjunction with `sflowtool`.

## Prerequisites

Before using sflow-abuse, ensure the following requirements are met:

- Install and configure `sflowtool` from the [sflow/sflowtool](https://github.com/sflow/sflowtool) repository (version 6.02 is tested and recommended).

## Installation and Usage

### 1. Setting Up sflowtool

Ensure that `sflowtool` is installed and configured correctly. Refer to the [sflow/sflowtool repository](https://github.com/sflow/sflowtool) for instructions on how to set up and run `sflowtool`.

### 2. Daemonize sflowtool

To run `sflowtool` in the background as a daemon, you can use systemd. Create a systemd service file (e.g., `/etc/systemd/system/sflowtool.service`) with the following content:

```ini
[Unit]
Description=sFlow Collection Daemon
After=network.target

[Service]
Type=simple
ExecStart=/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe
Restart=always

[Install]
WantedBy=multi-user.target
```


Replace `/path/to/sflowtool` with the actual path to your `sflowtool` binary, and refer to the configuration for the pipe location. Then, enable and start the `sflowtool` service:

```bash
sudo systemctl enable sflowtool.service
sudo systemctl start sflowtool.service
```

### 3. Install sflow-abuse

To build and run sflow-abuse, follow these steps:

1. Compile the sflow-abuse binary:

```bash
go build
```

3. Create a systemd service file (e.g., `/etc/systemd/system/sflow-abuse.service`) with the following content:

```ini
[Unit]
Description=sFlow Abuse Service
After=network.target sflowtool.service

[Service]
Type=simple
ExecStart=/path/to/sflow-abuse
WorkingDirectory=/path/to/sflow-abuse
Restart=always

[Install]
WantedBy=multi-user.target
```

Replace `/path/to/sflow-abuse` with the actual path to your sflow-abuse binary. Then, enable and start the sflow-abuse service:

```bash
sudo systemctl enable sflow-abuse.service
sudo systemctl start sflow-abuse.service
```

## Configuration

sflow-abuse has a couple of different configuration files:
- config.ini - main configuration file
- subnets.txt - list of subnets to monitor
- ignored.txt - list of IP addresses to ignore

Note: to reload the configuration, use `sudo systemctl restart sflow-abuse.service`.
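Review bot: the sflowtool unit's `ExecStart=/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe` will not redirect anything, because systemd executes ExecStart directly without a shell, so `>` and the pipe path are passed to sflowtool as literal arguments and the sFlow output never reaches sflow-abuse. Either wrap the command, `ExecStart=/bin/sh -c '/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe'`, or drop the redirection and use systemd's own `StandardOutput=file:/path/to/sflow-abuse/pipe`. Two smaller points in the same hunk: the steps under "3. Install sflow-abuse" are numbered 1 and then 3 (step 2 is missing), and the text says to "refer to the configuration for the pipe location" while the Configuration section never names the `config.ini` key that holds it; document that key next to the file list. Finally, both units run as root as written, and sflowtool binds UDP 6343, which accepts unauthenticated datagrams from any source that can reach the host; consider `User=`/`DynamicUser=yes` in both `[Service]` sections and a host firewall rule that limits 6343/udp to the addresses of the exporting devices, so that forged samples cannot trigger or suppress the abuse detection.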