Add README.md
This commit is contained in:
Nik Rozman
86
README.md
Normal file
86
README.md
Normal file
@@ -0,0 +1,86 @@
|
||||
# sflow-abuse
|
||||
|
||||
## Overview
|
||||
|
||||
sflow-abuse is a Go-based network abuse monitoring tool that listens to sFlow data and detects abuse based on specified criteria. It is designed to run in conjunction with `sflowtool`.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Before using sflow-abuse, ensure the following requirements are met:
|
||||
|
||||
- Install and configure `sflowtool` from the [sflow/sflowtool](https://github.com/sflow/sflowtool) repository (version 6.02 is tested and recommended).
|
||||
|
||||
## Installation and Usage
|
||||
|
||||
### 1. Setting Up sflowtool
|
||||
|
||||
Ensure that `sflowtool` is installed and configured correctly. Refer to the [sflow/sflowtool repository](https://github.com/sflow/sflowtool) for instructions on how to set up and run `sflowtool`.
|
||||
|
||||
### 2. Daemonize sflowtool
|
||||
|
||||
To run `sflowtool` in the background as a daemon, you can use systemd. Create a systemd service file (e.g., `/etc/systemd/system/sflowtool.service`) with the following content:
|
||||
|
||||
```ini
|
||||
[Unit]
|
||||
Description=sFlow Collection Daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
|
||||
Replace `/path/to/sflowtool` with the actual path to your `sflowtool` binary, and refer to the configuration for the pipe location. Then, enable and start the `sflowtool` service:
|
||||
|
||||
```bash
|
||||
sudo systemctl enable sflowtool.service
|
||||
sudo systemctl start sflowtool.service
|
||||
```
|
||||
|
||||
### 3. Install sflow-abuse
|
||||
|
||||
To build and run sflow-abuse, follow these steps:
|
||||
|
||||
1. Compile the sflow-abuse binary:
|
||||
|
||||
```bash
|
||||
go build
|
||||
```
|
||||
|
||||
3. Create a systemd service file (e.g., `/etc/systemd/system/sflow-abuse.service`) with the following content:
|
||||
|
||||
```ini
|
||||
[Unit]
|
||||
Description=sFlow Abuse Service
|
||||
After=network.target sflowtool.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/path/to/sflow-abuse
|
||||
WorkingDirectory=/path/to/sflow-abuse
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
Replace `/path/to/sflow-abuse` with the actual path to your sflow-abuse binary. Then, enable and start the sflow-abuse service:
|
||||
|
||||
```bash
|
||||
sudo systemctl enable sflow-abuse.service
|
||||
sudo systemctl start sflow-abuse.service
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
sflow-abuse has a couple of different configuration files:
|
||||
- config.ini - main configuration file
|
||||
- subnets.txt - list of subnets to monitor
|
||||
- ignored.txt - list of IP addresses to ignore
|
||||
|
||||
Note: to reload the configuration, use `sudo systemctl restart sflow-abuse.service`.
|
||||
Reference in New Issue
Block a user