# sflow-abuse

## Overview

sflow-abuse is a Go-based network abuse monitoring tool that listens to sFlow data and detects abuse based on specified criteria. It is designed to run in conjunction with `sflowtool`.

## Prerequisites

Before using sflow-abuse, ensure the following requirements are met:

- Install and configure `sflowtool` from the [sflow/sflowtool](https://github.com/sflow/sflowtool) repository (version 6.02 is tested and recommended).

## Installation and Usage

### 1. Setting Up sflowtool

Ensure that `sflowtool` is installed and configured correctly. Refer to the [sflow/sflowtool repository](https://github.com/sflow/sflowtool) for instructions on how to set up and run `sflowtool`.

### 2. Daemonize sflowtool

To run `sflowtool` in the background as a daemon, you can use systemd. Create a systemd service file (e.g., `/etc/systemd/system/sflowtool.service`) with the following content:

```ini
[Unit]
Description=sFlow Collection Daemon
After=network.target

[Service]
Type=simple
ExecStart=/bin/sh -c "/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe"
Restart=always

[Install]
WantedBy=multi-user.target
```

Replace `/path/to/sflowtool` with the actual path to your `sflowtool` binary, and refer to the configuration for the pipe location.

Then, enable and start the `sflowtool` service:

```bash
sudo systemctl enable sflowtool.service
sudo systemctl start sflowtool.service
```

### 3. Install sflow-abuse

To build and run sflow-abuse, follow these steps:

1. Compile the sflow-abuse binary:

   ```bash
   go build
   ```

2. Create a systemd service file (e.g., `/etc/systemd/system/sflow-abuse.service`) with the following content:

   ```ini
   [Unit]
   Description=sFlow Abuse Service
   After=network.target sflowtool.service

   [Service]
   Type=simple
   ExecStart=/path/to/sflow-abuse
   WorkingDirectory=/path/to/sflow-abuse
   Restart=always

   [Install]
   WantedBy=multi-user.target
   ```

   Replace `/path/to/sflow-abuse` with the actual path to your sflow-abuse binary.

3. Enable and start the sflow-abuse service:

   ```bash
   sudo systemctl enable sflow-abuse.service
   sudo systemctl start sflow-abuse.service
   ```

## Configuration

sflow-abuse has a couple of different configuration files:

- `config.ini` - main configuration file
- `subnets.txt` - list of subnets to monitor
- `ignored.txt` - list of IP addresses to ignore

Note: to reload the configuration, use `sudo systemctl restart sflow-abuse.service`.
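The README describes the pipeline only in outline: `sflowtool -l` writes one-line-per-sample records into a pipe, and sflow-abuse applies its criteria to flows that touch the subnets in `subnets.txt`, skipping sources in `ignored.txt`. The following is an added, self-contained Go example of that shape written for this page; it is not sflow-abuse's own code and does not reflect the criteria the real tool implements. The FLOW column layout (source IP at index 9, destination at 10, sampling rate at 19) is an assumption about sflowtool's `-l` output, the threshold and the per-source packet-count rule are illustrative, and the sample feed is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Flow holds the fields of one sflowtool "-l" FLOW record that this example uses.
// Column positions are an assumption about sflowtool's line format.
type Flow struct {
	SrcIP      string
	DstIP      string
	SampleRate int // each record stands for roughly this many real packets
}

// parseFlowLine parses one comma-separated line. It returns ok=false for
// non-FLOW records (e.g. CNTR counter lines), blank lines and malformed fields,
// so a garbled line in the pipe cannot poison the counters.
func parseFlowLine(line string) (Flow, bool) {
	f := strings.Split(strings.TrimSpace(line), ",")
	if len(f) < 20 || f[0] != "FLOW" {
		return Flow{}, false
	}
	rate, err := strconv.Atoi(f[19])
	if err != nil || rate <= 0 || net.ParseIP(f[9]) == nil || net.ParseIP(f[10]) == nil {
		return Flow{}, false
	}
	return Flow{SrcIP: f[9], DstIP: f[10], SampleRate: rate}, true
}

// Monitor mirrors the three inputs described in the README: monitored subnets
// (subnets.txt), ignored addresses (ignored.txt) and a threshold that would be
// read from config.ini. The threshold semantics here are hypothetical.
type Monitor struct {
	subnets   []*net.IPNet
	ignored   map[string]bool
	threshold int            // estimated packets per source above which we flag
	counts    map[string]int // estimated packets seen per source IP
}

// NewMonitor parses the subnet and ignore lists. A bad CIDR is a hard error so
// that a typo in subnets.txt cannot silently shrink the monitored range.
func NewMonitor(subnets, ignored []string, threshold int) (*Monitor, error) {
	m := &Monitor{ignored: map[string]bool{}, threshold: threshold, counts: map[string]int{}}
	for _, s := range subnets {
		_, n, err := net.ParseCIDR(strings.TrimSpace(s))
		if err != nil {
			return nil, fmt.Errorf("subnets: %q: %w", s, err)
		}
		m.subnets = append(m.subnets, n)
	}
	for _, ip := range ignored {
		m.ignored[strings.TrimSpace(ip)] = true
	}
	return m, nil
}

func (m *Monitor) inScope(ipStr string) bool {
	ip := net.ParseIP(ipStr)
	for _, n := range m.subnets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Observe accounts one sampled flow: only flows touching a monitored subnet
// count, ignored sources are skipped, and each sample is scaled by its
// sampling rate to estimate the real packet count.
func (m *Monitor) Observe(f Flow) {
	if m.ignored[f.SrcIP] || (!m.inScope(f.SrcIP) && !m.inScope(f.DstIP)) {
		return
	}
	m.counts[f.SrcIP] += f.SampleRate
}

// Offenders returns, sorted, the sources whose estimated packet count exceeds the threshold.
func (m *Monitor) Offenders() []string {
	var out []string
	for ip, c := range m.counts {
		if c > m.threshold {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

// Run feeds every line from r (in production, the pipe written by sflowtool) through the monitor.
func Run(r io.Reader, m *Monitor) error {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if f, ok := parseFlowLine(sc.Text()); ok {
			m.Observe(f)
		}
	}
	return sc.Err()
}

// SampleFeed is a constructed stand-in for sflowtool -l output (documentation addresses only).
const SampleFeed = `FLOW,192.0.2.1,3,4,001122334455,66778899aabb,0x0800,0,0,198.51.100.10,203.0.113.5,6,0x00,64,40001,443,0x02,64,46,1000
FLOW,192.0.2.1,3,4,001122334455,66778899aabb,0x0800,0,0,198.51.100.10,203.0.113.6,6,0x00,64,40002,443,0x02,64,46,1000
FLOW,192.0.2.1,3,4,001122334455,66778899aabb,0x0800,0,0,198.51.100.10,203.0.113.7,6,0x00,64,40003,443,0x02,64,46,1000
FLOW,192.0.2.1,3,4,001122334455,66778899aabb,0x0800,0,0,198.51.100.20,203.0.113.5,17,0x00,64,53000,53,0x00,80,62,1000
FLOW,192.0.2.1,3,4,001122334455,66778899aabb,0x0800,0,0,192.0.2.50,203.0.113.5,6,0x00,64,50001,22,0x02,64,46,1000
FLOW,192.0.2.1,3,4,001122334455,66778899aabb,0x0800,0,0,192.0.2.50,203.0.113.5,6,0x00,64,50002,22,0x02,64,46,1000
FLOW,192.0.2.1,3,4,001122334455,66778899aabb,0x0800,0,0,192.0.2.50,203.0.113.5,6,0x00,64,50003,22,0x02,64,46,1000
FLOW,192.0.2.1,3,4,001122334455,66778899aabb,0x0800,0,0,198.18.0.1,198.18.0.2,6,0x00,64,1234,80,0x10,1500,1480,1000
CNTR,192.0.2.1,3,6,1000000000,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0
`

func main() {
	// 203.0.113.0/24 plays the role of subnets.txt, 192.0.2.50 of ignored.txt.
	m, err := NewMonitor([]string{"203.0.113.0/24"}, []string{"192.0.2.50"}, 2500)
	if err != nil {
		panic(err)
	}
	if err := Run(strings.NewReader(SampleFeed), m); err != nil {
		panic(err)
	}
	fmt.Println("flagged sources:", m.Offenders())
}
```

Two details matter when adapting this to a real feed: the sampling rate must be applied per record (sFlow agents can change it, and an unscaled count under-reports by the rate), and anything in `ignored.txt` is exempt from counting entirely, so the list should be kept short and reviewed, since an overly broad entry removes visibility rather than noise.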