# sflow-abuse

## Overview

sflow-abuse is a Go-based network abuse monitoring tool. It reads the line-mode output that `sflowtool` writes into a named pipe and flags traffic that matches the abuse criteria you configure. It is designed to run alongside `sflowtool`, which handles the sFlow collection itself.

## Prerequisites

Before using sflow-abuse, ensure the following requirements are met:

- Install and configure `sflowtool` from the [sflow/sflowtool](https://github.com/sflow/sflowtool) repository (version 6.02 is tested and recommended).

## Installation and Usage

### 1. Setting Up sflowtool

Ensure that `sflowtool` is installed and configured correctly. Refer to the [sflow/sflowtool repository](https://github.com/sflow/sflowtool) for instructions on how to set up and run `sflowtool`.

### 2. Daemonize sflowtool

To run `sflowtool` in the background as a daemon, you can use systemd. Create a systemd service file (e.g., `/etc/systemd/system/sflowtool.service`) with the following content:

```ini
[Unit]
Description=sFlow Collection Daemon
After=network.target

[Service]
Type=simple
ExecStart=/bin/sh -c "/path/to/sflowtool -p 6343 -l > /path/to/sflow-abuse/pipe"
Restart=always

[Install]
WantedBy=multi-user.target
```

Replace `/path/to/sflowtool` with the actual path to your `sflowtool` binary, and use the pipe location set in the sflow-abuse configuration (see Configuration below). `-p 6343` is the UDP port `sflowtool` listens on for sFlow datagrams and `-l` selects its one-record-per-line output, which is what sflow-abuse reads from the pipe. Then, enable and start the `sflowtool` service:

```bash
sudo systemctl enable sflowtool.service
sudo systemctl start sflowtool.service
```

### 3. Install sflow-abuse

To build and run sflow-abuse, follow these steps:

1. Compile the sflow-abuse binary:

   ```bash
   go build
   ```

2. Create a systemd service file (e.g., `/etc/systemd/system/sflow-abuse.service`) with the following content:

   ```ini
   [Unit]
   Description=sFlow Abuse Service
   After=network.target sflowtool.service

   [Service]
   Type=simple
   ExecStart=/path/to/sflow-abuse
   WorkingDirectory=/path/to/sflow-abuse
   Restart=always

   [Install]
   WantedBy=multi-user.target
   ```

   Replace `/path/to/sflow-abuse` with the actual path to your sflow-abuse binary. Then, enable and start the sflow-abuse service:

   ```bash
   sudo systemctl enable sflow-abuse.service
   sudo systemctl start sflow-abuse.service
   ```

## Configuration

sflow-abuse has a couple of different configuration files:

- `config.ini` - main configuration file
- `subnets.txt` - list of subnets to monitor
- `ignored.txt` - list of IP addresses to ignore

Note: to reload the configuration, use `sudo systemctl restart sflow-abuse.service`.
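To show how `subnets.txt` and `ignored.txt` shape what a detector sees, here is an added Go example (not code from sflow-abuse) of one detection pass over `sflowtool -l` records of the kind that arrive through the pipe. The abuse criterion (estimated bytes per source address above a threshold), sflowtool's FLOW field positions (source IP at index 9, IP size at 18, sampling rate at 19) and the function name `Offenders` are assumptions.

```go
package main

import (
	"net"
	"strconv"
	"strings"
)

// Offenders sums estimated bytes (IP size times sampling rate) per source address over `sflowtool -l` lines, for sources inside the subnets.txt networks that are not listed in ignored.txt, and returns those above threshold.
// Assumed, not taken from sflow-abuse: this criterion and sflowtool's FLOW field order (source IP at index 9, IP size at 18, sampling rate at 19). CNTR records and malformed lines are skipped.
func Offenders(lines, cidrs, ignored []string, threshold int) (map[string]int, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(strings.TrimSpace(c))
		if err != nil {
			return nil, err // a bad subnets.txt line should fail loudly, not silently shrink coverage
		}
		nets = append(nets, n)
	}
	skip := map[string]bool{}
	for _, ip := range ignored {
		skip[strings.TrimSpace(ip)] = true
	}
	total := map[string]int{}
	for _, l := range lines {
		f := strings.Split(strings.TrimSpace(l), ",")
		if len(f) < 20 || f[0] != "FLOW" {
			continue
		}
		src := net.ParseIP(f[9])
		size, err1 := strconv.Atoi(f[18])
		rate, err2 := strconv.Atoi(f[19])
		if src == nil || err1 != nil || err2 != nil || rate <= 0 || skip[src.String()] {
			continue
		}
		for _, n := range nets {
			if n.Contains(src) {
				total[src.String()] += size * rate // scale the one sampled packet back up to estimated wire bytes
				break                               // count once even if monitored subnets overlap
			}
		}
	}
	for ip, b := range total {
		if b <= threshold {
			delete(total, ip) // deleting during range is safe in Go
		}
	}
	return total, nil
}
func main() {} // placeholder so the block builds stand-alone; real use would stream pipe lines into Offenders
```

In a running daemon the lines would come from a `bufio.Scanner` over the pipe and the totals would be reset per measurement interval.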