service data-source
type { ip-traffic | netflow | libpcap | netgraph }
Specifies the type of the data source:
- ip-traffic
data are taken by intercepting IP packets from the kernel through a divert socket (FreeBSD) or netfilter (Linux 2.4.x)
- netflow
data about the passed traffic come from a Cisco router that exports flow information in NetFlow packets, or from any other collector that supports NetFlow v.5 (ulog2netflow, ipfw2netflow, flowprobe)
- libpcap
data are taken by intercepting packets with the libpcap library, which copies selected packets passing through the kernel into the program; this is how tcpdump works, for example. See this section.
- netgraph
data are received from an installed kernel module. Only for certain FreeBSD versions. See this section.
source { tee XXX | divert XXX | ipq | ulog NL1 [NL2 ... NL32] | A.B.C.D | ifname [promisc] | nodename [divert] }
Specifies the source of the data:
For FreeBSD
- tee XXX
packets are copied into the program and processed by the system in parallel; XXX is the divert-port number
- divert XXX
packets are diverted into the program, which may or may not return them to the system; XXX is the divert-port number
- nodename [divert]
a connection is established with the NETGRAPH kernel module nodename. The divert parameter indicates that the flow must be authorized before it is passed on. See this section.
For Linux
netfilter must be present in the system. For more detail see man iptables and the site www.netfilter.org
- ipq
packets are diverted into the program, which may or may not return them to the system. The libipq library is used.
The ip_queue module must be loaded (modprobe ip_queue). To activate the transfer of packets from the kernel, it must be configured in the firewall, for example with the command:
iptables -A FORWARD -j QUEUE ...
- ulog NL1 [NL2 ... NL32]
packets are copied into the program and processed by the system in parallel; NLx are the numbers of the netlink multicast groups on which the program listens for packets sent through ULOG.
To activate the transfer of packets from the kernel, it must be configured in the firewall, for example with the command:
iptables -A FORWARD -j ULOG --ulog-nlgroup NLx ...
nlgroup NLx must be within the range 1-32
General
- A.B.C.D
the NetFlow stream comes from the host (router) with source IP address A.B.C.D to local UDP port 20001, or to the port specified in the listen command
- ifname [promisc]
the name of the local network interface on which passing packets are captured.
If the promisc flag is given, the interface is put into promiscuous mode. By default it is not set.
listen { 0 | ip } port_number
Specifies the IP address and UDP port on which NetFlow packets from the source of traffic information (collector) are received.
clock { remote | local }
Indicates which value of the current time to use as the packet creation time when recording information into the database: the local one, or the one carried in the NetFlow message.
layer7-detect { none | urls }
Enables URL detection in the traffic passing through this data-source. Valid values are "none" (disabled) or "urls". In the latter case, the first few packets with destination ports 80, 81, 8080, 8000, 3128 are observed to look for the Host: and GET fields. This data is passed to the monitoring service, if desired (new column "layer7" in the "monitor" table).
rule ID rule_string
Specifies the system rule by which the data get into the program:
- ID the rule number; on Linux it has no meaning, since rules are placed at the end of the chain
- rule_string the rule as a text line, which is passed to the system (Linux or FreeBSD) to install the packet interceptor.
no rule ID
Removes the rule with number ID.
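As an added illustration (not part of this reference or the program's own code), a small Python checker for a service data-source stanza that applies the constraints above: the source form has to match the type, ULOG groups stay within 1-32 with at most 32 of them, and a NetFlow collector bound with listen 0 is reported, on the assumption that 0 means the wildcard address. The sample stanza is constructed for the example.

```python
import re

# Constructed sample stanza in the syntax documented above (not from any real deployment).
SAMPLE_CONFIG = """\
service data-source 0
type ip-traffic
source ulog 1 33
layer7-detect urls
"""

# Which `source` forms belong to each `type`, as the reference above lays them out.
SOURCES_FOR_TYPE = {"ip-traffic": {"tee", "divert", "ipq", "ulog"}, "netflow": {"address"},
                    "libpcap": {"ifname"}, "netgraph": {"nodename"}}

def source_kinds(args):
    """Kinds a `source ...` argument list may denote; an empty set means it is malformed."""
    head, rest = args[0], args[1:]
    if head in ("tee", "divert"):  # divert-port number must follow
        return {head} if len(rest) == 1 and rest[0].isdigit() else set()
    if head == "ipq":
        return {"ipq"} if not rest else set()
    if head == "ulog":  # 1..32 netlink multicast groups, each within 1-32
        ok = 1 <= len(rest) <= 32 and all(g.isdigit() and 1 <= int(g) <= 32 for g in rest)
        return {"ulog"} if ok else set()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", head):  # A.B.C.D: NetFlow sender address
        return {"address"} if not rest else set()
    if not rest:  # bare name: interface or netgraph node; `type` has to decide
        return {"ifname", "nodename"}
    return {"ifname"} if rest == ["promisc"] else {"nodename"} if rest == ["divert"] else set()

def check_data_source(text):
    """Validate one `service data-source` stanza; returns a list of findings (empty = clean)."""
    findings, kw = [], {}
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] not in ("service", "rule", "no"):
            kw[parts[0]] = parts[1:]
    dtype = (kw.get("type") or [None])[0]
    if dtype not in SOURCES_FOR_TYPE:
        return ["type must be one of ip-traffic, netflow, libpcap, netgraph"]
    kinds = source_kinds(kw["source"]) if kw.get("source") else set()
    if not kinds:
        findings.append("source is missing or malformed (divert port, or ULOG groups outside 1-32)")
    elif not kinds & SOURCES_FOR_TYPE[dtype]:
        findings.append(f"source form does not match type {dtype}")
    # Assumption: `listen 0` means the wildcard address, so the UDP port is reachable on every interface.
    if dtype == "netflow" and (kw.get("listen") or ["ip"])[0] == "0":
        findings.append("listen 0 exposes the NetFlow UDP port on all addresses; bind the collector-facing IP")
    if kw.get("layer7-detect") == ["urls"]:
        findings.append("layer7-detect urls stores HTTP Host/GET data in the monitor table; confirm it is wanted")
    return findings
```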