-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmmt-probe-int.conf
344 lines (285 loc) · 16.1 KB
/
mmt-probe-int.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
# This is the configuration file for MMT Probe
# the unique identifier given to the probe
probe-id = 3
#root stack of network protocol
# for Ethernet: 1
# for ieee802154: 800
# for Linux cooked capture: 624
stack-type = 1
stack-offset = 0
# path to the license key file
license = "./license.key"
# enable reporting non-ip traffic, such as, ARP, PPP
enable-proto-without-session-report = false
# enable reporting information about fragmentation if IP packets
enable-ip-fragmentation-report = false
# perform defragemtation of IP packets
enable-ip-defragmentation = false
# perform reassembly of TCP segments. Enabling this option requires to enable the option "enable-ip-defragmentation"
enable-tcp-reassembly = false
# indicates the period of sampling in seconds, e.g., do statistics each 5 seconds
stats-period = 5
# dynamic configuration from outside of probe, such as, start, stop processing, or update some configurations
dynamic-config {
enable = false
# indicate the descriptor of UNIX domain socket to receive control commands,
descriptor = "/tmp/mmt.sock"
}
input {
# in case for PCAP the input mode can be ONLINE or OFFLINE, however for DPDK it's only ONLINE
mode = ONLINE
# input source for PCAP online mode (interface name) and for offline mode (pcap name),
# however for DPDK its interface port number
# in DPDK mode, MMT supports also multi-port inputs,
# - e.g., source="0,1" will tell MMT to capture packets on port 0 and 1
# - MMT will aggregate traffic on these 2 ports, thus 2 packets of one flow can be received on 2 different ports
source = "enp0s10"
# maximal size of a packet
snap-len = 0 # 0 means the default value 65535, apparently what tcpdump uses for -s 0 (only for PCAP)
# option only for DPDK capture
dpdk-option = "--syslog=syslog --log-level=5 -c 0x55555555555"
}
# Each kind of report can output to different channel, such as, file, kafak, ...
# General setting of output will be in this block, such as, output format, ...
output {
# output format: either JSON or CSV
format = CSV
# probe maintains a cache of reports to send them by bulk to output channels (file, mongodb, redis, kafka) to improve its execution performace.
# The cache will be flushed:
# - when the cache is full
# - or periodically designed by the "cace-period" parameter
cache-max = 100000 # number of messages in the cache
# number of seconds representing a period to flush cache to destination (file, mongodb)
# in case of file-output, a new file will be created each 5 seconds if file-output.sample-file=true
cache-period = 5
}
# Indicates outputing report to files
file-output {
enable = true # set to false to disable file output, true to enable
output-file = "data-int.csv" # file name where the reports will be dumped:
output-dir = "./" # Location where files are written:
# indicate output to multiple sample files or a single file
#- if sample-file=true, a new sample file is created each x seconds given by output.cache-period
sample-file = false
# retains the last x sample files, if sample-file=true
# - set to 0 to retain all files
# - note that the value of retain-files must be greater than the value of thread_nb + 1
retain-files = 80
}
# indicates REDIS output:
redis-output {
enable = false # set to false to disable publishing to REDIS , true to enable
# publishing to REDIS:
hostname = "localhost" # hostname of REDIS server
port = 6379 # port number of REDIS server
channel = "report" #name of channel to which the messages will be published
}
# indicates KAFKA output:
kafka-output {
enable = false # set to false to disable publishing to KAFKA, true to enable
# publishing to KAFKA:
hostname = "localhost" # hostname of KAFKA server
port = 9092 # port number of KAFKA server
topic = "report" #name of topic to which the message will be published
}
# indicates mongodb output:
mongodb-output {
enable = false
hostname = "localhost"
port = 27017
database = "mmt-data"
# collection to store reports
collection = "reports"
# limit size (megabytes - MB = 1000*1000 bytes) of collection
# - set 0 to unlimit
# - if the size of collection reaches the limit, the oldest reports will be removed to maintain the limit
limit-size = 0
}
# socket output
socket-output {
enable = false # set to true to enable , false to disable:
type = BOTH # type of socket domain: either UNIX or INTERNET or BOTH
descriptor = "/tmp/mmt-probe-output.sock" # required for UNIX domain.
# It is a location where socket file descriptor is created.
port = 5000 # Required for Internet domain.
hostname = "127.0.0.1" # required for Internet domain.
}
# Indicates where the traffic data will be dumped to pcap files
dump-pcap {
enable = false # set to true/false to enable/disable dumping packet
# output-dir = "/opt/mmt/probe/" # Location where files will be located
output-dir = "/opt/mmt/probe/pcap/" # Location where files will be located
protocols = {"unknown"} # List of protocols appearing in a packet which will be dumped
period = 60 # New pcap file is created every x seconds. 0 means default value 3600 seconds
retain-files = 50 # retains the last x sampled files,
snap-len = 65355 # set snaplength in the output pcap files
}
# indicates the threads configuration options
thread-nb = 0 # this is the number of threads MMT will use for processing packets.
# 0: use only one thread to read then process packets
# 1: use one thread to process packets, another to read packets
thread-queue = 262144 # 8388608 # 4194304 # this is the maximum number of packets being queued for processing that a single thread accepts (only for PCAP).
# 0 means MMT decides how many packets to queue (default =1000)
# If a packet is dispatched for a thread having a full queue, then the packet will be dropped.
# smp-security
security {
enable = false
thread-nb = 1 # the number of security threads per one probe thread , e .g . , if we have 16 probe threads and thread-nb = x ,
# then x*16 security threads will be used .
# If set to zero this means that the security analysis will be done by the threads of the probe .
exclude-rules = "" # Range of rules to be excluded from the verification
rules-mask = "" # Mapping of rules to the security threads:
# Format: rules-mask = (thread-index:rule-range);
# thread-index = a number greater than 0
# rule-range = number greater than 0, or a range of numbers greater than 0.
# Example: If we have thread-nb = 3 and "(1:1,2,4-6)(2:3)" ,
# this means that:
# thread 1 verifies rules 1 ,2 ,4 ,5 ,6;
# thread 2 verifies only rule 3; and
# thread 3 verifies the rest
# Note: if we have thread-nb = 2 and "(1:1)(2:3)", then only rules 1 and 3 are verified (the others are not)
output-channel = {} # Reports are sent to the output channels . The default value is a file .
# More than one output channel is possible . In this case , the value should be a set of comma - separated values ; for example: { redis , kafka , file, mongodb, socket }.
# Reports are sent to output channels only when the global parameters are enable ( file-output.enable = true ,redis-output.enable = true , kafka-output.enable = true, mongodb-output.enable = true)
report-rule-description = true # true to include rule's description into the alert reports,
# otherwise it will be excluded (thus rules's descriptions will be an empty string in the reports)
# Excluding rules's descriptions will reduce the size of reports.
ignore-remain-flow = true # ignore the security verification on the left of an IP flow when an alert is detected.
#The 3 following parameters are specific for libmmt_security2 to override its default configuration
input.max-message-size = 60000 #size of a message, in bytes, to encapsulate data sending from MMT-Probe to MMT-Security
security.max-instances = 100000 # Maximum number of instances of a rule
security.smp.ring-size = 1000 # Maximum number of messages that will be stored in a ring buffer
ip-encapsulation-index = LAST # If traffic is ip-in-ip, this option selects which IP will be analysed.
# - FIRST: first ip in the protocol hierarchy
# - LAST: last ip in the protocol hierarchy
# - i: i-th ip in ther protocol hierarchy.
# For example, given ETH.IP.UDP.GTP.IP.TCP.VPN.IP.SSL,
# - FIRST, or 1, indicates IP after ETH
# - LAST, or any number >= 3, indicates IP after VPN
# - 2 indicates IP after GTP
# NOTE: this option will be ignored in non ip-in-ip traffic
}
# CPU and memory usage monitor of the machin on that MMT-Probe is running
system-report {
enable = false # set to 1 to perform cpu-mem reporting, false to disable it
period = 5
output-channel = {} # see security.output-channel for more detailed information
}
# indicates output for behaviour analysis
behaviour {
enable = false # set to true to enable , false to disable:
output-dir = "/opt/mmt/probe/result/behaviour/online/" # Folder to write the output on
output-file = "data.csv" # file name where the reports will be dumped:
# retains the last x sample files, if sample-file=true
# - set to 0 to retain all files
# - note that the value of retain-files must be greater than the value of thread_nb + 1
retain-files = 160
}
# Indicates that FTP data reconstruction should be done .
# To enable the reconstruction, also need to enable the options "enable-tcp-reassembly" and "enable-ip-defragmentation"
reconstruct-data ftp {
enable = false
output-dir = "/tmp/" # indicates the folder where the output file is created:
output-channel = {} # see security.output-channel for more detailed information
}
# indicate that HTTP response data should be written to files
# To enable the reconstruction, also need to enable the options "enable-tcp-reassembly" and "enable-ip-defragmentation"
reconstruct-data http {
enable = false
output-dir = "/tmp/" # location where the files are reconstructed .
output-channel = {}
}
data-output {
include-user-agent = 32 # Indicates the threshold in terms of data volume for parsing the user agent in Web traffic.
# The value is in kiloBytes ( kB ) . If the value is zero , this indicates that the parsing of the user agent should be done .
# To disable the user agent parsing, set the threshold to a negative value (-1).
}
# Specifies the criteria to consider a flow as micro flow.
# - IF a flow has some characters, such as, number of packets/bytes, being less than some litmits,
# then it will be considered as a micro flow.
# - A micro-flow is identified by protocol ID. This means that a micro-flow represents several flows having
# + the same protocol ID, and,
# + number of bytes or packets are less than the thresholds
# - Set value of a limits/threshold to zero to unlimit it
micro-flows {
enable = false
packet-threshold = 2 # packets count threshold to consider a flow as a micro flow:
byte-threshold = 100 # data volume threshold to consider a flow as a micro flow:
# a micro-flow will be reported to its output-channel:
# - at the end of execution of MMT-Probe
# - or when one of its stats (packets, bytes, flows) is greater than or equal some litmit as specified below.
report-packet-count = 1000 # packets count threshold to report micro flows aggregated statistics:
report-byte-count = 10000 # data volume threshold to report micro flows aggregated statistics:
report-flow-count = 500 # limit nb of flows
output-channel = {} # see security.output-channel for more detailed information
}
# indicates the strategy for RADIUS reporting
radius-report {
enable = false
message-id = 0 # indicates the kind of message one needs to report .
# set to 0 to report all messages .
# set to a number (from 1 to 255) to indicate the code of message to report, e.g., 1: Access-Request, 2: Access-Accept, 45: CoA-NAK, etc.
output-channel = {} # see security.output-channel for more detailed information
}
# Specifies the session timeout time, in seconds, for different type of applications
session-timeout {
default-session-timeout = 60 # Default timeout (in seconds) for sessions.
short-session-timeout = 15
long-session-timeout = 6000 # This is reasonable for Web and SSL connections especially when long polling is used.
# Usually applications have a long polling period of about 3~5 minutes.
live-session-timeout = 1500 #For persistent connections like messaging applications and so on
}
# Indicates session based reporting
session-report {
enable = false
output-channel = {file} # see security.output-channel for more detailed information
# enable/disable specific reports for specific protocol applications
ftp = false
http = false
rtp = false
ssl = false
gtp = true
rtt-base = CAPTOR # Order of timestamp's origin that is used to calculate RTT in QOS reports
# - SENDER: timestamp being marked in packet by its sender, e.g., tcp option TSVal, TSerc
# This timestamp is available only on certain monitoring protocol, e.g., TCP
# - CAPTOR: timestamp being marked in packet at the captured moment by its captor (e.g., tcpdump, wireshark)
# This timestamp is always available.
# The value of this rtt setting can be one of the followings:
# - CAPTOR (by default): use only CAPTOR.
# - SENDER: use only SENDER. Ignore if it is not available
# - PREFER_SENDER: use SENDER if it is available, otherwise CAPTOR
}
# Indicates event based reporting: do a report when an event occurs.
# For example: when MMT-Probe sees a IP packet having IP.SRC, it will report ARP.AR_HLN and IP.SRC.
# If a packet does not containt an attribute, e.g., ARP.AR_HLN, the attribute's value is replaced by an empty value (either 0 or "").
# We may have multiple "event-report" but its name, e.g., "ip-event", must be unique.
# For example, event-report http-url{ ...} event-report sample2{ ...}
event-report ip-event {
enable = false
event = "ip.src" # Indicates the event:
attributes = {"arp.ar_hln", "ip.src", "meta.proto_hierarchy"} # Indicates the list of attributes that are reported when a event is triggered:
}
event-report iot {
enable = false
event = "ieee802154.sequence_number" # Indicates the event:
attributes = {"ieee802154.src_address_extended", "ieee802154.dst_address_extended", "meta.packet_len"} # Indicates the list of attributes that are reported when a event is triggered:
output-channel = {} # see security.output-channel for more detailed information
}
query-report int {
enable = true
ms-period = 1000
select = {"last(ip.src)", "last(ip.dst)", "avg(int.hop_latencies)", "sum(meta.packet_len)", "count(meta.packet_index)",
"sum(int.hop_l4s_mark)", "sum(int.hop_l4s_drop)", "sum(int.hop_queue_occups)", "last(int.hop_queue_ids)",
"sum(tcp.ece)", "sum(tcp.cwr)", "last(ip.ecn)", "last(meta.proto_hierarchy)"}
where = { "int.latency" }
group-by = { "ip.src", "ip.dst", "int.hop_queue_ids", "meta.proto_hierarchy" }
output-channel = {file}
}
query-report tot {
enable = false
ms-period = 1000
select = {"last(ip.src)", "last(ip.dst)", "sum(meta.packet_len)", "count(meta.packet_index)"}
where = { "ip.src" }
group-by = { "ip.src", "ip.dst" }
output-channel = {file}
}