Triggers in QoE [VAS Experts Documentation]

en:dpi:qoe:use_cases:triggers_setup:start [2023/08/30 08:53] – created elena.krasnobryzhen:dpi:qoe:use_cases:triggers_setup:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== Triggers in QoE ====== 
-{{indexmenu_n>5}} 
- 
-Triggers are used to search for data in QoE Stor according to the specified parameters. After the trigger is fired, one of the following actions is possible: 
-   * GUI notification 
-   * HTTP action 
-   * sending email 
- 
-Required SSG options: 
-  * [[en:dpi:dpi_options:opt_statistics:start]] 
-  * [[en:dpi:dpi_options:opt_notify:start]] 
-Required additional modules: 
-  * [[en:dpi:dpi_components:dpiui:start|]] 
-  * [[en:dpi:dpi_components:qoestor:start|]] 
-===== Trigger configuration example: Finding the source of a Flood DDOS attack ===== 
- 
-=== General Information === 
- 
-{{ en:dpi:qoe:use_cases:ddos_general_en.jpg?nolink&600 |}} 
- 
-Trigger name «Source of DDoS», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified. 
- 
-<note>Every day, once an hour, a check will be carried out according to the conditions described below.</note> 
- 
-=== Queries === 
- 
-{{ dpi:qoe:use_cases:ddos_query.png?nolink&600 |}} 
- 
-  * Add a field 
-  * Name: A 
-  * Choose a table to be scanned: Raw full netflow -> Tables -> Attacks detection -> Top hosts IPs -> Maxi 
-  * Set the period from: «now – 15minute»,  until : «now» 
- 
-<note>In this case, the traffic analysis for the selected page will be carried out for the period of the last 15 minutes.</note> 
- 
-=== Conditions === 
- 
-{{ dpi:qoe:use_cases:ddos_conditions.png?nolink&600 |}} 
- 
-  * Add "+" 2 fields 
-  * Bind – AND 
-  * Function – avg 
-  * Serie in the 1 field – session timeout <= 20(ms) 
-  * Serie in the 2 field – number of sessions >= 1500 
- 
-<note>We have set a condition — the trigger will fire when it detects both signs: sessions with lifetime equal or less than 20ms AND more than 1500 sessions from one IP-host.</note> 
- 
-=== Error handling === 
- 
-{{ dpi:qoe:use_cases:ddos_error.png?nolink&600 |}} 
- 
-  * In the field "If no data" — No data 
-  * In the field "If execution error or timeout" — Keep last state 
- 
-<note>In this configuration — if there are no errors, no data will be saved; if any, information will be saved in the form of a table containing suspicious sessions.</note> 
- 
-=== Actions === 
-== E-mail == 
- 
-{{ en:dpi:qoe:use_cases:ddos_action_email_en.jpg?nolink&600 |}} 
- 
-  * For automatic filling - click on the "</>" icon (automatic filling of the form) 
-  * In the field "Send to" — specify email address 
- 
-<note>With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).</note> 
- 
-== Notification == 
- 
-{{ en:dpi:qoe:use_cases:ddos_action_notification_en.jpg?nolink&600 |}} 
- 
-  * For automatic filling - click on the "</>" icon (automatic filling of the form) 
-  * Choose the notification type — "Warning" 
-  * With this setting, a notification will be created in the SSG 
- 
-{{ dpi:qoe:use_cases:ddos_alerts.png?nolink&600 |}} 
- 
-You can get a link to the report in the notification menu 
- 
-{{ dpi:qoe:use_cases:ddos_report.png?nolink&400 |}} 
- 
-Select notification \\ 
-Select - "Details" 
- 
-{{ dpi:qoe:use_cases:ddos_details.png?nolink&400 |}} 
- 
-Follow the link to the report - it will open in a new tab. 
- 
-== HTTP == 
- 
-{{ dpi:qoe:use_cases:ddos_http.png?nolink&600 |}} 
- 
-  * For automatic filling - click on the "</>" icon (automatic filling of the form) 
-  * Choose the method most suitable for your ticket system and enter the URL 
- 
-<note important>It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.</note> 
- 
-===== Trigger configuration example: Finding the target of a Flood DDOS attack ===== 
-It differs from the previous example in setting 2 and 3 stages (Queries and Conditions). 
- 
-=== Queries === 
- 
-{{ dpi:qoe:use_cases:ddos_target_query.png?nolink&600 |}} 
- 
-In the "Report" field choose Raw full netflow -> Tables -> Attacks detection -> Top subscribers -> Maxi 
- 
-=== Conditions === 
- 
-{{ dpi:qoe:use_cases:ddos_target_conditions.png?nolink&600 |}} 
- 
-Serie — "Flow volume to subscribers", >= 10000 
- 
-<note important>It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.</note> 
- 
-===== BotNet Analysis ===== 
-It differs from the previous example in setting 2 and 3 stages (Queries and Conditions). 
- 
-=== Queries === 
- 
-{{ dpi:qoe:use_cases:botnet_query.png?nolink&600 |}} 
- 
-  * Choose Raw full netflow -> Tables -> Attacks detection -> Top application protocols -> Maxi for the "А" value 
-  * Raw full network -> Tables -> Raw log -> Full raw log for the "B" value 
- 
-=== Conditions === 
- 
-{{ dpi:qoe:use_cases:botnet_conditions.png?nolink&600 |}} 
- 
-Most often, BotNet uses ports 6667 and 1080 — add each destination/source port by selecting query "B" with value "OR" and choose Flow Pcts/s equal or more than 2000. 
-<note>With this configuration, if at least on one of the ports (6667/1080) the number of passing packets is more than 2000 per second, the trigger will fire.</note> 
- 
-<note important>It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.</note> 
- 
-===== Subscriber's interest in competitor resources ===== 
-=== General information === 
- 
-{{ en:dpi:qoe:use_cases:competitors_general_en.jpg?nolink&600 |}} 
- 
-Trigger name «Subscriber's interest in competitor resources», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified. 
- 
-<note>Every day, once an hour, a check will be carried out according to the conditions described below.</note> 
- 
-=== Queries ===  
- 
-{{ dpi:qoe:use_cases:competitors_query.png?nolink&600 |}} 
- 
-  * Add "+" field 
-  * Name А \\ Choose a table to be scanned: Raw clickstream -> Tables -> Raw clickstream 
-  * Name B \\ Choose a table to be scanned:  Raw full netflow -> Tables -> Attacks detection -> Top hosts IPs -> Maxi 
-  * Set the period from: "now – 1 hour",  until : "now" 
- 
-<note>In this case, the traffic analysis for the selected tables will be carried out every hour.</note> 
- 
-=== Conditions === 
- 
-{{ dpi:qoe:use_cases:competitors_conditions.png?nolink&600 |}} 
- 
-  * Add "+" 3 fields 
-  * First field — choose table "А"; Bind – "OR"; Function – "avg"; Serie Host = *megafon.com (or any other competitor ISP) 
-  * Second field — choose table "B"; Bind "AND";  Function – "avg"; Serie Flow volume from subscriber, Pct/s >= 800 
- 
-<note>We have set a condition — the trigger will fire at least 800 packets (not an accidental but meaningful visits) from a subscriber to a competitor's site.</note> 
- 
-=== Error handling === 
- 
-{{ dpi:qoe:use_cases:competitors_errors.png?nolink&600 |}} 
- 
-  * In the field "If no data" — No data 
-  * In the field "If execution error or timeout" — Keep last state 
- 
-<note>In this configuration — if there are no errors, no data will be saved; if any, information will be saved in the form of a table containing suspicious sessions.</note> 
- 
-=== Actions === 
-== E-mail == 
- 
-{{ en:dpi:qoe:use_cases:ddos_action_email_en.jpg?nolink&600 |}} 
- 
-  * For automatic filling - click on the "</>" icon (automatic filling of the form) 
-  * In the field "Send to" — specify email address 
- 
-<note>With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).</note> 
- 
-== Notification == 
- 
-{{ en:dpi:qoe:use_cases:ddos_action_notification_en.jpg?nolink&600 |}} 
- 
-  * For automatic filling - click on the "</>" icon (automatic filling of the form) 
-  * Choose the notification type — "Warning" 
-  * With this setting, a notification will be created in the SSG 
- 
-{{ dpi:qoe:use_cases:competitors_alerts.png?nolink&600 |}} 
- 
-You can get a link to the report in the notification menu 
- 
-{{ dpi:qoe:use_cases:competitors_report.png?nolink&400 |}} 
- 
-Select notification \\ 
-Select — "Details" 
- 
-{{ dpi:qoe:use_cases:competitors_details.png?nolink&400 |}} 
- 
-Follow the link to the report — it will open in a new tab. 
- 
-== HTTP == 
- 
-{{ dpi:qoe:use_cases:competitors_http.png?nolink&600 |}} 
- 
-  * For automatic filling — click on the "</>" icon (automatic filling of the form) 
-  * Choose the method most suitable for your ticket system and enter the URL 
- 
-<note important>It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.</note>
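Review bot: this hunk removes the whole "Triggers in QoE" page (the trigger basics, the required SSG options and modules, and all four worked configurations) with nothing added in its place and no pointer to where the material now lives; the revision header only says "removed - external edit", so either restore the page or replace the body with a link to the new location. If the text is restored, a few inconsistencies in the removed lines should be corrected at the same time: the first example's condition is "number of sessions >= 1500" but the explanatory note says "more than 1500 sessions"; the BotNet query reads "Raw full network -> Tables -> Raw log" where every other query uses "Raw full netflow"; the competitor example says "Add "+" 3 fields" but lists only two; and the note "the trigger will fire at least 800 packets" is missing "when it detects".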