en:dpi:qoe:use_cases:triggers_setup, revision 2024/09/26 15:29 (current, external edit 127.0.0.1); previous revision 2023/08/30 08:53 by elena.krasnobryzh
====== Triggers in QoE ======

Triggers are used to search for data in QoE Stor according to the specified parameters. After a trigger fires, one of the following actions is possible:
  * GUI notification
  * HTTP action
  * sending an email

Required SSG options:
  * [[en:dpi:dpi_options:opt_statistics]]
  * [[en:dpi:dpi_options:opt_notify]]
Required additional modules:
  * [[en:dpi:dpi_components:dpiui|]]
  * [[en:dpi:dpi_components:qoestor|]]
===== Trigger configuration example: Finding the source of a Flood DDoS attack =====

=== General Information ===

{{ en:dpi:qoe:use_cases:ddos_general_en.jpg?nolink&600 |}}

Trigger name «Source of DDoS», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end – not specified.

<note>Every day, once an hour, a check will be carried out according to the conditions described below.</note>

=== Queries ===

{{ dpi:qoe:use_cases:ddos_query.png?nolink&600 |}}

  * Add a field
  * Name: A
  * Choose the table to be scanned: Raw full netflow -> Tables -> Attacks detection -> Top hosts IPs -> Maxi
  * Set the period from «now – 15minute» until «now»

<note>In this case, the traffic analysis for the selected table will be carried out for the period of the last 15 minutes.</note>

=== Conditions ===

{{ dpi:qoe:use_cases:ddos_conditions.png?nolink&600 |}}

  * Add ("+") 2 fields
  * Bind – AND
  * Function – avg
  * Serie in the first field – session timeout <= 20 (ms)
  * Serie in the second field – number of sessions >= 1500

<note>We have set a condition — the trigger will fire when it detects both signs: sessions with a lifetime of 20 ms or less AND more than 1500 sessions from one IP host.</note>

=== Error handling ===

{{ dpi:qoe:use_cases:ddos_error.png?nolink&600 |}}

  * In the field "If no data" — No data
  * In the field "If execution error or timeout" — Keep last state

<note>In this configuration — if there are no errors, no data will be saved; if there are, the information will be saved in the form of a table containing suspicious sessions.</note>

=== Actions ===
== E-mail ==

{{ en:dpi:qoe:use_cases:ddos_action_email_en.jpg?nolink&600 |}}

  * Click the "</>" icon to fill in the form automatically
  * In the field "Send to" — specify the email address

<note>With this setting, when the trigger fires, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).</note>

== Notification ==

{{ en:dpi:qoe:use_cases:ddos_action_notification_en.jpg?nolink&600 |}}

  * Click the "</>" icon to fill in the form automatically
  * Choose the notification type — "Warning"
  * With this setting, a notification will be created in the SSG

{{ dpi:qoe:use_cases:ddos_alerts.png?nolink&600 |}}

You can get a link to the report in the notification menu.

{{ dpi:qoe:use_cases:ddos_report.png?nolink&400 |}}

Select the notification \\
Select "Details"

{{ dpi:qoe:use_cases:ddos_details.png?nolink&400 |}}

Follow the link to the report - it will open in a new tab.

== HTTP ==

{{ dpi:qoe:use_cases:ddos_http.png?nolink&600 |}}

  * Click the "</>" icon to fill in the form automatically
  * Choose the method most suitable for your ticket system and enter the URL

<note important>It is important to understand that the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.</note>
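The two conditions of this trigger (average session lifetime <= 20 ms AND >= 1500 sessions from one host over the last 15 minutes), re-implemented as an added illustration that is not code from the product or this page, over a constructed set of netflow-like session records; the record shape (end time, source IP, session lifetime in ms), the sample addresses and the fixed "now" are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # query period: from "now - 15minute" until "now"
MAX_AVG_LIFETIME_MS = 20        # first field: avg session timeout <= 20 (ms)
MIN_SESSIONS = 1500             # second field: number of sessions >= 1500
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0)  # fixed "now" for the constructed sample


def aggregate_hosts(records, now):
    """Group sessions that ended inside the window by source IP and return
    {src_ip: (avg_lifetime_ms, session_count)}.
    Assumed record shape: (end_time, src_ip, lifetime_ms) -- not a QoE Stor row."""
    lifetimes = defaultdict(list)
    for end_time, src_ip, lifetime_ms in records:
        if now - WINDOW <= end_time <= now:
            lifetimes[src_ip].append(lifetime_ms)
    # "Function - avg": the compared series is the per-host average
    return {ip: (sum(v) / len(v), len(v)) for ip, v in lifetimes.items()}


def ddos_sources(records, now):
    """Hosts for which BOTH conditions hold (Bind - AND)."""
    return sorted(
        ip
        for ip, (avg_ms, count) in aggregate_hosts(records, now).items()
        if avg_ms <= MAX_AVG_LIFETIME_MS and count >= MIN_SESSIONS
    )


def sample_records(now=SAMPLE_NOW):
    """Constructed input: one flooding host, one busy host with normal session
    lifetimes, one host with few short sessions, and stale sessions that ended
    before the 15-minute window and must be ignored."""
    def recent(i):
        return now - timedelta(seconds=i % 900)  # spread over the last 900 s

    recs = [(recent(i), "10.0.0.7", 5) for i in range(2000)]        # 2000 sessions, avg 5 ms
    recs += [(recent(i), "10.0.0.8", 250) for i in range(3000)]     # many sessions, but 250 ms each
    recs += [(recent(i), "10.0.0.9", 3) for i in range(50)]         # short, but only 50 sessions
    recs += [(now - timedelta(minutes=20), "10.0.0.10", 1)] * 5000  # outside the window
    return recs


if __name__ == "__main__":
    print(ddos_sources(sample_records(), SAMPLE_NOW))  # -> ['10.0.0.7']
```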

===== Trigger configuration example: Finding the target of a Flood DDoS attack =====
It differs from the previous example only in stages 2 and 3 (Queries and Conditions).

=== Queries ===

{{ dpi:qoe:use_cases:ddos_target_query.png?nolink&600 |}}

In the "Report" field choose Raw full netflow -> Tables -> Attacks detection -> Top subscribers -> Maxi

=== Conditions ===

{{ dpi:qoe:use_cases:ddos_target_conditions.png?nolink&600 |}}

Serie — "Flow volume to subscribers", >= 10000

<note important>It is important to understand that the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.</note>

===== BotNet Analysis =====
It differs from the previous example only in stages 2 and 3 (Queries and Conditions).

=== Queries ===

{{ dpi:qoe:use_cases:botnet_query.png?nolink&600 |}}

  * For the "A" value choose Raw full netflow -> Tables -> Attacks detection -> Top application protocols -> Maxi
  * For the "B" value choose Raw full netflow -> Tables -> Raw log -> Full raw log

=== Conditions ===

{{ dpi:qoe:use_cases:botnet_conditions.png?nolink&600 |}}

Most often, botnets use ports 6667 and 1080 — for query "B", add a condition for each of them as destination port and as source port, bound with "OR", and choose Flow Pcts/s equal to or more than 2000.
<note>With this configuration, if on at least one of the ports (6667/1080) the number of passing packets is more than 2000 per second, the trigger will fire.</note>

<note important>It is important to understand that the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.</note>
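The OR-bound port conditions of the BotNet trigger (Flow Pcts/s >= 2000 on port 6667 or 1080, as source or destination), re-implemented as an added illustration that is not the product's code, over constructed raw-log-like flow records; the flow shape (timestamp, source port, destination port, packet count), the 15-minute window carried over from the first example and the sample values are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {6667, 1080}    # the ports named on the page
MIN_PKTS_PER_SEC = 2000         # Flow Pcts/s >= 2000
WINDOW = timedelta(minutes=15)  # assumption: same query period as the DDoS example
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0)  # fixed "now" for the constructed sample


def port_packet_rates(flows, now):
    """Packets per second seen on each watched port, as source OR destination,
    over the query window. Assumed flow shape: (timestamp, src_port, dst_port,
    packets) -- not QoE Stor's Full raw log format."""
    packets = defaultdict(int)
    for ts, src_port, dst_port, pkts in flows:
        if not (now - WINDOW <= ts <= now):
            continue  # outside the query period
        for port in {src_port, dst_port} & WATCHED_PORTS:
            packets[port] += pkts
    return {port: n / WINDOW.total_seconds() for port, n in packets.items()}


def botnet_ports(flows, now):
    """Ports on which the condition holds. Bind - OR: a single port above the
    threshold is enough, so the trigger fires if this list is non-empty."""
    return sorted(
        port for port, rate in port_packet_rates(flows, now).items()
        if rate >= MIN_PKTS_PER_SEC
    )


def sample_flows(now=SAMPLE_NOW):
    """Constructed flows: heavy traffic to 6667, light traffic from 1080, heavy
    traffic on an unwatched port, and a stale 6667 flow before the window."""
    flows = [(now - timedelta(seconds=30 * i), 51000 + i, 6667, 100_000) for i in range(20)]  # 2,000,000 pkts
    flows.append((now - timedelta(seconds=60), 1080, 40000, 90_000))     # 100 pkts/s over 900 s
    flows.append((now - timedelta(seconds=10), 443, 52000, 5_000_000))   # not a watched port
    flows.append((now - timedelta(minutes=30), 6667, 53000, 9_000_000))  # before the window
    return flows


if __name__ == "__main__":
    print(botnet_ports(sample_flows(), SAMPLE_NOW))  # -> [6667]
```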

===== Subscriber's interest in competitor resources =====
=== General information ===

{{ en:dpi:qoe:use_cases:competitors_general_en.jpg?nolink&600 |}}

Trigger name «Subscriber's interest in competitor resources», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end – not specified.

<note>Every day, once an hour, a check will be carried out according to the conditions described below.</note>

=== Queries ===

{{ dpi:qoe:use_cases:competitors_query.png?nolink&600 |}}

  * Add ("+") a field
  * Name A \\ Choose the table to be scanned: Raw clickstream -> Tables -> Raw clickstream
  * Name B \\ Choose the table to be scanned: Raw full netflow -> Tables -> Attacks detection -> Top hosts IPs -> Maxi
  * Set the period from "now – 1 hour" until "now"

<note>In this case, the traffic analysis for the selected tables will be carried out every hour.</note>

=== Conditions ===

{{ dpi:qoe:use_cases:competitors_conditions.png?nolink&600 |}}

  * Add ("+") 3 fields
  * First field — choose table "A"; Bind – "OR"; Function – "avg"; Serie Host = *megafon.com (or any other competitor ISP)
  * Second field — choose table "B"; Bind – "AND"; Function – "avg"; Serie Flow volume from subscriber, Pct/s >= 800

<note>We have set a condition — the trigger will fire on at least 800 packets (not an accidental but a meaningful visit) from a subscriber to a competitor's site.</note>

=== Error handling ===

{{ dpi:qoe:use_cases:competitors_errors.png?nolink&600 |}}

  * In the field "If no data" — No data
  * In the field "If execution error or timeout" — Keep last state

<note>In this configuration — if there are no errors, no data will be saved; if there are, the information will be saved in the form of a table containing suspicious sessions.</note>

=== Actions ===
== E-mail ==

{{ en:dpi:qoe:use_cases:ddos_action_email_en.jpg?nolink&600 |}}

  * Click the "</>" icon to fill in the form automatically
  * In the field "Send to" — specify the email address

<note>With this setting, when the trigger fires, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).</note>

== Notification ==

{{ en:dpi:qoe:use_cases:ddos_action_notification_en.jpg?nolink&600 |}}

  * Click the "</>" icon to fill in the form automatically
  * Choose the notification type — "Warning"
  * With this setting, a notification will be created in the SSG

{{ dpi:qoe:use_cases:competitors_alerts.png?nolink&600 |}}

You can get a link to the report in the notification menu.

{{ dpi:qoe:use_cases:competitors_report.png?nolink&400 |}}

Select the notification \\
Select "Details"

{{ dpi:qoe:use_cases:competitors_details.png?nolink&400 |}}

Follow the link to the report — it will open in a new tab.

== HTTP ==

{{ dpi:qoe:use_cases:competitors_http.png?nolink&600 |}}

  * Click the "</>" icon to fill in the form automatically
  * Choose the method most suitable for your ticket system and enter the URL

<note important>It is important to understand that the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.</note>