Skip to content

jelenamirkovic/AMON-SENSS

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

169 Commits
autom4te.cache
autom4te.cache
 
 
ground-truth
ground-truth
 
 
AMONSENSS-create.sql
AMONSENSS-create.sql
 
 
AMONSENSS.sql
AMONSENSS.sql
 
 
AUTHORS
AUTHORS
 
 
COPYING
COPYING
 
 
ChangeLog
ChangeLog
 
 
INSTALL
INSTALL
 
 
Makefile.am
Makefile.am
 
 
Makefile.in
Makefile.in
 
 
NEWS
NEWS
 
 
README
README
 
 
aclocal.m4
aclocal.m4
 
 
amonsenss.cc
amonsenss.cc
 
 
amonsenss.config
amonsenss.config
 
 
amqp_consumer-checkStatus.c
amqp_consumer-checkStatus.c
 
 
anum
anum
 
 
autoconfig
autoconfig
 
 
compile
compile
 
 
config.h
config.h
 
 
config.h.in
config.h.in
 
 
configure
configure
 
 
configure.ac
configure.ac
 
 
control.cc
control.cc
 
 
depcomp
depcomp
 
 
install-sh
install-sh
 
 
localprefs.txt
localprefs.txt
 
 
match.pl
match.pl
 
 
merge.pl
merge.pl
 
 
missing
missing
 
 
rabbitmq_utils.cc
rabbitmq_utils.cc
 
 
rabbitmq_utils.h
rabbitmq_utils.h
 
 
read_alerts
read_alerts
 
 
rotate
rotate
 
 
services.txt
services.txt
 
 
size.cc
size.cc
 
 
sum_alerts
sum_alerts
 
 
utils.cc
utils.cc
 
 
utils.h
utils.h
 
 

Repository files navigation

This is AMON-SENSS, software for scalable detection of DDoS attacks and
creation of signatures for attack filtering. Signatures and alerts are
exported in real time into alerts.txt file. You will soon discover when
you run this tool that there are many attacks that get detected. This is
an unfortunate fact -- today's traffic is often one-way and has many
anomalies that AMON-SENSS picks up. You can use read_alerts tool to narrow
down just to attacks for which we have high confidence. 

==== INSTALLATION ====

See the INSTALL file for detailed information about how to configure
and install AMON-SENSS.

Run the Perl script autoconfig to configure the parameters via a dialogue. 
Specifically, parameter min_oci will govern how large an estimated attack's
packet rate must be to warrant printing an alert. If you are seeing too many
alerts try specifying a higher value for min_oci. However, you can always
increase RATE parameter in read_alerts to only focus on high-rate attacks.

==== RUNNING ====

To run please specify prefixes you want to protect in localprefs.txt file.
A sample file is provided. Replace its contents with your own.

Service ports of interest are in services.txt file. You don't need to change
this file.

Typical usage:
  ./amonsenss -r /folder-w-nfdump -F nf -f > /dev/null

AMON-SENSS expects as input one or more files with Netflow records
(nfdump or flow-tools format), pcap or Flowride records.
If you specify a folder holding these files, possibly in some subfolders,
the program will read all the folder(s)
contents, sort by file name and process files in this order.

AMON-SENSS produces alerts in alerts.txt file in real time. Ongoing attacks
will result in steady stream of alerts. AMON-SENSS uses a simple bash script -- rotate --
to rotate this file.

If you run the code with -v flag, it will also produce debugging output, which is
very verbose. So use this option sparingly.

Use read_alerts tool to get condensed START/STOP messages for attacks.

perl read_alerts alerts.txt

This tool will read alerts.txt on ongoing basis and produce human-readable,
low volume of actionable alerts. If you rotate alerts.txt you will need to
restart read_alerts as well.

==== OTHER ====

To understand how AMON-SENSS works download the document
http://steel.isi.edu/projects/SENSS/amon-senss.pdf

AMON-SENSS has a Web page, with accompanying tools that can help you respond
to attacks that are detected (although many are research grade)

   https://steel.isi.edu/projects/SENSS/

For any questions please reach out to Jelena Mirkovic  <[email protected]>

=======================================================================


 Copyright (C) 2018 University of Southern California.

 This program is free software; you can redistribute it and/or
 modify it under the terms of the GNU General Public License,
 version 2, as published by the Free Software Foundation.

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.

 You should have received a copy of the GNU General Public License along
 with this program; if not, write to the Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

About

SENSS All-packet MONitor

Resources

Readme

License

GPL-2.0 license
Activity

Stars

4 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases 8

Patch for continuous reading Latest
Sep 8, 2023
+ 7 releases

Packages

No packages published

Languages

  • C++ 37.5%
  • Roff 36.6%
  • Perl 9.6%
  • Shell 8.6%
  • Makefile 4.0%
  • C 2.7%
  • Other 1.0%