Topic: How to Alert on Single IP uploading too much?

SkinnerVic
How to Alert on Single IP uploading too much?
« on: January 17, 2018, 11:21:04 pm »
OK, so I have been reading about different ways to accomplish this simple task, to no avail. Here's what I am trying to do:

I have a single client (maybe more down the line), and I know something is really wacky if it pushes too much data from LAN to WAN. I just want to set some thresholds on upload data over some unit of time (like 1 min resolution) so that if it exceeds XX kb/s, an email (preferably an SMS) is sent to me. I don't want to cap the client either, just know what's going on (discreetly). 8)

I'm not interested in retaining any of the data for logging, etc. I may want to see what the traffic is like for a week to set a reasonable level, then let it ride until further notice.

I know I'm combining two different skills: monitoring and notification. You'd think I was pulling teeth. I thought about using Snort and having it be a rule. At this point, I'm all ears...

Suggestions?

SkinnerVic
Re: How to Alert on Single IP uploading too much?
« Reply #1 on: January 18, 2018, 09:09:07 pm »
I decided to go the ntopng route. OK, it's not quite what I was looking for, but it's fancy and fast for my purposes. I found a solution and wanted to pass it along:

In ntopng, there is per-host alerting. While it's not email or SMS, it does SLACK!! Woot. I just integrated a new workspace with my existing workspace in Slack and followed the instructions here:

https://github.com/ntop/ntopng/blob/dev/doc/README.slack

I set two threshold items, Activity Time and Traffic (Layer 2), with the levels low to see what a baseline looked like. Sure enough, it is quite gated unless it gets stupid.

Hope this can help anyone else looking for this solution. The only way it could be better is to split send/receive in Traffic, but it works for now!
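Added example, not code from the original posts and not ntopng's or pfSense's own code: the thread asks for exactly the pieces below, so here is the logic in a self-contained form that runs offline. It covers both posts: per-host upload rate over 1-minute buckets with a threshold (the original question), a baseline helper for the "watch it for a week, then set a level" step, and alert delivery as a Slack incoming-webhook message (the reply's notification path, which ntopng does for you; here it is shown directly). It also handles the point the reply raises about send/receive not being split: only LAN-to-WAN bytes are counted. Everything is an assumption for illustration: the LAN prefix 192.168.1.0/24, the flow records (constructed, in the shape a flow exporter such as softflowd/pflow would give you), the threshold of 1000 kbit/s, and the placeholder webhook URL. Alerts fire once per excursion rather than once per minute, re-arming only after the rate drops well below the line, so a host hovering at the threshold does not flood the channel.

```python
"""Per-host upload-rate alerting over 1-minute windows (constructed example).

Counts only LAN->WAN bytes per source host per minute, alerts once per
excursion above a threshold, and formats the alert as a Slack incoming
webhook message. Sending is off by default so the script runs offline.
"""
import ipaddress
import json
import urllib.request
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption: the LAN side
WINDOW = 60                                    # seconds per bucket (1 min resolution)
WEBHOOK_URL = "https://hooks.slack.com/services/EXAMPLE"  # placeholder, not a real hook

# Constructed flow records: (unix_time, src_ip, dst_ip, bytes). In practice these
# come from a flow exporter; these values are made up to exercise the logic.
SAMPLE_FLOWS = [
    (1516230000, "192.168.1.50", "93.184.216.34", 20_000),     # min 0: 50 kB up -> 6.7 kbit/s
    (1516230010, "192.168.1.50", "93.184.216.34", 30_000),
    (1516230020, "93.184.216.34", "192.168.1.50", 5_000_000),  # download: not counted
    (1516230060, "192.168.1.50", "198.51.100.7", 9_000_000),   # min 1: 18 MB up -> 2400 kbit/s
    (1516230070, "192.168.1.50", "198.51.100.7", 9_000_000),
    (1516230120, "192.168.1.50", "198.51.100.7", 9_100_000),   # min 2: still high, no 2nd alert
    (1516230125, "192.168.1.51", "93.184.216.34", 10_000),     # another host, quiet
    (1516230180, "192.168.1.50", "198.51.100.7", 100_000),     # min 3: back down, re-arms
    (1516230240, "192.168.1.50", "198.51.100.7", 9_000_000),   # min 4: new excursion -> alert
]


def upload_kbps(flows, lan=LAN, window=WINDOW):
    """Return {(bucket_start, src_ip): kbit/s} counting LAN->WAN traffic only."""
    buckets = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in lan and d not in lan:            # upload = LAN source, non-LAN destination
            buckets[(ts - ts % window, src)] += nbytes
    return {key: total * 8 / window / 1000 for key, total in buckets.items()}


def detect(rates, threshold_kbps, clear_kbps=None):
    """Return [(bucket_start, host, kbps)] with one entry per excursion.

    Hysteresis: after an alert the host stays silenced until its rate falls
    below clear_kbps (default 80% of the threshold). A host that sends nothing
    has no bucket at all, so a gap with zero traffic does not re-arm it here.
    """
    clear_kbps = threshold_kbps * 0.8 if clear_kbps is None else clear_kbps
    armed = defaultdict(lambda: True)
    alerts = []
    for (start, host), kbps in sorted(rates.items()):
        if kbps >= threshold_kbps and armed[host]:
            alerts.append((start, host, kbps))
            armed[host] = False
        elif kbps < clear_kbps:
            armed[host] = True
    return alerts


def suggest_threshold(rates, host, headroom=3.0):
    """Baseline helper: nearest-rank 95th percentile of a host's per-minute
    upload rate times a headroom factor. Run it over a quiet week of buckets
    before arming detect(); a window containing the incident inflates it."""
    samples = sorted(kbps for (_, h), kbps in rates.items() if h == host)
    if not samples:
        raise ValueError("no samples for %s" % host)
    p95 = samples[max(0, int(round(0.95 * len(samples))) - 1)]
    return p95 * headroom


def slack_payload(start, host, kbps, threshold_kbps):
    """Body for a Slack incoming webhook; "text" is the field the webhook reads."""
    return {"text": "upload alert: %s sent %.0f kbit/s (limit %.0f) in the minute starting %d"
                    % (host, kbps, threshold_kbps, start)}


def send_slack(payload, webhook_url=WEBHOOK_URL, dry_run=True):
    """POST the JSON payload to the webhook; dry_run returns the bytes instead."""
    data = json.dumps(payload).encode()
    if dry_run:
        return data
    req = urllib.request.Request(webhook_url, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def run(flows=SAMPLE_FLOWS, threshold_kbps=1000.0, dry_run=True):
    """Whole pipeline: bucket, detect, notify. Returns the sent/dry-run bodies."""
    rates = upload_kbps(flows)
    return [send_slack(slack_payload(s, h, k, threshold_kbps), dry_run=dry_run)
            for s, h, k in detect(rates, threshold_kbps)]


if __name__ == "__main__":
    for body in run():
        print(body.decode())
```

On the sample data host 192.168.1.50 trips the 1000 kbit/s line in minute 1, stays above it in minute 2 without a second message, drops in minute 3 and is alerted again for the fresh excursion in minute 4, which is the behaviour you want from a "tell me when it gets stupid" monitor that does not page you every minute. Feed `upload_kbps()` real exporter records and set `dry_run=False` with your own webhook to send for real.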