====== Triggers in QoE ====== {{indexmenu_n>5}} Triggers are used to search for data in QoE Stor according to the specified parameters. After the trigger is fired, one of the following actions is possible: * GUI notification * HTTP action * sending email Required SSG options: * [[dpi:dpi_options:opt_statistics]] * [[dpi:dpi_options:opt_notify]] Required additional modules: * [[dpi:dpi_components:dpiui|]] * [[dpi:dpi_components:qoestor|]] ===== Trigger configuration example: Finding the source of a Flood DDOS attack ===== === General Information === {{ dpi:qoe:use_cases:ddos_general_en.jpg?nolink&600 |}} Trigger name «Source of DDoS», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified. Every day, once an hour, a check will be carried out according to the conditions described below. === Queries === {{ dpi:qoe:use_cases:ddos_query.png?nolink&600 |}} * Add a field * Name: A * Choose a table to be scanned: Raw full netflow -> Tables -> Attacks detection -> Top hosts IPs -> Maxi * Set the period from: «now – 15minute», until : «now» In this case, the traffic analysis for the selected page will be carried out for the period of the last 15 minutes. === Conditions === {{ dpi:qoe:use_cases:ddos_conditions.png?nolink&600 |}} * Add "+" 2 fields * Bind – AND * Function – avg * Serie in the 1 field – session timeout <= 20(ms) * Serie in the 2 field – number of sessions >= 1500 We have set a condition — the trigger will fire when it detects both signs: sessions with lifetime equal or less than 20ms AND more than 1500 sessions from one IP-host. === Error handling === {{ dpi:qoe:use_cases:ddos_error.png?nolink&600 |}} * In the field "If no data" — No data * In the field "If execution error or timeout" — Keep last state In this configuration — if there are no errors, no data will be saved; if any, information will be saved in the form of a table containing suspicious sessions. === Actions === == E-mail == {{ dpi:qoe:use_cases:ddos_action_email_en.jpg?nolink&600 |}} * For automatic filling - click on the "" icon (automatic filling of the form) * In the field "Send to" — specify email address With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state). == Notification == {{ dpi:qoe:use_cases:ddos_action_notification_en.jpg?nolink&600 |}} * For automatic filling - click on the "" icon (automatic filling of the form) * Choose the notification type — "Warning" * With this setting, a notification will be created in the SSG {{ dpi:qoe:use_cases:ddos_alerts.png?nolink&600 |}} You can get a link to the report in the notification menu {{ dpi:qoe:use_cases:ddos_report.png?nolink&400 |}} Select notification \\ Select - "Details" {{ dpi:qoe:use_cases:ddos_details.png?nolink&400 |}} Follow the link to the report - it will open in a new tab. == HTTP == {{ dpi:qoe:use_cases:ddos_http.png?nolink&600 |}} * For automatic filling - click on the "" icon (automatic filling of the form) * Choose the method most suitable for your ticket system and enter the URL It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network. ===== Trigger configuration example: Finding the target of a Flood DDOS attack ===== It differs from the previous example in setting 2 and 3 stages (Queries and Conditions). === Queries === {{ dpi:qoe:use_cases:ddos_target_query.png?nolink&600 |}} In the "Report" field choose Raw full netflow -> Tables -> Attacks detection -> Top subscribers -> Maxi === Conditions === {{ dpi:qoe:use_cases:ddos_target_conditions.png?nolink&600 |}} Serie — "Flow volume to subscribers", >= 10000 It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network. ===== BotNet Analysis ===== It differs from the previous example in setting 2 and 3 stages (Queries and Conditions). === Queries === {{ dpi:qoe:use_cases:botnet_query.png?nolink&600 |}} * Choose Raw full netflow -> Tables -> Attacks detection -> Top application protocols -> Maxi for the "А" value * Raw full network -> Tables -> Raw log -> Full raw log for the "B" value === Conditions === {{ dpi:qoe:use_cases:botnet_conditions.png?nolink&600 |}} Most often, BotNet uses ports 6667 and 1080 — add each destination/source port by selecting query "B" with value "OR" and choose Flow Pcts/s equal or more than 2000. With this configuration, if at least on one of the ports (6667/1080) the number of passing packets is more than 2000 per second, the trigger will fire. It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network. ===== Subscriber's interest in competitor resources ===== === General information === {{ dpi:qoe:use_cases:competitors_general_en.jpg?nolink&600 |}} Trigger name «Subscriber's interest in competitor resources», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified. Every day, once an hour, a check will be carried out according to the conditions described below. === Queries === {{ dpi:qoe:use_cases:competitors_query.png?nolink&600 |}} * Add "+" field * Name А \\ Choose a table to be scanned: Raw clickstream -> Tables -> Raw clickstream * Name B \\ Choose a table to be scanned: Raw full netflow -> Tables -> Attacks detection -> Top hosts IPs -> Maxi * Set the period from: "now – 1 hour", until : "now" In this case, the traffic analysis for the selected tables will be carried out every hour. === Conditions === {{ dpi:qoe:use_cases:competitors_conditions.png?nolink&600 |}} * Add "+" 3 fields * First field — choose table "А"; Bind – "OR"; Function – "avg"; Serie Host = *megafon.com (or any other competitor ISP) * Second field — choose table "B"; Bind "AND"; Function – "avg"; Serie Flow volume from subscriber, Pct/s >= 800 We have set a condition — the trigger will fire at least 800 packets (not an accidental but meaningful visits) from a subscriber to a competitor's site. === Error handling === {{ dpi:qoe:use_cases:competitors_errors.png?nolink&600 |}} * In the field "If no data" — No data * In the field "If execution error or timeout" — Keep last state In this configuration — if there are no errors, no data will be saved; if any, information will be saved in the form of a table containing suspicious sessions. === Actions === == E-mail == {{ dpi:qoe:use_cases:ddos_action_email_en.jpg?nolink&600 |}} * For automatic filling - click on the "" icon (automatic filling of the form) * In the field "Send to" — specify email address With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state). == Notification == {{ dpi:qoe:use_cases:ddos_action_notification_en.jpg?nolink&600 |}} * For automatic filling - click on the "" icon (automatic filling of the form) * Choose the notification type — "Warning" * With this setting, a notification will be created in the SSG {{ dpi:qoe:use_cases:competitors_alerts.png?nolink&600 |}} You can get a link to the report in the notification menu {{ dpi:qoe:use_cases:competitors_report.png?nolink&400 |}} Select notification \\ Select — "Details" {{ dpi:qoe:use_cases:competitors_details.png?nolink&400 |}} Follow the link to the report — it will open in a new tab. == HTTP == {{ dpi:qoe:use_cases:competitors_http.png?nolink&600 |}} * For automatic filling — click on the "" icon (automatic filling of the form) * Choose the method most suitable for your ticket system and enter the URL It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.