====== Triggers in QoE ======
{{indexmenu_n>5}}
Triggers are used to search for data in QoE Stor according to the specified parameters. After the trigger is fired, one of the following actions is possible:
* GUI notification
* HTTP action
* sending email
Required SSG options:
* [[dpi:dpi_options:opt_statistics]]
* [[dpi:dpi_options:opt_notify]]
Required additional modules:
* [[dpi:dpi_components:dpiui|]]
* [[dpi:dpi_components:qoestor|]]
===== Trigger configuration example: Finding the source of a Flood DDOS attack =====
=== General Information ===
{{ dpi:qoe:use_cases:ddos_general_en.jpg?nolink&600 |}}
Trigger name «Source of DDoS», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified.
Every day, once an hour, a check will be carried out according to the conditions described below.
=== Queries ===
{{ dpi:qoe:use_cases:ddos_query.png?nolink&600 |}}
* Add a field
* Name: A
* Choose a table to be scanned: Raw full netflow -> Tables -> Attacks detection -> Top hosts IPs -> Maxi
* Set the period from: «now – 15minute», until : «now»
In this case, the traffic analysis for the selected page will be carried out for the period of the last 15 minutes.
=== Conditions ===
{{ dpi:qoe:use_cases:ddos_conditions.png?nolink&600 |}}
* Add "+" 2 fields
* Bind – AND
* Function – avg
* Serie in the 1 field – session timeout <= 20(ms)
* Serie in the 2 field – number of sessions >= 1500
We have set a condition — the trigger will fire when it detects both signs: sessions with lifetime equal or less than 20ms AND more than 1500 sessions from one IP-host.
=== Error handling ===
{{ dpi:qoe:use_cases:ddos_error.png?nolink&600 |}}
* In the field "If no data" — No data
* In the field "If execution error or timeout" — Keep last state
In this configuration — if there are no errors, no data will be saved; if any, information will be saved in the form of a table containing suspicious sessions.
=== Actions ===
== E-mail ==
{{ dpi:qoe:use_cases:ddos_action_email_en.jpg?nolink&600 |}}
* For automatic filling - click on the ">" icon (automatic filling of the form)
* In the field "Send to" — specify email address
With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).
== Notification ==
{{ dpi:qoe:use_cases:ddos_action_notification_en.jpg?nolink&600 |}}
* For automatic filling - click on the ">" icon (automatic filling of the form)
* Choose the notification type — "Warning"
* With this setting, a notification will be created in the SSG
{{ dpi:qoe:use_cases:ddos_alerts.png?nolink&600 |}}
You can get a link to the report in the notification menu
{{ dpi:qoe:use_cases:ddos_report.png?nolink&400 |}}
Select notification \\
Select - "Details"
{{ dpi:qoe:use_cases:ddos_details.png?nolink&400 |}}
Follow the link to the report - it will open in a new tab.
== HTTP ==
{{ dpi:qoe:use_cases:ddos_http.png?nolink&600 |}}
* For automatic filling - click on the ">" icon (automatic filling of the form)
* Choose the method most suitable for your ticket system and enter the URL
It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.
===== Trigger configuration example: Finding the target of a Flood DDOS attack =====
It differs from the previous example in setting 2 and 3 stages (Queries and Conditions).
=== Queries ===
{{ dpi:qoe:use_cases:ddos_target_query.png?nolink&600 |}}
In the "Report" field choose Raw full netflow -> Tables -> Attacks detection -> Top subscribers -> Maxi
=== Conditions ===
{{ dpi:qoe:use_cases:ddos_target_conditions.png?nolink&600 |}}
Serie — "Flow volume to subscribers", >= 10000
It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.
===== BotNet Analysis =====
It differs from the previous example in setting 2 and 3 stages (Queries and Conditions).
=== Queries ===
{{ dpi:qoe:use_cases:botnet_query.png?nolink&600 |}}
* Choose Raw full netflow -> Tables -> Attacks detection -> Top application protocols -> Maxi for the "А" value
* Raw full network -> Tables -> Raw log -> Full raw log for the "B" value
=== Conditions ===
{{ dpi:qoe:use_cases:botnet_conditions.png?nolink&600 |}}
Most often, BotNet uses ports 6667 and 1080 — add each destination/source port by selecting query "B" with value "OR" and choose Flow Pcts/s equal or more than 2000.
With this configuration, if at least on one of the ports (6667/1080) the number of passing packets is more than 2000 per second, the trigger will fire.
It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.
===== Subscriber's interest in competitor resources =====
=== General information ===
{{ dpi:qoe:use_cases:competitors_general_en.jpg?nolink&600 |}}
Trigger name «Subscriber's interest in competitor resources», days of week – all, check frequency – every hour, number of positives – once, time and date of start/end - not specified.
Every day, once an hour, a check will be carried out according to the conditions described below.
=== Queries ===
{{ dpi:qoe:use_cases:competitors_query.png?nolink&600 |}}
* Add "+" field
* Name А \\ Choose a table to be scanned: Raw clickstream -> Tables -> Raw clickstream
* Name B \\ Choose a table to be scanned: Raw full netflow -> Tables -> Attacks detection -> Top hosts IPs -> Maxi
* Set the period from: "now – 1 hour", until : "now"
In this case, the traffic analysis for the selected tables will be carried out every hour.
=== Conditions ===
{{ dpi:qoe:use_cases:competitors_conditions.png?nolink&600 |}}
* Add "+" 3 fields
* First field — choose table "А"; Bind – "OR"; Function – "avg"; Serie Host = *megafon.com (or any other competitor ISP)
* Second field — choose table "B"; Bind "AND"; Function – "avg"; Serie Flow volume from subscriber, Pct/s >= 800
We have set a condition — the trigger will fire at least 800 packets (not an accidental but meaningful visits) from a subscriber to a competitor's site.
=== Error handling ===
{{ dpi:qoe:use_cases:competitors_errors.png?nolink&600 |}}
* In the field "If no data" — No data
* In the field "If execution error or timeout" — Keep last state
In this configuration — if there are no errors, no data will be saved; if any, information will be saved in the form of a table containing suspicious sessions.
=== Actions ===
== E-mail ==
{{ dpi:qoe:use_cases:ddos_action_email_en.jpg?nolink&600 |}}
* For automatic filling - click on the ">" icon (automatic filling of the form)
* In the field "Send to" — specify email address
With this setting, when the trigger is fired, all information about the event will be sent to the specified email: ID, trigger name, status, link to the report (saved state).
== Notification ==
{{ dpi:qoe:use_cases:ddos_action_notification_en.jpg?nolink&600 |}}
* For automatic filling - click on the ">" icon (automatic filling of the form)
* Choose the notification type — "Warning"
* With this setting, a notification will be created in the SSG
{{ dpi:qoe:use_cases:competitors_alerts.png?nolink&600 |}}
You can get a link to the report in the notification menu
{{ dpi:qoe:use_cases:competitors_report.png?nolink&400 |}}
Select notification \\
Select — "Details"
{{ dpi:qoe:use_cases:competitors_details.png?nolink&400 |}}
Follow the link to the report — it will open in a new tab.
== HTTP ==
{{ dpi:qoe:use_cases:competitors_http.png?nolink&600 |}}
* For automatic filling — click on the ">" icon (automatic filling of the form)
* Choose the method most suitable for your ticket system and enter the URL
It is important to understand: the number of established sessions, the number of incoming packets, etc. are averaged. More precise configuration should be made taking into account the specifics of your network.