DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DOS attacks

  • aimdev
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
29 May 2023 15:00 #102519 by aimdev
Replied by aimdev on topic Re: DOS attacks
Hi

There are quite a few stages, so here is the simplified flow.

Vigor syslog -- graylog input -- graylog stream -- graylog pipeline (add reverse dns, whois, port identification etc )
Check to see if this works using graylogs tools.
Then using grafana connect to the elastic search database (or opensearch, though I have not tested this yet) to create tables, charts and maps

I run graylog v5 within a debian bullseye VM, its a bit greedy, 4cores and 5gb memory, ~ 32 Gb disk, supports graylog and elastic search.
Grafana is on a separate vm, not so greedy, 2 cores , 2Gb
There are three streams, DOS, Passed & Blocked derived from the Vigor syslog, parsed using the Grok parsers. I have only shown the DOS stream, the other two are similar

Not sure the attachments work, if not pm me on this board with an email address and I will send the screen shots

Pipeline rule Reverse Dns Firewall dst_ip.png
extractor vigor_parse_dos for input vigor firewall.png
extractor vigor for input vigor firewall.png
GrayLog Indices - DOS.png
GrayLog input.png
Graylog Pipeline - DOS.png
PipeLines.png
Graylog Rules.png
Graylog Streams.png

Please Log in or Create an account to join the conversation.

More
30 May 2023 09:46 #102520 by pharcyder
Replied by pharcyder on topic Re: DOS attacks
Thanks for the overview. Are you log scraping into Graylog or using SNMP (or something else)? How does that bit work?

Please Log in or Create an account to join the conversation.

  • aimdev
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
30 May 2023 11:12 #102521 by aimdev
Replied by aimdev on topic Re: DOS attacks
No, direct syslog, read by graylog, parsed and then as I said earlier.
Graylog is not the easiest of products to understand, but basically

syslog -> streams -> pipelines -> database -> presentation (Grafina, Kibana or others).

Did you get the screenshots?

Please Log in or Create an account to join the conversation.

More
30 May 2023 13:01 #102525 by pharcyder
Replied by pharcyder on topic Re: DOS attacks
Thanks for the update. Doesn't appear I can PM you with my email from those screenshots :?

Please Log in or Create an account to join the conversation.

  • aimdev
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
30 May 2023 13:31 #102526 by aimdev
Replied by aimdev on topic Re: DOS attacks
Bit confused as the screen shots are from the Vigor & Graylog.
Please confirm you can read the screenshot's contents, which will assist your quest, if not I can email them if you supply an address.
Not sure if the Vigor Community forum support private messaging, couldn't find an option.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami