On Thu, 15 Dec 2022 19:03:45 +0000 "Compton, Rich A" <rich.comp...@charter.com> wrote:
> Hi, I have a few (~20) lists of IPs provided by Shadowserver
> (https://www.shadowserver.org) on a daily basis. Some lists contain
> a few hundred IPs and some contain tens of thousands of IPs. I want
> to have pmacct filter out netflow records that do not have a
> destination IP contained in these lists. Example logic would be: If
> the netflow record is destined to an IP in the open DNS server list
> and on UDP dst port 53 Then store netflow record Else If the netflow
> record is destined to an IP in the open NTP server list and on UDP
> dst port 123 Then store netflow record ..additional lists... Else
> drop netflow record
>
> Is there a way to do this? It seems like there would be too many
> entries for BPF. Also, I want to dynamically update these lists
> every night.

My first thought is to do this on the database side. However, that means collecting all the traffic with pmacct and I've no idea whether that would consist of too much traffic volume.

Anyhow, I'd use Postgres (I suppose MariaDB would do just as well) and put insert triggers on the table. The trigger would silently drop inserted rows appearing in your list of IP numbers. You'd keep the list of IP numbers in your database. Updating your IP list in a transaction would let you do something simple like deleting all of them and then inserting the new list.

I've put no thought into this. There may well be a much better way.

Regards,

Karl <k...@karlpinc.com>
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
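
Added example, not part of the original message and not pmacct's own code: a PostgreSQL version of the insert-trigger approach from the reply, applied to the store/drop logic in the quoted question. The table, column, function and list names are assumptions, and the addresses are constructed samples.

```sql
-- Hypothetical, simplified flow table; the column names are assumptions.
-- Adapt them to the table your collector actually writes to.
CREATE TABLE flows (
    ip_src   inet        NOT NULL,
    ip_dst   inet        NOT NULL,
    port_dst integer     NOT NULL,
    ip_proto smallint    NOT NULL,   -- 17 = UDP
    packets  bigint      NOT NULL,
    bytes    bigint      NOT NULL,
    stamp    timestamptz NOT NULL DEFAULT now()
);

-- One row per listed IP; list_name identifies the feed (names are made up).
CREATE TABLE watch_ips (
    list_name text     NOT NULL,
    ip        inet     NOT NULL,
    ip_proto  smallint NOT NULL,
    port      integer  NOT NULL,
    PRIMARY KEY (ip, ip_proto, port, list_name)
);

CREATE FUNCTION keep_listed_flows() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF EXISTS (SELECT 1 FROM watch_ips w
               WHERE w.ip = NEW.ip_dst
                 AND w.ip_proto = NEW.ip_proto
                 AND w.port = NEW.port_dst) THEN
        RETURN NEW;   -- destination and port are on a list: store the row
    END IF;
    RETURN NULL;      -- not listed: skip the insert without raising an error
END;
$$;

-- EXECUTE FUNCTION needs PostgreSQL 11+; older releases use EXECUTE PROCEDURE.
CREATE TRIGGER flows_keep_listed
    BEFORE INSERT ON flows
    FOR EACH ROW EXECUTE FUNCTION keep_listed_flows();

-- Nightly refresh of one list: delete and reload in a single transaction, so
-- concurrent inserts see the old list or the new one, never an empty one.
BEGIN;
DELETE FROM watch_ips WHERE list_name = 'open_dns';
INSERT INTO watch_ips (list_name, ip, ip_proto, port) VALUES
    ('open_dns', '192.0.2.10',   17, 53),   -- constructed sample addresses
    ('open_dns', '198.51.100.7', 17, 53);
COMMIT;
```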