Man page - fever-run(1)
FEVER-RUN
NAME
fever-run - start FEVER service
SYNOPSIS
fever run [flags]
DESCRIPTION
The 'run' command starts the FEVER service, consuming events from the input and executing all processing components.
OPTIONS
--active-rdns[=false]
    enable active rDNS enrichment for src/dst IPs

--active-rdns-cache-expiry=2m0s
    cache expiry interval for rDNS lookups

--active-rdns-private-only[=false]
    only do active rDNS enrichment for RFC1918 IPs

--bloom-alert-prefix="BLF"
    String prefix for Bloom filter alerts

--bloom-blacklist-iocs=[/,/index.htm,/index.html]
    Blacklisted strings in Bloom filter (will cause filter to be rejected)

-b, --bloom-file=""
    Bloom filter for external indicator screening

-z, --bloom-zipped[=false]
    use gzipped Bloom filter file

-c, --chunksize=50000
    chunk size for batched event handling (e.g. inserts)

--context-cache-timeout=1h0m0s
    time for flow metadata to be kept for uncompleted flows

--context-enable[=false]
    collect and forward flow context for alerted flows

--context-submission-exchange="context"
    Exchange to which flow context events will be submitted

--context-submission-url="amqp://guest:guest@localhost:5672/"
    URL to which flow context will be submitted

-d, --db-database="events"
    database DB

--db-enable[=false]
    write events to database

-s, --db-host="localhost:5432"
    database host

--db-maxtablesize=500
    Maximum allowed cumulative table size in GB

-m, --db-mongo[=false]
    use MongoDB

-p, --db-password="sensor"
    database password

--db-rotate=1h0m0s
    time interval for database table rotations

-u, --db-user="sensor"
    database user

--dummy[=false]
    log locally instead of sending home

--flowextract-bloom-selector=""
    IP address Bloom filter to select flows to extract

--flowextract-enable[=false]
    extract and forward flow metadata

--flowextract-submission-exchange="flows"
    Exchange to which raw flow events will be submitted

--flowextract-submission-url="amqp://guest:guest@localhost:5672/"
    URL to which raw flow events will be submitted

-n, --flowreport-interval=0s
    time interval for report submissions

--flowreport-nocompress[=false]
    send uncompressed flow reports (default is gzip)

--flowreport-submission-exchange="aggregations"
    Exchange to which flow reports will be submitted

--flowreport-submission-url="amqp://guest:guest@localhost:5672/"
    URL to which flow reports will be submitted

--flushcount=100000
    maximum number of events in one batch (e.g. for flow extraction)

-f, --flushtime=1m0s
    time interval for event aggregation

-T, --fwd-all-types[=false]
    forward all event types

-t, --fwd-event-types=[alert,stats]
    event types to forward to socket

--heartbeat-enable[=false]
    Forward HTTP heartbeat event

--heartbeat-times=[]
    Times of day to send heartbeat (list of 24h HH:MM strings)

-h, --help[=false]
    help for run

--in-buffer-drop[=true]
    drop incoming events on FEVER side instead of blocking the input socket

--in-buffer-length=500000
    input buffer length (counted in EVE objects)

-r, --in-redis=""
    Redis input server (assumes "suricata" list key, no pwd)

--in-redis-nopipe[=false]
    do not use Redis pipelining

-i, --in-socket="/tmp/suri.sock"
    filename of input socket (accepts EVE JSON)

--ip-alert-prefix="IP-BLACKLIST"
    String prefix for IP blacklist alerts

--ip-blacklist=""
    List with IP ranges to alert on

--logfile=""
    Path to log file

--logjson[=false]
    Output logs in JSON format

--metrics-enable[=false]
    submit performance metrics to central sink

--metrics-submission-exchange="metrics"
    Exchange to which metrics will be submitted

--metrics-submission-url="amqp://guest:guest@localhost:5672/"
    URL to which metrics will be submitted

-o, --out-socket="/tmp/suri-forward.sock"
    path to output socket (to forwarder), empty string disables forwarding

--pdns-enable[=false]
    collect and forward aggregated passive DNS data

--pdns-submission-exchange="pdns"
    Exchange to which passive DNS events will be submitted

--pdns-submission-url="amqp://guest:guest@localhost:5672/"
    URL to which passive DNS events will be submitted

--profile=""
    enable runtime profiling to given file

--reconnect-retries=0
    number of retries connecting to socket or sink, 0 = no retry limit

--toolname="fever"
    set toolname

-v, --verbose[=false]
    enable verbose logging (debug log level)

OPTIONS INHERITED FROM PARENT COMMANDS
--config=""
    config file (default is $HOME/.fever.yaml)

--mgmt-host=""
    hostname:port definition for management server

--mgmt-network="tcp"
    network (tcp/udp) definition for management server

--mgmt-socket="/tmp/fever-mgmt.sock"
    Socket path for management server

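As an added example (not from this man page or the FEVER project), the POSIX shell function below checks a planned `fever run` argument list against the defaults documented above that should not survive into production: the guest:guest AMQP sink URLs, the "sensor" database password and the socket paths under /tmp. It assumes long flags in --flag=value form, covers the four sinks that have an --<sink>-enable flag (context, flowextract, metrics, pdns), and fever_preflight is a hypothetical name.

```shell
#!/bin/sh
# Added example, not part of the fever man page or the FEVER project.
# Preflight check for a planned `fever run` argument list. It reports the
# documented defaults a deployment should override: the
# amqp://guest:guest@localhost:5672/ sink URLs (used whenever a
# --<sink>-enable flag is set without --<sink>-submission-url), the "sensor"
# database password (used with --db-enable and no --db-password) and
# socket paths under /tmp. Assumes long flags in --flag=value form.
fever_preflight() {
    findings=0
    enabled=""        # sinks switched on via --<sink>-enable
    urls=""           # sinks given an explicit --<sink>-submission-url
    db_enabled=0
    db_password_set=0
    for arg in "$@"; do
        case "$arg" in *-enable=true) arg="${arg%=true}" ;; esac
        case "$arg" in
            --context-enable|--flowextract-enable|--metrics-enable|--pdns-enable)
                enabled="$enabled ${arg#--}" ;;
            --*-submission-url=*)
                s="${arg#--}"; urls="$urls ${s%%-submission-url=*}-enable"
                case "$arg" in *amqp://guest:guest@*)
                    echo "WARN: default guest:guest AMQP credentials: $arg"
                    findings=$((findings + 1)) ;;
                esac ;;
            --db-enable) db_enabled=1 ;;
            --db-password=sensor)
                db_password_set=1
                echo "WARN: default database password 'sensor'"
                findings=$((findings + 1)) ;;
            --db-password=*) db_password_set=1 ;;
            --in-socket=/tmp/*|--out-socket=/tmp/*|--mgmt-socket=/tmp/*)
                echo "WARN: socket under world-writable /tmp: $arg"
                findings=$((findings + 1)) ;;
        esac
    done
    # A sink that is enabled but given no URL silently uses the guest:guest default.
    for e in $enabled; do
        case " $urls " in *" $e "*) ;; *)
            echo "WARN: $e without --${e%-enable}-submission-url uses the guest:guest default"
            findings=$((findings + 1)) ;;
        esac
    done
    if [ "$db_enabled" -eq 1 ] && [ "$db_password_set" -eq 0 ]; then
        echo "WARN: --db-enable without --db-password falls back to 'sensor'"
        findings=$((findings + 1))
    fi
    return "$findings"    # number of findings; 0 means nothing to fix
}
```

Run it as `fever_preflight --db-enable --context-enable --in-socket=/tmp/suri.sock` before starting the service; a non-zero exit status is the number of findings.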
SEE ALSO
fever(1)