The engine is available for Debian versions 7 and later (GLIBC 2.14 or higher).
We developed this tool so that you can secure older servers and keep them receiving the latest updates of the bad-reputation address lists.
Artica PCAP filter is available for all amd64 Linux distributions. We use Debian as our preferred distribution, but it also works on Ubuntu, CentOS, Astra, RedHat...
Extract the tarball: tar -xf articapsniffer-Debian10-1.0.38.tar.gz -C /usr/local/bin/
Set permissions: chmod 0755 /usr/local/bin/articapsniffer
Use the -interface token to define the network card to monitor:
articapsniffer -interface eth0
Artica PCAP filter runs in daemon mode; tune the memory buffers according to your needs.
If you want to test the program quickly, you can use:
./articapsniffer-quick-setup-ipset
Add predefined sources with IPSet remediation
The second step is to add HTTPS or RBL sources that tell the engine which addresses to detect as malicious.
You can also create rules based on the country an IP address is located in, in order to mark it as malicious.
The whitelist is a software-internal database of addresses, networks and domains that are always authorized.
Artica PCAP sniffer supports 5 remediation modes.
Detected bad IPs (for example [1.2.3.4]) are written as entries to the log file. Artica writes its logs to /var/log/articapsniffer.log; the -syslog-on and -syslog-off tokens enable or disable additionally logging each suspicious address through syslog to kernel.log (as iptables does).
/var/log/articapsniffer.log is automatically rotated and compressed when it reaches 100 MB. To reduce or increase the rotation size, use the -max-logsize token.
Use the -log-status token to display the current logging configuration.
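IPSet is another of the remediation modes: the -current-config output on this page reports IPSet Mode ACTIVE, IPSet Object artica and an IPSet time-out of 5mn. The sniffer fills that set with detected addresses, but a set that no netfilter rule consults blocks nothing. The script below is an added example written for this page, not Artica's own code: it checks that the set exists and is referenced by a DROP rule and creates whichever is missing. The set name and the 5-minute time-out come from the configuration above; whether the daemon or the quick-setup script creates the set and the rule itself is not stated on this page, the timeout 300 on the set is assumed to match the daemon's 5mn, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Artica code: verify that the IPSet remediation the
# sniffer reports (IPSet Object "artica", time-out 5mn) can actually block
# traffic. The daemon fills the set; whether it also creates the set and the
# netfilter rule that consults it is not stated on the page, so this script
# checks both and creates what is missing. Function names are this example's own.
SET_NAME="artica"
SET_TIMEOUT=300          # 5mn in seconds, the unit ipset expects (assumed to match the daemon)

# Parse `ipset list <set>` output on stdin: print the member lines (each
# carries its remaining lifetime as "timeout N") and return 1 when the set
# reports "References: 0", i.e. no rule consults it and it blocks nothing.
ipset_members() {
    awk '
        /^References:/ { refs = $2 }
        /^Members:/    { in_members = 1; next }
        in_members && NF { print }
        END { exit (refs == 0) }
    '
}

# Create the set if the daemon has not, add the DROP rule if it is absent,
# then show what is currently blocked. Requires root, ipset and iptables.
ensure_remediation() {
    ipset -exist create "$SET_NAME" hash:ip timeout "$SET_TIMEOUT" || return 1
    if ! iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP || return 1
    fi
    if ! ipset list "$SET_NAME" | ipset_members; then
        echo "set $SET_NAME exists but no rule references it" >&2
        return 1
    fi
}

# Ask the kernel whether a single address is currently in the set.
is_blocked() {
    ipset test "$SET_NAME" "$1" 2>/dev/null
}

# Constructed sample of `ipset list artica` output (populated and referenced
# by one rule), so the parser can be exercised without root. Not captured
# from a real system.
sample_ipset_list() {
    cat <<'EOF'
Name: artica
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 296
References: 1
Number of entries: 2
Members:
5.42.199.2 timeout 287
198.51.100.7 timeout 12
EOF
}

# Run with --ensure to apply; when sourced, only the functions are defined.
if [ "${1:-}" = "--ensure" ]; then
    ensure_remediation
fi
```

The References count is the check worth remembering: the daemon can keep adding addresses to a set that no rule references, and nothing is dropped. Because entries expire on their own after the set's time-out, the DROP rule can stay in place permanently; if the host also routes traffic, the same match-set rule is needed in FORWARD.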
You can test whether an IP address is detected by using the -test-ip token:
articapsniffer -test-ip 1.2.3.4
The result is either BAD or GOOD.
Examples:
~# ./articapsniffer -test-ip 5.42.199.2
5.42.199.2 is BAD
~# ./articapsniffer -test-ip 37.187.156.2
37.187.156.2 is GOOD
The -current-config token displays all available settings:
./articapsniffer -current-config
Current Configuration of Artica PCAP Sniffer reputation checker:

NETWORK
-----------
Packet Capture...: INACTIVE
Listen Interface.: eth0 (used to monitor Network interface)
Packets Timeout..: 4s

Remediation Mode
-----------
White-listed.....: 8 record(s)
IPSet Mode.......: ACTIVE
IPSet Object.....: artica
IPSet Time-out...: 5mn

DAEMON Mode
-----------
Daemon Mode......: ACTIVE
PID File path....: /var/run/articapsniffer.pid
Update schedule..: 10mn (*/10 * * * *)

DNS
-----------
resolv.conf......: /etc/resolv.conf
DNS Timeout......: 2 seconds (Used for RBL queries)
DNS Server.......: 1.1.1.1 (Use for RBL query)
DNS Server.......: 8.8.8.8 (Use for RBL query)
RBL Server.......: b.barracudacentral.org expect 127.0.0.2
End of Configuration
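The DNS section above describes a standard DNSBL lookup: the four octets of the address are reversed, the RBL zone is appended, an A record is requested from one of the configured servers within the timeout, and an answer equal to the "expect" value means the address is listed. The following shell script is an added example written for this page, not Artica's code, that performs the same lookup with dig so you can confirm by hand why -test-ip reports an address BAD or GOOD. The zone, expected answer, servers and 2-second timeout are the values from the configuration output; the dig invocation, the handling of failed queries and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Artica code: redo the RBL lookup described by the
# -current-config output by hand, to see why -test-ip calls an address
# BAD or GOOD. Zone, expected answer, servers and timeout are the page's
# values; the dig usage and the function names are this example's own.
RBL_ZONE="b.barracudacentral.org"
RBL_EXPECT="127.0.0.2"
DNS_SERVERS="1.1.1.1 8.8.8.8"
DNS_TIMEOUT=2

# DNSBL query name: the four octets reversed, then the zone.
# 5.42.199.2 -> 2.199.42.5.b.barracudacentral.org; prints nothing for non-IPv4 input.
rbl_name() {
    echo "$1" | awk -F. -v zone="$RBL_ZONE" \
        '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone }'
}

# Read full dig output on stdin and print the A answers, one per line.
# NOERROR and NXDOMAIN are real answers (listed / not listed); anything
# else (SERVFAIL, REFUSED, timeout) returns 1 so it is never mistaken for GOOD.
rbl_answers() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    case $status in
        NOERROR)  printf '%s\n' "$out" | awk '/^[^;]/ && $4 == "A" { print $5 }' ;;
        NXDOMAIN) ;;
        *)        echo "RBL query failed (status: ${status:-none})" >&2; return 1 ;;
    esac
}

# Map answers (stdin, one per line) to the BAD/GOOD wording of -test-ip.
# Only the configured "expect" value counts as a listing; other 127.0.0.x
# return codes are reported so a policy change on the RBL side is noticed.
rbl_verdict() {
    verdict="GOOD"
    while read -r answer; do
        if [ "$answer" = "$RBL_EXPECT" ]; then
            verdict="BAD"
        elif [ -n "$answer" ]; then
            echo "unexpected RBL answer: $answer" >&2
        fi
    done
    echo "$verdict"
}

# Query the configured servers in turn. Needs dig (dnsutils/bind-utils) and network access.
rbl_check() {
    name=$(rbl_name "$1")
    [ -n "$name" ] || { echo "not an IPv4 address: $1" >&2; return 2; }
    for server in $DNS_SERVERS; do
        if answers=$(dig +time="$DNS_TIMEOUT" +tries=1 "@$server" "$name" A | rbl_answers); then
            echo "$1 is $(printf '%s\n' "$answers" | rbl_verdict)"
            return 0
        fi
    done
    echo "no usable answer for $name from $DNS_SERVERS within ${DNS_TIMEOUT}s" >&2
    return 1
}

# Constructed sample of dig output for a listed address, so the parsing can
# be run offline; not captured from the real RBL.
sample_dig_output() {
    cat <<'EOF'
; <<>> DiG 9.16.1 <<>> +time=2 +tries=1 @1.1.1.1 2.199.42.5.b.barracudacentral.org A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; QUESTION SECTION:
;2.199.42.5.b.barracudacentral.org. IN A

;; ANSWER SECTION:
2.199.42.5.b.barracudacentral.org. 300 IN A 127.0.0.2
EOF
}

# With an address argument, check it; when sourced, only define the functions.
if [ $# -gt 0 ]; then
    rbl_check "$1"
fi
```

Two details matter in practice. An answer other than the configured expect value is reported on stderr rather than counted as a listing, because many RBLs use several 127.0.0.x codes for different categories and a silent mismatch would hide a change on the list's side. And a SERVFAIL, REFUSED or timed-out query is an error, not a GOOD verdict: a resolver that cannot reach the RBL must not make every address look clean.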