Community Annotations

Hijack alerts can optionally be annotated with an additional user-defined tag, which is assigned automatically based on the communities present in the hijack BGP updates.

Sample configuration snippet (note that reserved keywords are marked in bold; the annotations themselves are user-specific, therefore not reserved):

- prefixes:
  - ...
  - ...
  origin_asns:
  - ...
  - ...
  neighbors:
  - ...
  - ...
  community_annotations:
  - critical:
    - in:
      - 'asn:value'
      - ...
      out:
      - ...
      - ...
    - in:
      - ...
  - medium:
    - in:
      - ...
      - ...
      out:
      - ...
      - ...
  - low:
    - out:
      - ...

Logic: For an incoming BGP update, for each possible annotation, check if:

in_communities <= bgp_update_communities and out_communities.isdisjoint(bgp_update_communities)

If this holds, annotate the hijack event accordingly. Note that the order of the annotation list matters: annotations with lower list indexes have greater priority. For example, if a BGP update caused a "low" annotation, and another arrives that causes the "critical" annotation to match, the hijack event will be annotated with the annotation of the highest priority. In general, the annotation that comes first in list order is assigned. The default annotation (if the user has not configured anything community-wise in the rule) is "NA" (not applicable).

Note that the community annotation can be used in concert with logging customization, by editing the related .env variable HIJACK_LOG_FILTER. As an example:

HIJACK_LOG_FILTER=[{"community_annotation":"critical"},{"community_annotation":"NA"}]

This means that all alerts with annotations either "NA" or "critical" will be logged (in the mail, slack or hijack loggers, depending on your local deployment configuration). Alerts with annotations such as "medium", "low" etc. will be filtered and will not be included in the logs. Note that all hijack alerts are displayed in the UI (irrespective of their annotation), with their annotation properly marked.
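The following added example (not ARTEMIS's own code) works through the annotation logic and the log filter described above. The function names and the community values are constructed for illustration. It assumes that any one in/out pair under an annotation is enough to match, and that an empty filter logs everything.

```python
import json

DEFAULT = "NA"  # annotation when no rule matches

# Constructed rule block mirroring the YAML layout above ('asn:value' strings).
COMMUNITY_ANNOTATIONS = [
    {"critical": [{"in": ["64496:666"], "out": ["64496:100"]},
                  {"in": ["64497:1", "64497:2"]}]},
    {"medium": [{"in": ["64496:200"], "out": ["64496:300"]}]},
    {"low": [{"out": ["64496:999"]}]},
]

def annotate_update(update_communities, annotations=COMMUNITY_ANNOTATIONS):
    """Return (priority_index, tag) of the first annotation the update satisfies."""
    seen = set(update_communities)
    for index, entry in enumerate(annotations):
        for tag, conditions in entry.items():
            for cond in conditions:  # assumption: one matching in/out pair suffices
                wanted = set(cond.get("in", []))   # a missing 'in' matches any update
                banned = set(cond.get("out", []))  # a missing 'out' forbids nothing
                if wanted <= seen and banned.isdisjoint(seen):
                    return index, tag
    return len(annotations), DEFAULT

def annotate_hijack(updates, annotations=COMMUNITY_ANNOTATIONS):
    """Keep the highest-priority (lowest index) tag over all updates of one hijack."""
    best = (len(annotations), DEFAULT)
    for communities in updates:
        best = min(best, annotate_update(communities, annotations), key=lambda r: r[0])
    return best[1]

def is_logged(alert, log_filter):
    """An alert is logged if it matches any filter entry (assumed: empty filter logs all)."""
    return not log_filter or any(
        all(alert.get(key) == value for key, value in entry.items())
        for entry in log_filter)

# Same value as the HIJACK_LOG_FILTER sample above.
LOG_FILTER = json.loads(
    '[{"community_annotation":"critical"},{"community_annotation":"NA"}]')

if __name__ == "__main__":
    # The first update only satisfies "low"; the second upgrades the event to "critical".
    updates = [["64496:300"], ["64497:1", "64497:2", "64496:999"]]
    tag = annotate_hijack(updates)
    print(tag, is_logged({"community_annotation": tag}, LOG_FILTER))
```

Because the "low" rule in this sample has only an out list, every update that does not carry 64496:999 matches it, so "NA" appears only for updates that carry that community and match nothing higher.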