Local feeds via ExaBGP
Configuration
If not already changed, change the following source mapping from here to:

```
- ./local_configs/monitor/exabgp.conf:/home/config/exabgp.conf
```
```
group r1 {
    router-id <PUBLIC_IP>; # the public IP of your ARTEMIS host
    process message-logger {
        encoder json;
        receive {
            parsed;
            update;
            neighbor-changes;
        }
        run /usr/lib/python2.7.14/bin/python /home/server.py;
    }
    neighbor <NEIGHBOR_IP> { # the IP of your BGP router/etc.
        local-address <LOCAL_LAN_IP>; # the local LAN IP of your ARTEMIS host
        local-as <LOCAL_ASN>; # the local (private) exaBGP monitor ASN that you will use for peering
        peer-as <PEER_ASN>; # your ASN from which the exaBGP monitor will receive the feed
    }
}
```
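With `encoder json` and `receive { parsed; update; neighbor-changes; }`, ExaBGP writes one JSON document per line to the stdin of the process started by `run`. The following is an added example, not the page's or ARTEMIS's own `server.py`, of turning those lines into announce/withdraw records; the JSON field layout is assumed to be ExaBGP 4's and every sample message is constructed.

```python
import json
# Constructed sample lines in the shape ExaBGP writes to the process's stdin under
# "encoder json; receive { parsed; update; neighbor-changes; }" (ExaBGP 4 JSON layout, assumed).
SAMPLE_LINES = [
    json.dumps({"type": "state", "neighbor": {"address": {"peer": "10.0.0.1"}, "state": "up"}}),
    json.dumps({"type": "update", "neighbor": {
        "address": {"local": "10.0.0.2", "peer": "10.0.0.1"},
        "asn": {"local": 65001, "peer": 65000}, "direction": "receive",
        "message": {"update": {
            "attribute": {"origin": "igp", "as-path": [65000, 65010]},
            "announce": {"ipv4 unicast": {"10.0.0.1": [{"nlri": "192.0.2.0/24"}]}}}}}}),
    json.dumps({"type": "update", "neighbor": {
        "address": {"local": "10.0.0.2", "peer": "10.0.0.1"},
        "asn": {"local": 65001, "peer": 65000}, "direction": "receive",
        "message": {"update": {"withdraw": {"ipv4 unicast": [{"nlri": "198.51.100.0/24"}]}}}}}),
    "garbage that is not JSON",  # a corrupted line must not take the whole feed down
]

def parse_exabgp_line(line):
    """One ExaBGP JSON line -> records with type "A"/"W", prefix, AS path, peer ASN and IP.
    State changes, unknown message types and malformed lines yield no records."""
    try:
        msg = json.loads(line)
    except ValueError:
        return []
    if msg.get("type") != "update":
        return []
    nb = msg.get("neighbor", {})
    peer_ip = nb.get("address", {}).get("peer")
    peer_asn = nb.get("asn", {}).get("peer")
    update = nb.get("message", {}).get("update", {})
    path = update.get("attribute", {}).get("as-path", [])
    records = []
    # announce: {family: {next-hop: [{"nlri": prefix}, ...]}}; families include ipv4/ipv6 unicast
    for by_nexthop in update.get("announce", {}).values():
        for nlris in by_nexthop.values():
            for entry in nlris:
                records.append({"type": "A", "prefix": entry["nlri"], "path": path,
                                "peer_asn": peer_asn, "peer_ip": peer_ip})
    # withdraw: {family: [{"nlri": prefix}, ...]}; a withdrawal carries no AS path
    for nlris in update.get("withdraw", {}).values():
        for entry in nlris:
            records.append({"type": "W", "prefix": entry["nlri"], "path": [],
                            "peer_asn": peer_asn, "peer_ip": peer_ip})
    return records

def parse_feed(lines):
    # In the real process this would iterate over sys.stdin line by line.
    return [rec for line in lines for rec in parse_exabgp_line(line)]
```

The state message and the malformed line are dropped, so only the announcement and the withdrawal reach the detection side.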
```
docker-compose stop
docker-compose -f docker-compose.yaml -f docker-compose.exabgp.yaml up -d
```
https://<ARTEMIS_HOST>/admin/system
```yaml
...
monitors:
  ...
  exabgp:
    - ip: exabgp # this will automatically be resolved to the exabgp container's IP
      port: 5000 # default port
...
```
Notes
- We strongly recommend the use of eBGP instead of iBGP sessions between the exaBGP monitor and the local router(s), in order to have information that can be better used by the detection system.
- Since the exaBGP container is one layer behind the networking stack of the ARTEMIS host, establishing a successful eBGP connection between your router and exaBGP will require properly setting the ebgp-multihop attribute on your router, e.g.,

```
router bgp <my_as>
neighbor <exabgp_public_ip> ebgp-multihop 2 # if the router is one physical hop away
```

- For all options on how to properly configure exaBGP, please visit this page. Some useful options are the following:

```
# within the neighbor section to set up md5 passwords
md5-password <md5-secret>;

# within the neighbor section to set up both v4 and v6 advertisements
family {
    ipv4 unicast;
    ipv6 unicast;
}

# the following section goes before the neighbor section to add a route refresh capability
# needed to retrieve all prefixes from neighbor routers on monitor startup
capability {
    route-refresh enable;
}
```