.nh
.TH "FEVER\-RUN" "1" "Jun 2021" "FEVER" ""
.SH NAME
.PP
fever\-run \- start FEVER service
.SH SYNOPSIS
.PP
\fBfever run [flags]\fP
.SH DESCRIPTION
.PP
The 'run' command starts the FEVER service, consuming events from the input and executing all processing components.
.SH OPTIONS
.PP
\fB\-\-active\-rdns\fP[=false]
	enable active rDNS enrichment for src/dst IPs
.PP
\fB\-\-active\-rdns\-cache\-expiry\fP=2m0s
	cache expiry interval for rDNS lookups
.PP
\fB\-\-active\-rdns\-private\-only\fP[=false]
	only do active rDNS enrichment for RFC1918 IPs
.PP
\fB\-\-bloom\-alert\-prefix\fP="BLF"
	String prefix for Bloom filter alerts
.PP
\fB\-\-bloom\-blacklist\-iocs\fP=[/,/index.htm,/index.html]
	Blacklisted strings in Bloom filter (will cause filter to be rejected)
.PP
\fB\-b\fP, \fB\-\-bloom\-file\fP=""
	Bloom filter for external indicator screening
.PP
\fB\-z\fP, \fB\-\-bloom\-zipped\fP[=false]
	use gzipped Bloom filter file
.PP
\fB\-c\fP, \fB\-\-chunksize\fP=50000
	chunk size for batched event handling (e.g. inserts)
.PP
\fB\-\-context\-cache\-timeout\fP=1h0m0s
	time for flow metadata to be kept for uncompleted flows
.PP
\fB\-\-context\-enable\fP[=false]
	collect and forward flow context for alerted flows
.PP
\fB\-\-context\-submission\-exchange\fP="context"
	Exchange to which flow context events will be submitted
.PP
\fB\-\-context\-submission\-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which flow context will be submitted
.PP
\fB\-d\fP, \fB\-\-db\-database\fP="events"
	database name
.PP
\fB\-\-db\-enable\fP[=false]
	write events to database
.PP
\fB\-s\fP, \fB\-\-db\-host\fP="localhost:5432"
	database host
.PP
\fB\-\-db\-maxtablesize\fP=500
	Maximum allowed cumulative table size in GB
.PP
\fB\-m\fP, \fB\-\-db\-mongo\fP[=false]
	use MongoDB
.PP
\fB\-p\fP, \fB\-\-db\-password\fP="sensor"
	database password
.PP
\fB\-\-db\-rotate\fP=1h0m0s
	time interval for database table rotations
.PP
\fB\-u\fP, \fB\-\-db\-user\fP="sensor"
	database user
.PP
\fB\-\-dummy\fP[=false]
	log locally instead of sending home
.PP
\fB\-\-flowextract\-bloom\-selector\fP=""
	IP address Bloom filter to select flows to extract
.PP
\fB\-\-flowextract\-enable\fP[=false]
	extract and forward flow metadata
.PP
\fB\-\-flowextract\-submission\-exchange\fP="flows"
	Exchange to which raw flow events will be submitted
.PP
\fB\-\-flowextract\-submission\-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which raw flow events will be submitted
.PP
\fB\-n\fP, \fB\-\-flowreport\-interval\fP=0s
	time interval for report submissions
.PP
\fB\-\-flowreport\-nocompress\fP[=false]
	send uncompressed flow reports (default is gzip)
.PP
\fB\-\-flowreport\-submission\-exchange\fP="aggregations"
	Exchange to which flow reports will be submitted
.PP
\fB\-\-flowreport\-submission\-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which flow reports will be submitted
.PP
\fB\-\-flushcount\fP=100000
	maximum number of events in one batch (e.g. for flow extraction)
.PP
\fB\-f\fP, \fB\-\-flushtime\fP=1m0s
	time interval for event aggregation
.PP
\fB\-T\fP, \fB\-\-fwd\-all\-types\fP[=false]
	forward all event types
.PP
\fB\-t\fP, \fB\-\-fwd\-event\-types\fP=[alert,stats]
	event types to forward to socket
.PP
\fB\-\-heartbeat\-enable\fP[=false]
	Forward HTTP heartbeat event
.PP
\fB\-\-heartbeat\-times\fP=[]
	Times of day to send heartbeat (list of 24h HH:MM strings)
.PP
\fB\-h\fP, \fB\-\-help\fP[=false]
	help for run
.PP
\fB\-\-in\-buffer\-drop\fP[=true]
	drop incoming events on FEVER side instead of blocking the input socket
.PP
\fB\-\-in\-buffer\-length\fP=500000
	input buffer length (counted in EVE objects)
.PP
\fB\-r\fP, \fB\-\-in\-redis\fP=""
	Redis input server (assumes "suricata" list key, no password)
.PP
\fB\-\-in\-redis\-nopipe\fP[=false]
	do not use Redis pipelining
.PP
\fB\-i\fP, \fB\-\-in\-socket\fP="/tmp/suri.sock"
	filename of input socket (accepts EVE JSON)
.PP
\fB\-\-ip\-alert\-prefix\fP="IP\-BLACKLIST"
	String prefix for IP blacklist alerts
.PP
\fB\-\-ip\-blacklist\fP=""
	List with IP ranges to alert on
.PP
\fB\-\-logfile\fP=""
	Path to log file
.PP
\fB\-\-logjson\fP[=false]
	Output logs in JSON format
.PP
\fB\-\-metrics\-enable\fP[=false]
	submit performance metrics to central sink
.PP
\fB\-\-metrics\-submission\-exchange\fP="metrics"
	Exchange to which metrics will be submitted
.PP
\fB\-\-metrics\-submission\-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which metrics will be submitted
.PP
\fB\-o\fP, \fB\-\-out\-socket\fP="/tmp/suri\-forward.sock"
	path to output socket (to forwarder), empty string disables forwarding
.PP
\fB\-\-pdns\-enable\fP[=false]
	collect and forward aggregated passive DNS data
.PP
\fB\-\-pdns\-submission\-exchange\fP="pdns"
	Exchange to which passive DNS events will be submitted
.PP
\fB\-\-pdns\-submission\-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which passive DNS events will be submitted
.PP
\fB\-\-profile\fP=""
	enable runtime profiling to given file
.PP
\fB\-\-reconnect\-retries\fP=0
	number of retries connecting to socket or sink, 0 = no retry limit
.PP
\fB\-\-stenosis\-cache\-expiry\fP=30m0s
	alert cache expiry timeout
.PP
\fB\-\-stenosis\-client\-chain\-file\fP="stenosis.crt"
	certificate file for Stenosis TLS connection
.PP
\fB\-\-stenosis\-client\-key\-file\fP="stenosis.key"
	key file for Stenosis TLS connection
.PP
\fB\-\-stenosis\-enable\fP[=false]
	notify Stenosis instance on alert
.PP
\fB\-\-stenosis\-interface\fP="*"
	interface to watch events for
.PP
\fB\-\-stenosis\-root\-cas\fP=[root.crt]
	root certificate(s) for TLS connection to Stenosis
.PP
\fB\-\-stenosis\-skipverify\fP[=false]
	skip TLS certificate verification
.PP
\fB\-\-stenosis\-submission\-timeout\fP=5s
	timeout for connecting to Stenosis
.PP
\fB\-\-stenosis\-submission\-url\fP="http://localhost:19205"
	URL to which Stenosis requests will be submitted
.PP
\fB\-\-stenosis\-tls\fP[=false]
	use TLS for Stenosis
.PP
\fB\-\-toolname\fP="fever"
	set toolname
.PP
\fB\-v\fP, \fB\-\-verbose\fP[=false]
	enable verbose logging (debug log level)
.SH OPTIONS INHERITED FROM PARENT COMMANDS
.PP
\fB\-\-config\fP=""
	config file (default is $HOME/.fever.yaml)
.SH SEE ALSO
.PP
\fBfever(1)\fP
.SH HISTORY
.PP
25\-Jun\-2021 Auto generated by spf13/cobra
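.SH EXAMPLE
.PP
The options above ship with several defaults that are convenient on a test box but should not reach a production sensor: every AMQP submission URL carries the guest:guest credentials, the database password defaults to "sensor", Stenosis notification is plain HTTP unless \-\-stenosis\-tls is set, and \-\-stenosis\-skipverify turns certificate checking off. The following pre\-flight check is an added example, not part of FEVER or of this generated page; it knows only the flags and defaults listed in OPTIONS, and it assumes the arguments are written as \-\-flag, \-\-flag=true/false or \-\-flag=value (the short forms such as \-p and \-n are not parsed). Run it against the argument list you intend to pass to fever run; it prints one line per finding and exits non\-zero when anything was flagged.

```shell
#!/bin/sh
# Added example (not FEVER code): audit a `fever run` argument list for
# settings that keep the documented insecure defaults.  Only the long
# --flag / --flag=value forms from the OPTIONS section are recognised.

FEVER_FINDINGS=0

note() {
    # Record one finding and print it.
    FEVER_FINDINGS=$((FEVER_FINDINGS + 1))
    printf 'finding: %s\n' "$1"
}

is_default_amqp() {
    # True when the URL is empty (so the man-page default
    # amqp://guest:guest@localhost:5672/ applies) or when a URL was given
    # that still carries the guest:guest credentials of that default.
    case "$1" in ''|*://guest:guest@*) return 0 ;; esac
    return 1
}

check_sink() {
    # $1 = sink name, $2 = 1 if that sink is enabled, $3 = URL from the arguments.
    if [ "$2" -eq 1 ] && is_default_amqp "$3"; then
        note "$1: submission URL uses the default AMQP credentials guest:guest"
    fi
}

# Audit the given `fever run` arguments.  Prints findings, leaves the count
# in FEVER_FINDINGS and returns 0 only when nothing was flagged.
audit_fever_args() {
    FEVER_FINDINGS=0
    db=0 dbpw=sensor st=0 sttls=0          # "sensor" is the documented default
    ctx=0 flx=0 met=0 pdns=0 rep=0
    ctx_url='' flx_url='' met_url='' pdns_url='' rep_url=''
    for arg in "$@"; do
        case "$arg" in
            --db-enable|--db-enable=true)                   db=1 ;;
            --db-password=*)                                dbpw=${arg#*=} ;;
            --stenosis-enable|--stenosis-enable=true)       st=1 ;;
            --stenosis-tls|--stenosis-tls=true)             sttls=1 ;;
            --stenosis-skipverify|--stenosis-skipverify=true)
                note "stenosis: TLS certificate verification disabled" ;;
            --context-enable|--context-enable=true)         ctx=1 ;;
            --context-submission-url=*)                     ctx_url=${arg#*=} ;;
            --flowextract-enable|--flowextract-enable=true) flx=1 ;;
            --flowextract-submission-url=*)                 flx_url=${arg#*=} ;;
            --metrics-enable|--metrics-enable=true)         met=1 ;;
            --metrics-submission-url=*)                     met_url=${arg#*=} ;;
            --pdns-enable|--pdns-enable=true)               pdns=1 ;;
            --pdns-submission-url=*)                        pdns_url=${arg#*=} ;;
            --flowreport-interval=*)
                # Reports are only sent when the interval is non-zero.
                if [ "${arg#*=}" != 0s ]; then rep=1; fi ;;
            --flowreport-submission-url=*)                  rep_url=${arg#*=} ;;
        esac
    done
    if [ "$db" -eq 1 ] && [ "$dbpw" = sensor ]; then
        note "db: database password is the documented default 'sensor'"
    fi
    if [ "$st" -eq 1 ] && [ "$sttls" -eq 0 ]; then
        note "stenosis: enabled without --stenosis-tls"
    fi
    check_sink context     "$ctx"  "$ctx_url"
    check_sink flowextract "$flx"  "$flx_url"
    check_sink metrics     "$met"  "$met_url"
    check_sink pdns        "$pdns" "$pdns_url"
    check_sink flowreport  "$rep"  "$rep_url"
    [ "$FEVER_FINDINGS" -eq 0 ]
}

# Constructed sample invocation (not a real deployment): expect three findings,
# one each for the default DB password, Stenosis without TLS and the default
# metrics sink credentials.
audit_fever_args --stenosis-enable --metrics-enable --db-enable \
    || echo "total findings: $FEVER_FINDINGS"
```

The same check can be run on the flag values taken from the config file named by \-\-config, since cobra maps each flag to a key of the same name; the script deliberately treats an absent submission URL as a finding because the documented default is the one with embedded credentials.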