-
Notifications
You must be signed in to change notification settings - Fork 18
/
Copy pathcheck_ddos.pl
executable file
·113 lines (98 loc) · 2.99 KB
/
check_ddos.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#!/usr/bin/perl -w
#
# check_ddos
# Check DDOS attack plugin for Nagios
#
# Nicolas Hennion (aka Nicolargo)
#
# History:
# - 0.4: correct sort (thx to Zorgh)
# - 0.3: add the -t option to netstat
#
#==================================================
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Library General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor Boston, MA 02110-1301, USA
#
# http://www.gnu.org/licenses/gpl.txt
#
#==================================================
my $program_name = "check_ddos.pl";
my $program_version = "0.4";
my $program_date = "02/2011";
# Libraries
#----------
use strict;
use lib "/usr/local/nagios/libexec";
use Getopt::Std;
# Globals variables
#------------------
my $netstat = '/bin/netstat -ant';
my %ERRORS = ('UNKNOWN' , '3',
'OK' , '0',
'WARNING', '1',
'CRITICAL', '2' );
my $state = "UNKNOWN";
my $answer = "";
my $warning;
my $critical;
# Programs argument management
#-----------------------------
my %opts = ();
getopts("hvw:c:", \%opts);
if ($opts{v}) {
# Display the version
print "$program_name $program_version ($program_date)\n";
exit(-1);
}
if ($opts{h} || (!$opts{w} || !$opts{c})) {
# Help
print "$program_name $program_version\n";
print "usage: ", $program_name," [options]\n";
print " -h: Print the command line help\n";
print " -v: Print the program version\n";
print " -w <int>: Warning value (number of SYN_RECV)\n";
print " -c <int>: Critical value (number of SYN_RECV)\n";
exit (-1);
}
# Get the warning value
if ($opts{w}) {
$warning = $opts{w};
}
# Get the warning value
if ($opts{c}) {
$critical = $opts{c};
}
# Main program
#-------------
system("$netstat > /tmp/check_ddos.res") == 0
or die "$state: $netstat failed ($?)";
my $ddos = `grep SYN_RECV /tmp/check_ddos.res | wc -l`;
chomp $ddos;
# my $output = `grep SYN_RECV /tmp/check_ddos.res | awk {'print \$5'} | cut -f 1 -d ":" | sort | uniq -c | sort -rn | head -10`;
my $output = `grep SYN_RECV /tmp/check_ddos.res | awk {'print \$5'} | cut -f 1 -d ":" | sort | uniq -c | sort -k1,1rn | head -10`;
if ($ddos >= $warning) {
if ($ddos >= $critical) {
$state = "CRITICAL";
} else {
$state = "WARNING";
}
print "DDOS attack.\nTop 10 SYN_RECV sources:\n$output";
} else {
$state = "OK";
print "No DDOS attack detected ($ddos/$warning).\n";
}
system("rm -f /tmp/check_ddos.res") == 0
or die "$state: Can not delete /tmp/check_ddos.res ($?)";
exit $ERRORS{$state};
# The end...