Automatic TCPDUMP during a DDoS attack

Anonymous | 2016-08-15 11:09:29 UTC | #1

Hello,

While searching the internet, I found a script that automatically saves logs to a .cap file using tcpdump.
Maybe it will be useful to you :)

Author: http://xnite.org/

[code]<?php
/*
DDoS Detection & Packet Capture Script
Written by Robert 'xnite' Whitney
Website: http://xnite.org
Email: [email protected]

Run script as root via crontab every 5 to 10 minutes.
Ensure all dependencies are satisfied before running this script (ifstat, tcpdump, php).
This script will only allow a single tcpdump process to run at once.
*/

// Configuration
$CONFIG = [
    'device' => 'eth0',              // Usually eth0; if you are unsure, you can find the device name by running ifconfig.
    'reportspeed' => '15',           // MBps at which you want to start capturing.
    'packets2capture' => '1000',     // Number of packets to capture in the pcap dump.
    'saveto' => '/var/log/ddos'      // Path to save DDoS pcap logs to, without the trailing /.
];

// Do not edit below this line!

// ifstat prints KB/s in and KB/s out; grep pulls the two decimal numbers into $iospeed[0] and $iospeed[1].
exec("/usr/bin/ifstat .5 1 | /bin/grep -oE '[0-9]{1,9}\.[0-9]{1,9}'", $iospeed);
$reportspeed = $CONFIG['reportspeed'] * 1024; // threshold converted from MB/s to KB/s
$ts = date('U');
$folder = $CONFIG['saveto'];
$interface = $CONFIG['device'];
$packnum = $CONFIG['packets2capture'];
if ($iospeed[0] + $iospeed[1] >= $reportspeed) {
    echo ($iospeed[0] + $iospeed[1]) . " is equal to or greater than $reportspeed.\n";
    echo "Capturing tcpdump.\nPackets: $packnum\nInterface: $interface\nSaving to: $folder/$ts.ddos.pcap\n";
    exec("/usr/bin/pkill -9 tcpdump"); // stop any previous capture so only one tcpdump runs
    exec("/usr/sbin/tcpdump -nn -i $interface -s 0 -c $packnum -w $folder/$ts.ddos.pcap");
} else {
    echo ($iospeed[0] + $iospeed[1]) . " is less than $reportspeed.\n";
}
?>[/code]
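A Python version of the same cron check, as an added example (mine, not xnite's code): it parses ifstat's KB/s columns, treats a missing sample as "do not capture", and uses a lock file so that two overlapping cron runs do not kill each other's tcpdump. The lock path and the embedded ifstat sample are assumptions; ifstat's -i flag selects the interface.

```python
"""Threshold check + capture, as an added example (not xnite's script). Assumes
ifstat's default output: header lines, then a line of KB/s in / KB/s out floats."""
import fcntl
import re
import subprocess
import time

DEVICE = "eth0"
REPORT_MBPS = 15                      # same role as $CONFIG['reportspeed']
PACKETS = 1000                        # same role as $CONFIG['packets2capture']
SAVE_TO = "/var/log/ddos"             # same role as $CONFIG['saveto']
LOCK_PATH = "/run/ddos-capture.lock"  # assumed path; serialises captures
# Constructed ifstat sample (not real traffic) so the logic can run offline.
SAMPLE_IFSTAT = "       eth0\n KB/s in  KB/s out\n 12000.50   4000.25\n"

def parse_ifstat(output: str):
    """Return (kb_in, kb_out) from the sample line, or None if no usable line."""
    for line in output.splitlines():
        nums = re.findall(r"\d+\.\d+", line)
        if len(nums) >= 2:
            return float(nums[0]), float(nums[1])
    return None  # interface down, ifstat missing or output format changed

def should_capture(kb_in: float, kb_out: float, report_mbps: float) -> bool:
    """The script's rule: in+out (KB/s) >= threshold MB/s * 1024."""
    return kb_in + kb_out >= report_mbps * 1024

def capture_cmd(device: str, packets: int, folder: str, ts: int) -> list:
    """tcpdump argv equivalent to the original invocation (no shell needed)."""
    return ["/usr/sbin/tcpdump", "-nn", "-i", device, "-s", "0",
            "-c", str(packets), "-w", f"{folder}/{ts}.ddos.pcap"]

def run_once() -> int:
    out = subprocess.run(["/usr/bin/ifstat", "-i", DEVICE, ".5", "1"],
                         capture_output=True, text=True).stdout
    sample = parse_ifstat(out)
    if sample is None:
        return 2                      # no measurement: do not capture blindly
    if not should_capture(*sample, REPORT_MBPS):
        return 0
    with open(LOCK_PATH, "w") as lock:
        try:                          # a second cron run exits instead of killing
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return 1                  # capture already in progress
        subprocess.run(capture_cmd(DEVICE, PACKETS, SAVE_TO, int(time.time())))
    return 0

if __name__ == "__main__":
    raise SystemExit(run_once())
```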


SystemZ | 2016-08-15 12:14:46 UTC | #2

Very nice, and it also has a lot of potential for modifications and other uses.


Aylin | 2018-06-21 11:36:55 UTC | #3