2013-04-09 13:47:50 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
# -*- sh -*-
|
|
|
|
|
|
|
|
|
|
: << =cut
|
|
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
|
|
psad - Plugin to monitor the number of port scans detected by psad.
|
|
|
|
|
|
|
|
|
|
=head1 CONFIGURATION
|
|
|
|
|
|
|
|
|
|
The following environment variables are used by this plugin
|
|
|
|
|
|
|
|
|
|
psad - Path to psad binary - defaults to psad in PATH
|
|
|
|
|
psad_log - Path to the log where psad entries are logged. defaults to /var/log/messages
|
|
|
|
|
wc - wc program to use
|
|
|
|
|
awk - awk program to use
|
|
|
|
|
|
|
|
|
|
=head1 APPLICABLE SYSTEMS
|
|
|
|
|
|
|
|
|
|
Any system using psad for intrusion detection.
|
|
|
|
|
psad is a port scan detection tool. Using this plugin will allow munin to
|
|
|
|
|
graph its effectiveness for you so you can easily track network security
|
|
|
|
|
compromise or other trends.
|
|
|
|
|
|
|
|
|
|
=head2 CONFIGURATION EXAMPLES
|
|
|
|
|
|
|
|
|
|
There should be no configuration needed for a standard install.
|
|
|
|
|
|
|
|
|
|
For the sake of example, the following configuration could be used
|
|
|
|
|
for psad installation with non-standard logfile location (/var/log/psad/psad.log):
|
|
|
|
|
|
|
|
|
|
[psad]
|
|
|
|
|
env.psad_log /var/log/psad/psad.log
|
|
|
|
|
|
|
|
|
|
=head1 AUTHOR
|
|
|
|
|
|
|
|
|
|
Copyright (C) 2013 Dave Driesen <dave.driesen@honeypot.pandemonium.be>
|
|
|
|
|
|
|
|
|
|
=head1 LICENSE
|
|
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation; version 2 dated June, 1991.
|
|
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful, but
|
|
|
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with this program; if not, write to the Free Software
|
|
|
|
|
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
|
02110-1301 USA.
|
|
|
|
|
|
|
|
|
|
=head1 MAGIC MARKERS
|
|
|
|
|
|
|
|
|
|
#%# family=auto contrib
|
|
|
|
|
#%# capabilities=autoconf
|
|
|
|
|
|
|
|
|
|
=cut
|
|
|
|
|
|
|
|
|
|
psad_log_default=/var/log/messages
|
|
|
|
|
|
|
|
|
|
[ $awk ] || awk="awk"
|
|
|
|
|
[ $wc ] || wc="wc"
|
|
|
|
|
[ $psad ] || psad="psad"
|
|
|
|
|
[ $psad_log ] || psad_log="$psad_log_default"
|
|
|
|
|
|
|
|
|
|
case $1 in
|
|
|
|
|
autoconf)
|
|
|
|
|
if [ -f ${psad} ] ; then
|
|
|
|
|
echo yes
|
|
|
|
|
else
|
|
|
|
|
echo no
|
|
|
|
|
fi
|
|
|
|
|
exit 0;;
|
|
|
|
|
|
|
|
|
|
config)
|
|
|
|
|
cat <<'EOM'
|
|
|
|
|
graph_title Port scans detected
|
|
|
|
|
graph_vlabel Events per hour
|
|
|
|
|
graph_info This graph shows the number of port scans detected per hour
|
|
|
|
|
graph_category network
|
|
|
|
|
graph_period minute
|
|
|
|
|
|
|
|
|
|
attacks_logged.label Scans detected per hour
|
|
|
|
|
attacks_logged.draw LINE1
|
|
|
|
|
attacks_logged.warning 10
|
|
|
|
|
attacks_logged.critical 20
|
2013-04-25 15:38:51 +02:00
|
|
|
attacks_logged.type DERIVE
|
|
|
|
|
attacks_logged.min 0
|
2013-04-09 13:47:50 +02:00
|
|
|
attacks_logged.cdef attacks_logged,12,*
|
|
|
|
|
|
|
|
|
|
autoblocks_logged.label Auto-blocks per hour
|
|
|
|
|
autoblocks_logged.draw LINE1
|
2013-04-25 15:38:51 +02:00
|
|
|
autoblocks_logged.type DERIVE
|
|
|
|
|
autoblocks_logged.min 0
|
2013-04-09 13:47:50 +02:00
|
|
|
autoblocks_logged.cdef autoblocks_logged,12,*
|
|
|
|
|
|
|
|
|
|
EOM
|
|
|
|
|
exit 0;;
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
|
grep "psad: scan detected" "$psad_log" | $wc -l | $awk '{
|
|
|
|
|
print "attacks_logged.value " $1
|
|
|
|
|
}'
|
|
|
|
|
|
|
|
|
|
grep "psad: added iptables auto-block against " "$psad_log" | $wc -l | $awk '{
|
|
|
|
|
print "autoblocks_logged.value " $1
|
|
|
|
|
}'
|
