Dave Driesen b5ce1d0022 Add port scan detection plugin (psad)
psad is a cyber defense tool that monitors for incoming port scans
and can optionally blacklist/block attackers.

Both these options can be charted with this plugin.

- Port scans detected (per hour)
- Attackers blocked (per hour)
2013-04-09 13:47:50 +02:00


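#!/bin/sh
# -*- sh -*-
: << =cut

=head1 NAME

psad - Plugin to monitor the number of port scans detected by psad.

=head1 CONFIGURATION

The following environment variables are used by this plugin

 psad     - Path to the psad binary. Defaults to "psad", which is looked
            up in PATH.
 psad_log - Path to the log file that receives psad's syslog messages.
            Defaults to /var/log/messages. Depending on the syslog daemon
            and its configuration this may instead be e.g. /var/log/syslog
            or a dedicated psad log; adjust accordingly.
 wc, awk  - Accepted for backward compatibility with existing configurations
            but no longer used: counting is done with grep -c.

The log file is often readable only by root. If autoconf reports that the
log is not readable, run the plugin as root:

 [psad]
 user root

=head1 APPLICABLE SYSTEMS

Any system using psad for intrusion detection.

psad is a port scan detection tool. This plugin graphs how often psad
reports a scan and how often it installs an iptables auto-block, so that
scanning activity and blocking trends can be followed over time.

The plugin counts lines in the log file. Every line containing the literal
text "psad: scan detected" or "psad: added iptables auto-block against " is
counted, regardless of which program wrote it, so the figures are only as
trustworthy as the log source feeding that file.

The fields are of type DERIVE with a minimum of 0. A log rotation makes the
absolute count drop; with DERIVE/min 0 that step is discarded as unknown
instead of being plotted as a huge spurious spike (which, with type
COUNTER, would also trip the warning/critical thresholds on every
rotation). History collected by earlier versions of this plugin using
type COUNTER is not carried over to the new data type.

=head2 CONFIGURATION EXAMPLES

There should be no configuration needed for a standard install.

For the sake of example, the following configuration could be used
for a psad installation with a non-standard logfile location
(/var/log/psad/psad.log):

 [psad]
 env.psad_log /var/log/psad/psad.log

=head1 AUTHOR

Copyright (C) 2013 Dave Driesen <dave.driesen@honeypot.pandemonium.be>

=head1 LICENSE

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 dated June, 1991.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.

=head1 MAGIC MARKERS

 #%# family=auto contrib
 #%# capabilities=autoconf

=cut

psad_log_default=/var/log/messages

# Defaults. Parameter expansion handles an unset or empty variable without
# word-splitting it inside a [ ] test.
: "${psad:=psad}"
: "${psad_log:=$psad_log_default}"

# count_matches PATTERN FILE
#   Print the number of lines in FILE that contain the literal string
#   PATTERN (fixed-string match, no regex interpretation). Prints "U",
#   munin's "unknown" value, when FILE is not readable, so a missing or
#   unreadable log shows up as a gap rather than a fake zero. grep -c
#   prints 0 when nothing matches; its exit status is deliberately not
#   checked.
count_matches() {
    if [ -r "$2" ]; then
        grep -c -F -- "$1" "$2"
    else
        printf 'U\n'
    fi
}

case "$1" in
autoconf)
    # The original test was [ -f "$psad" ], which only works for an
    # absolute path; the default is a bare name resolved through PATH, so
    # look it up the way the shell would. Also check that the log we will
    # read is actually readable, and give munin a reason for a "no".
    if ! command -v "$psad" >/dev/null 2>&1; then
        echo "no (psad binary '$psad' not found)"
    elif [ ! -r "$psad_log" ]; then
        echo "no (log file '$psad_log' not readable)"
    else
        echo yes
    fi
    exit 0;;
config)
    # NOTE(review): with graph_period minute munin reports DERIVE/COUNTER
    # rates per minute, so the "*12" cdef below appears to scale to a
    # 12-minute window rather than the "per hour" the labels promise.
    # Kept as-is pending confirmation against the munin version in use.
    cat <<'EOM'
graph_title Port scans detected
graph_vlabel Events per hour
graph_info This graph shows the number of port scans detected per hour
graph_category network
graph_period minute
attacks_logged.label Scans detected per hour
attacks_logged.draw LINE1
attacks_logged.warning 10
attacks_logged.critical 20
attacks_logged.type DERIVE
attacks_logged.min 0
attacks_logged.cdef attacks_logged,12,*
autoblocks_logged.label Auto-blocks per hour
autoblocks_logged.draw LINE1
autoblocks_logged.type DERIVE
autoblocks_logged.min 0
autoblocks_logged.cdef autoblocks_logged,12,*
EOM
    exit 0;;
esac

# Fetch: absolute line counts since the log was last rotated. Munin turns
# them into a rate; a negative step (rotation) is dropped by .min 0.
printf 'attacks_logged.value %s\n' \
    "$(count_matches 'psad: scan detected' "$psad_log")"
printf 'autoblocks_logged.value %s\n' \
    "$(count_matches 'psad: added iptables auto-block against ' "$psad_log")"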