# nfsen plugin "ddos": reads one timeslot of netflow data with nfdump, picks
# out source/destination pairs whose SYN/ACK-flagged packet counts cross a
# threshold, and builds an alert e-mail from them (see run()).
package ddos;
use strict;
# NOTE(review): no "use warnings" here, so non-numeric nfdump fields used in
# the numeric comparisons inside run() are accepted silently.
use Email::MIME;                          # not referenced in this file
use Email::Sender::Simple qw(sendmail);
use Sys::Syslog;                          # not referenced in this file
use Sys::Syslog qw(:standard :macros);    # second import of the same module
use Email::Sender::Simple qw(sendmail);   # duplicate of the line above
use Email::Simple;
use Email::Simple::Creator;
our $VERSION = 100;
# nfsen plugin initialisation hook. There is nothing to set up, so it only
# reports success (a true value).
sub Init {
    my $initialised = 1;
    return $initialised;
}
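# nfsen plugin entry point, invoked once per timeslot.
#
# Takes a hashref with the keys 'profile', 'profilegroup' and 'timeslot',
# runs nfdump over the profile's channels for that timeslot restricted to
# SYN/ACK-flagged flows, and collects per src/dst pair alerts when the packet
# counts cross $warning_threshold / $alarm_threshold. The alerts are formatted
# into an Email::Simple message. Returns nothing; delivery of the message is
# disabled (see $deliver_email below), matching the original code, which
# returned before ever reaching sendmail().
sub run {
    my $argref = shift;
    my $profile      = $argref->{'profile'};
    my $profilegroup = $argref->{'profilegroup'};
    my $timeslot     = $argref->{'timeslot'};

    # nfsen timeslots are YYYYMMDDhhmm. The nfcapd file name and the
    # year/month/day path components below depend on that shape, so refuse
    # anything else instead of pointing nfdump at a bogus path.
    unless (defined $timeslot and $timeslot =~ m{\A\d{12}\z}) {
        my $shown = defined $timeslot ? $timeslot : '';
        warn "ddos: invalid or missing timeslot '$shown'\n";
        return;
    }

    my $profilepath = NfProfile::ProfilePath($profile, $profilegroup);
    my %profileinfo = NfProfile::ReadProfile($profile, $profilegroup);
    my $all_sources = join ':', keys %{ $profileinfo{'channel'} };
    my $netflow_sources = "$NfConf::PROFILEDATADIR/$profilepath/$all_sources";

    my $year  = substr $timeslot, 0, 4;
    my $month = substr $timeslot, 4, 2;
    my $day   = substr $timeslot, 6, 2;
    my $capture_file = "${year}/${month}/${day}/nfcapd.${timeslot}";

    # The original first ran a stray `system("... nfdump -M ... ....")` whose
    # output was discarded; it is dropped here. nfdump itself is started with
    # list-form open, i.e. without a shell, so channel names (which come from
    # the profile definition) and the timeslot are passed as literal arguments
    # instead of being interpolated into a command line for backticks.
    my $nfdump_bin  = "$NfConf::PREFIX/nfdump";
    my @nfdump_args = (
        '-M', $netflow_sources,
        '-r', $capture_file,
        '-a', '-q',
        '-A', 'srcip,dstip',
        '-T',
        '-o', 'fmt:%sa %da %opkt %ipkt',
        'flags SA',
    );
    open my $nfdump_fh, '-|', $nfdump_bin, @nfdump_args
        or do {
            warn "ddos: cannot run $nfdump_bin: $!\n";
            return;
        };
    my @nfdump_output = <$nfdump_fh>;
    close $nfdump_fh
        or warn "ddos: nfdump exited with status " . ($? >> 8) . "\n";

    # Thresholds are packet counts per slot, derived from a 300-second window
    # (presumably the 5-minute nfsen slot length): 600 for an alarm, 300 for
    # a warning.
    my $total_time        = 5 * 60;
    my $alarm_threshold   = 2 * $total_time;
    my $warning_threshold = 1 * $total_time;

    my @alarms   = ();
    my @warnings = ();
    for my $line (@nfdump_output) {
        my $flow = _parse_flow_line($line) or next;
        my $alert_text = _format_alert($flow, $timeslot);
        if (   $flow->{in_packets}  >= $alarm_threshold
            or $flow->{out_packets} >= $alarm_threshold) {
            push @alarms, $alert_text;
        }
        elsif ($flow->{in_packets}  >= $warning_threshold
            or $flow->{out_packets} >= $warning_threshold) {
            push @warnings, $alert_text;
        }
    }

    # Nothing crossed a threshold: no message to build.
    return unless @alarms or @warnings;

    # Body layout is kept as before: all alarms, a space, all warnings.
    my $all_alarms   = join("\n", @alarms);
    my $all_warnings = join("\n", @warnings);
    my $message      = "$all_alarms $all_warnings";

    # NOTE(review): the From: address below looks like a redacted placeholder
    # — confirm the real sender before enabling delivery.
    my $email = Email::Simple->create(
        header => [
            From    => '"NFSEN DDoS service" <[email protected]>',
            To      => '"Phen AI" <phen@localhost>',
            Subject => "DDoS happening",
        ],
        body => $message,
    );

    # Delivery is switched off: the original code returned before calling
    # sendmail(), leaving the call unreachable. The switch is kept explicit so
    # the intent is visible instead of hidden behind dead code.
    my $deliver_email = 0;
    sendmail($email) if $deliver_email;
    return;
}

# Split one nfdump output line into its fields and return a hashref with
# source_ip, destination_ip, in_packets and out_packets. Returns an empty
# list for lines that do not have exactly six whitespace-separated fields
# (a leading-space line yields an empty first field, as in the original).
sub _parse_flow_line {
    my ($line) = @_;
    my @fields = split /\s+/, $line;
    return if @fields != 6;
    # NOTE(review): the column positions are taken over from the original
    # code. The -o format lists %opkt before %ipkt, so column 4 may be the
    # outgoing count rather than the incoming one — confirm against real
    # nfdump output; the threshold check is symmetric, only the labels differ.
    return {
        source_ip      => $fields[1],
        destination_ip => $fields[3],
        in_packets     => $fields[4],
        out_packets    => $fields[5],
    };
}

# Render one flow (hashref from _parse_flow_line) as the multi-line alert
# text used for both alarms and warnings. The text is byte-identical to the
# original's.
sub _format_alert {
    my ($flow, $timeslot) = @_;
    my $source_ip      = $flow->{source_ip};
    my $destination_ip = $flow->{destination_ip};
    my $in_packets     = $flow->{in_packets};
    my $out_packets    = $flow->{out_packets};
    return "\nSource: $source_ip\nDestination: $destination_ip\nTimeslot: $timeslot \nIn Packets: $in_packets \nOut Packets: $out_packets";
}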
# nfsen plugin teardown hook. No state is held by this module, so there is
# nothing to release; returns an empty list.
sub Cleanup {
    return;
}
1;   # a module must end with a true value for "use ddos" to succeed