Alert DoS

Rodolfo Pilas rodolfo at pilas.net
Tue Nov 25 01:06:43 CET 2008


Is there any way that I can alert when an IP establishes more than X
connections with my host?

I use this line to obtain port 80 connections:

netstat -tan | egrep '170\.53\.[0-9]*\.[0-9]*:80' | grep -v TIME_WAIT | \
cut -c 45-66 | cut -d : -f 1 | sort -n | uniq -c | sort -n

and obtain output like this:

      1 191.78.192.30
      1 209.125.58.188
      2 170.51.33.42
      2 193.108.7.164
      2 193.134.36.229
      2 193.134.39.89
      5 193.132.83.232
      8 193.134.162.85

My start point was:

PORT "LOCAL=%([.:]80)$" "REMOTE=*"(uniq -c) state=(ESTABLISHED|SYN_RECV)
min=0 max=20 

Thank you for any help.

Regards,
Rodolfo Pilas

