Alert DoS
Rodolfo Pilas
rodolfo at pilas.net
Tue Nov 25 01:06:43 CET 2008
Is there any way that I can alert when an IP establishes more than X
connections with my host?
I use this line to obtain port 80 connections:
netstat -tan | egrep '170\.53\.[0-9]*\.[0-9]*:80' | grep -v TIME_WAIT | \
cut -c 45-66 | cut -d : -f 1 | sort -n | uniq -c | sort -n
and obtain output like this:
1 191.78.192.30
1 209.125.58.188
2 170.51.33.42
2 193.108.7.164
2 193.134.36.229
2 193.134.39.89
5 193.132.83.232
8 193.134.162.85
My start point was:
PORT "LOCAL=%([.:]80)$" "REMOTE=*"(uniq -c) state=(ESTABLISHED|SYN_RECV) min=0 max=20
Thank you for any help.
Regards,
Rodolfo Pilas
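One way to do the per-client counting and thresholding in plain shell, as an added example that is not from the original post or from Xymon itself: it keys on whitespace-separated fields instead of fixed character columns, keeps only ESTABLISHED and SYN_RECV connections to local port 80, and flags any remote address above a limit. The netstat lines are constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `netstat -tan` output (not a real capture).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 170.53.10.5:80          193.134.162.85:51234    ESTABLISHED
tcp        0      0 170.53.10.5:80          193.134.162.85:51235    ESTABLISHED
tcp        0      0 170.53.10.5:80          193.134.162.85:51236    SYN_RECV
tcp        0      0 170.53.10.5:80          193.132.83.232:40001    ESTABLISHED
tcp        0      0 170.53.10.5:80          193.132.83.232:40002    TIME_WAIT
tcp        0      0 170.53.10.5:22          10.0.0.7:55000          ESTABLISHED
tcp        0      0 170.53.10.5:80          191.78.192.30:60000     ESTABLISHED'

# count_http_clients: read `netstat -tan` output on stdin and print
# "count ip" for every remote address with ESTABLISHED or SYN_RECV
# connections to local port 80. Field-based, so it does not break when
# the Local Address column changes width (unlike `cut -c 45-66`).
count_http_clients() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
             split($5, a, ":"); n[a[1]]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -n
}

# alert_over MAX: print "ALERT count ip" for each client with more than
# MAX matching connections; prints nothing when everyone is under the limit.
alert_over() {
    max="$1"
    count_http_clients | awk -v max="$max" '$1 > max { print "ALERT", $1, $2 }'
}

# Live use would be `netstat -tan | alert_over 20`; here we run the sample
# with a threshold of 2, which flags only 193.134.162.85 (3 connections).
printf '%s\n' "$SAMPLE" | alert_over 2
```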