How to configure check_ddos.py plugin

Postby jlb4350 » Fri Oct 25, 2019 11:15 am

Hello all. I have installed a plugin called check_ddos.py to help us get notified of SYN attacks on our network. I installed it and ran the check. It works to show the connections of the local Nagios server, but how can I configure this to monitor SYN attacks on our firewall? I have the service set up like this:

Command: $USER1$/check_ddos.py $ARG1$ $ARG2$
arg1: -c 300
arg2: -w 200

The problem is I don't know which host to choose. Do I need to create a host for our firewall and apply that? When I check the command above in putty, it shows 7 connections, but I believe it's monitoring the local server on which Nagios is installed...not the firewall SYN attacks.

Thank you for any help you can provide. I can't seem to find any information on this that was able to get me anywhere.

Re: How to configure check_ddos.py plugin

Postby mcapra » Fri Oct 25, 2019 12:42 pm

I'll assume this is the plugin you're referring to:
https://exchange.nagios.org/directory/P ... os/details

All this plugin does under the hood is run a netstat command and parse the output:
netstat -antu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

It won't work on anything but a Linux system really. If you have a pfsense, DD-WRT, or some other Linux driven firewall, that's all fine and dandy -- run this plugin there via an agent like NCPA. If you're trying to detect SYN floods on like a Cisco or Barracuda device, this isn't really the plugin for you.

What sort of device are you trying to detect SYN floods on?
Former Nagios employee
http://www.mcapra.com/
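What that pipeline computes, as an added Python example (not the plugin's own code, and not from anyone in this thread): the same counting logic run over constructed netstat output, mapped to Nagios exit codes against -w/-c thresholds. The inclusive (>=) comparison and the output format are assumptions; unlike the one-liner's `cut -d: -f1`, it strips only the trailing port so IPv6 peers are kept whole.

```python
import subprocess
from collections import Counter

# Constructed sample of `netstat -antu` output (not real traffic) for offline use.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        0      0 10.0.0.5:80        198.51.100.7:51234   SYN_RECV
tcp        0      0 10.0.0.5:80        198.51.100.7:51235   SYN_RECV
tcp        0      0 10.0.0.5:443       203.0.113.9:40001    SYN_RECV
tcp        0      0 10.0.0.5:80        127.0.0.1:33001      SYN_RECV
tcp        0      0 10.0.0.5:22        192.0.2.44:55120     ESTABLISHED
udp        0      0 0.0.0.0:123        0.0.0.0:*
"""
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

def syn_recv_sources(netstat_output):
    """Same logic as the grep/awk/cut/sort/uniq pipeline: SYN_RECV per remote IP."""
    counts = Counter()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or f[5] != "SYN_RECV":
            continue  # UDP rows have no State column; other TCP states are ignored
        ip = f[4].rsplit(":", 1)[0]  # Foreign Address minus port (IPv6-safe)
        if ip != "127.0.0.1":        # the pipeline's `grep -v 127.0.0.1`
            counts[ip] += 1
    return counts

def evaluate(netstat_output, warn, crit):
    """Nagios (exit code, status line). The pipeline ends in `wc -l`, so thresholds
    apply to distinct source IPs, not total half-open sockets. Assumed: inclusive (>=)."""
    src = syn_recv_sources(netstat_output)
    distinct, total = len(src), sum(src.values())
    if distinct >= crit:
        code, label = CRITICAL, "CRITICAL"
    elif distinct >= warn:
        code, label = WARNING, "WARNING"
    else:
        code, label = OK, "OK"
    msg = "SYN_RECV %s: %d source IPs, %d half-open connections" % (label, distinct, total)
    return code, msg + "|syn_sources=%d;%d;%d syn_total=%d" % (distinct, warn, crit, total)

def run_check(warn=200, crit=300):
    """Runs netstat on this host, so it must be deployed on the box being watched."""
    try:
        out = subprocess.run(["netstat", "-antu"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        return UNKNOWN, "UNKNOWN: netstat failed: %s" % exc
    return evaluate(out, warn, crit)
```

Because `run_check` only sees the local socket table, a service defined against a firewall host object still reports the Nagios server's own counters unless the check is executed on the firewall itself (agent or SSH).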

Re: How to configure check_ddos.py plugin

Postby jlb4350 » Fri Oct 25, 2019 12:49 pm

Thank you for the reply. I was thinking it would monitor the firewall, but since it needs to be Linux, we have BigIP F5s. Would it work to monitor new connections on that?

Thanks again!

Re: How to configure check_ddos.py plugin

Postby benjaminsmith » Fri Oct 25, 2019 2:43 pm

Hello,

I did some quick research and it looks like the BIG-IP Series is an embedded Linux product. As mentioned, the plugin would have to run on the remote host; it will require netstat and python.

You could also set this check up over SSH instead of using an agent.

Monitoring Hosts Using SSH
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!

Re: How to configure check_ddos.py plugin

Postby jlb4350 » Mon Oct 28, 2019 6:23 am

OK, thank you for your help and time. I might have to research a plugin (if one exists) on measuring SYN attacks on our Cisco ASA; that's ultimately what we are trying to achieve. Thank you again!

Re: How to configure check_ddos.py plugin

Postby benjaminsmith » Mon Oct 28, 2019 4:24 pm

Hello,

No problem. Did you have any other questions or may we close this thread?

Re: How to configure check_ddos.py plugin

Postby jlb4350 » Tue Oct 29, 2019 6:50 am

benjaminsmith wrote:
> Hello,
>
> No problem. Did you have any other questions or may we close this thread?

No more questions. Thank you to all who participated. I'll continue searching for a resolution.

Re: How to configure check_ddos.py plugin

Postby benjaminsmith » Tue Oct 29, 2019 2:53 pm

jlb4350 wrote:
> No more questions. Thank you to all who participated. I'll continue searching for a resolution.

Sounds good. Closing.

Thank you for using the Nagios Support Forum.