How to configure check_ddos.py plugin

Posted: Fri Oct 25, 2019 11:15 am
by jlb4350
Hello all. I have installed a plugin called check_ddos.py to help us get notified of SYN attacks on our network. I installed it and ran the check. It works to show the connections of the local Nagios server, but how can I configure this to monitor SYN attacks on our firewall? I have the service set up like this:

Command: $USER1$/check_ddos.py $ARG1$ $ARG2$
arg1: -c 300
arg2: -w 200

The problem is I don't know which host to choose. Do I need to create a host for our firewall and apply that? When I check the command above in PuTTY, it shows 7 connections, but I believe it's monitoring the local server on which Nagios is installed, not the firewall SYN attacks.

Thank you for any help you can provide. I can't seem to find any information on this that was able to get me anywhere.

Re: How to configure check_ddos.py plugin

Posted: Fri Oct 25, 2019 12:42 pm
by mcapra
I'll assume this is the plugin you're referring to:
https://exchange.nagios.org/directory/P ... os/details

All this plugin does under the hood is run a netstat command and parse the output:

Code:

netstat -antu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

It won't work on anything but a Linux system really. If you have a pfsense, DD-WRT, or some other Linux driven firewall, that's all fine and dandy -- run this plugin there via an agent like NCPA. If you're trying to detect SYN floods on like a Cisco or Barracuda device, this isn't really the plugin for you.

What sort of device are you trying to detect SYN floods on?
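The pipeline quoted above, re-implemented as an added example (not the plugin's own code or anything from the thread): it parses `netstat -antu` output the same way (SYN_RECV rows, foreign address, port stripped, loopback dropped, distinct sources counted) and applies -w/-c thresholds with Nagios exit codes. The netstat lines are constructed sample data; the real command only runs when no sample is supplied.

```python
import subprocess

# Nagios plugin exit codes
OK, WARNING, CRITICAL = 0, 1, 2

# Constructed sample of `netstat -antu` output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            198.51.100.7:51234      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.33:55000        ESTABLISHED
tcp        0      0 127.0.0.1:5666          127.0.0.1:60010         SYN_RECV
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def count_syn_recv_sources(netstat_output):
    """Mirror the shell pipeline: keep SYN_RECV rows, take the foreign address
    (awk column 5), strip the port (cut -d: -f1), drop 127.0.0.1, and count
    distinct source IPs (sort | uniq -c | wc -l)."""
    sources = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # UDP rows and the header have no State column; skip anything not SYN_RECV
        if len(fields) < 6 or fields[5] != "SYN_RECV":
            continue
        ip = fields[4].rsplit(":", 1)[0]  # IPv4 host:port -> host
        if ip != "127.0.0.1":
            sources.add(ip)
    return len(sources)


def evaluate(count, warn, crit):
    """Apply the -w/-c thresholds the way the service definition in the thread does."""
    if count >= crit:
        return CRITICAL, f"CRITICAL - {count} sources in SYN_RECV"
    if count >= warn:
        return WARNING, f"WARNING - {count} sources in SYN_RECV"
    return OK, f"OK - {count} sources in SYN_RECV"


def run_check(warn=200, crit=300, netstat_output=None):
    """Return (exit code, status line with perfdata). Runs netstat only on a
    Linux host when no sample output is supplied."""
    if netstat_output is None:
        netstat_output = subprocess.check_output(["netstat", "-antu"], text=True)
    count = count_syn_recv_sources(netstat_output)
    code, msg = evaluate(count, warn, crit)
    return code, f"{msg} | syn_recv_sources={count};{warn};{crit}"
```

With the sample above, 198.51.100.7 (two half-open connections) and 203.0.113.9 count as two sources, and the loopback row is ignored.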

Re: How to configure check_ddos.py plugin

Posted: Fri Oct 25, 2019 12:49 pm
by jlb4350
Thank you for the reply. I was thinking it would monitor the firewall, but since it needs to be linux, we have BigIP F5s. Would it work to monitor new connections on that?

Thanks again!

Re: How to configure check_ddos.py plugin

Posted: Fri Oct 25, 2019 2:43 pm
by benjaminsmith
Hello,

I did some quick research and it looks like the BIG-IP series is an embedded Linux product. As mentioned, the plugin would have to run on the remote host; it will require netstat and Python.

You could also set this check up over SSH instead of using an agent.

Monitoring Hosts Using SSH

Re: How to configure check_ddos.py plugin

Posted: Mon Oct 28, 2019 6:23 am
by jlb4350
Ok thank you for your help and time. I might have to research a plugin (if one exists) on measuring SYN attacks on our cisco asa, that's ultimately what we are trying to achieve. Thank you again!

Re: How to configure check_ddos.py plugin

Posted: Mon Oct 28, 2019 4:24 pm
by benjaminsmith
Hello,

No problem. Did you have any other questions or may we close this thread?

Re: How to configure check_ddos.py plugin

Posted: Tue Oct 29, 2019 6:50 am
by jlb4350
benjaminsmith wrote: Hello,

No problem. Did you have any other questions or may we close this thread?
No more questions. Thank you to all who participated. I'll continue searching for a resolution.

Re: How to configure check_ddos.py plugin

Posted: Tue Oct 29, 2019 2:53 pm
by benjaminsmith
jlb4350 wrote: No more questions. Thank you to all who participated. I'll continue searching for a resolution.
Sounds good. Closing.

Thank you for using the Nagios Support Forum.