
Help me write Nagios Plugin???

Posted: Sat May 19, 2012 11:46 am
by mytrang
Currently, I'm writing a dissertation on a Nagios plugin to monitor and detect denial of service (DoS) attacks. Does anyone have a tutorial to help me? Thanks very much.

Re: Help me write Nagios Plugin???

Posted: Tue May 22, 2012 3:38 pm
by lmiltchev
You can probably start by reviewing this:

http://nagiosplug.sourceforge.net/devel ... lines.html

Re: Help me write Nagios Plugin???

Posted: Wed May 23, 2012 12:56 pm
by mytrang
This link is too general. Can you specify the steps to help me write my own? Thank you very much.

Re: Help me write Nagios Plugin???

Posted: Wed May 23, 2012 1:44 pm
by agriffin
A Nagios plugin is just a normal unix executable which exits with a particular exit code and outputs text to stdout in a particular format. The guidelines linked earlier cover the specifics. There is no step-by-step guide because it is expected that you know how to program already. You could try reading the source of a plugin or two if you're still confused; they're usually very short and simple.

Re: Help me write Nagios Plugin???

Posted: Wed May 23, 2012 11:37 pm
by mytrang
I will learn the techniques. Thanks very much for your reply ^^.

Re: Help me write Nagios Plugin???

Posted: Fri May 25, 2012 9:37 am
by agriffin
You're welcome. Good luck!

Re: Help me write Nagios Plugin???

Posted: Mon Jul 09, 2012 9:06 am
by mytrang
I have this code about detecting DoS attacks with Nagios. Can you please look at it and explain the mechanism of action for me?
my $program_name = "check_ddos.pl";
my $program_version = "0.4";
my $program_date = "02/2011";

# Libraries
#----------

use strict;
use lib "/usr/local/nagios/libexec";
use Getopt::Std;

# Global variables
#-----------------

my $netstat = '/bin/netstat -ant';
# Nagios plugin exit codes
my %ERRORS = ('UNKNOWN' , '3',
              'OK' , '0',
              'WARNING', '1',
              'CRITICAL', '2' );
my $state = "UNKNOWN";
my $answer = "";
my $warning;
my $critical;

# Program argument management
#----------------------------

my %opts = ();
getopts("hvw:c:", \%opts);
if ($opts{v}) {
    # Display the version
    print "$program_name $program_version ($program_date)\n";
    # exit(-1) would reach Nagios as 255, which is not a valid plugin state
    exit $ERRORS{'UNKNOWN'};
}
if ($opts{h} || (!$opts{w} || !$opts{c})) {
    # Help (also shown when -w or -c is missing)
    print "$program_name $program_version\n";
    print "usage: ", $program_name," [options]\n";
    print " -h: Print the command line help\n";
    print " -v: Print the program version\n";
    print " -w <int>: Warning value (number of SYN_RECV)\n";
    print " -c <int>: Critical value (number of SYN_RECV)\n";
    exit $ERRORS{'UNKNOWN'};
}

# Get the warning value
if ($opts{w}) {
    $warning = $opts{w};
}

# Get the critical value
if ($opts{c}) {
    $critical = $opts{c};
}

# Main program
#-------------

# Save the TCP socket table to a file
system("$netstat > /tmp/check_ddos.res") == 0
    or die "$state: $netstat failed ($?)";

# Number of sockets in the SYN_RECV (half-open) state
my $ddos = `grep SYN_RECV /tmp/check_ddos.res | wc -l`;
chomp $ddos;
# my $output = `grep SYN_RECV /tmp/check_ddos.res | awk {'print \$5'} | cut -f 1 -d ":" | sort | uniq -c | sort -rn | head -10`;
# Ten remote addresses with the most SYN_RECV sockets
my $output = `grep SYN_RECV /tmp/check_ddos.res | awk {'print \$5'} | cut -f 1 -d ":" | sort | uniq -c | sort -k1,1rn | head -10`;

# Compare the count with the thresholds
if ($ddos >= $warning) {
    if ($ddos >= $critical) {
        $state = "CRITICAL";
    } else {
        $state = "WARNING";
    }
    print "DDOS attack.\nTop 10 SYN_RECV sources:\n$output";
} else {
    $state = "OK";
    print "No DDOS attack detected ($ddos/$warning).\n";
}

system("rm -f /tmp/check_ddos.res") == 0
    or die "$state: Can not delete /tmp/check_ddos.res ($?)";

# The exit code tells Nagios the service state
exit $ERRORS{$state};

# The end...
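
The check the script above performs, written as an added example that is not part of the original post or the poster's code: it counts `SYN_RECV` sockets in `netstat -ant` output without a temporary file, keeps IPv6 source addresses whole, and returns the Nagios exit codes. The function names and the sample `netstat` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and SAMPLE are constructed for illustration.

# Constructed `netstat -ant` output (documentation address ranges).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.50:60222      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:33000     SYN_RECV'

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Count sockets whose state column (field 6) is SYN_RECV; input on stdin.
count_syn_recv() { awk '$6 == "SYN_RECV" { n++ } END { print n + 0 }'; }

# Top N remote hosts in SYN_RECV. Only the trailing :port is stripped, so
# IPv6 addresses stay whole (cut -d: would keep just their first group).
top_sources() {
    awk '$6 == "SYN_RECV" { a = $5; sub(/:[0-9]+$/, "", a); c[a]++ }
         END { for (a in c) print c[a], a }' | sort -k1,1rn -k2 | head -n "${1:-10}"
}

# classify COUNT WARN CRIT -> OK | WARNING | CRITICAL | UNKNOWN
classify() {
    is_uint "$1" && is_uint "$2" && is_uint "$3" || { echo UNKNOWN; return; }
    if [ "$1" -ge "$3" ]; then echo CRITICAL
    elif [ "$1" -ge "$2" ]; then echo WARNING
    else echo OK; fi
}

# check_syn_recv WARN CRIT < netstat-output
# Prints the status line with perfdata and returns the Nagios exit code.
check_syn_recv() {
    data=$(cat)
    n=$(printf '%s\n' "$data" | count_syn_recv)
    state=$(classify "$n" "$1" "$2")
    case "$state" in
        UNKNOWN) echo "SYN_RECV UNKNOWN - thresholds must be integers"; return 3 ;;
        OK) code=0 ;; WARNING) code=1 ;; CRITICAL) code=2 ;;
    esac
    echo "SYN_RECV $state - $n half-open connections | syn_recv=$n;$1;$2;0"
    [ "$state" = OK ] || printf '%s\n' "$data" | top_sources 10
    return "$code"
}

# Demo on the sample; a real plugin would run: netstat -ant | check_syn_recv W C
rc=0; printf '%s\n' "$SAMPLE" | check_syn_recv 3 10 || rc=$?
echo "plugin exit code: $rc"
```

Nagios reads the first output line as the status text, takes the part after `|` as performance data, and uses the exit code as the service state.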

Re: Help me write Nagios Plugin???

Posted: Wed Jul 11, 2012 10:47 am
by agriffin
Sorry, but I'm not sure what you're asking. What do you mean by mechanism of action?