- Repository: Munin (contrib)
- Last change: 2013-04-25
- Family: auto contrib
- Language: Shell
psad
Name
psad - Plugin to monitor the number of port scans detected by psad.
Configuration
The following environment variables are used by this plugin:
psad - Path to the psad binary; defaults to psad in PATH
psad_log - Path to the log where psad entries are written; defaults to /var/log/messages
wc - wc program to use
awk - awk program to use
Applicable Systems
Any system using psad for intrusion detection. psad is a port scan detection tool. Using this plugin lets Munin graph its effectiveness for you, so you can easily track network security compromise attempts and other trends.
Configuration Examples
There should be no configuration needed for a standard install.
For the sake of example, the following configuration could be used for a psad installation with a non-standard log file location (/var/log/psad/psad.log):
[psad]
env.psad_log /var/log/psad/psad.log
Author
Copyright (C) 2013 Dave Driesen dave.driesen@honeypot.pandemonium.be
License
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Magic Markers
#%# family=auto contrib
#%# capabilities=autoconf
#!/bin/sh
# -*- sh -*-
: << =cut
=head1 NAME
psad - Plugin to monitor the number of port scans detected by psad.
=head1 CONFIGURATION
The following environment variables are used by this plugin:
psad - Path to the psad binary; defaults to psad in PATH
psad_log - Path to the log where psad entries are written; defaults to /var/log/messages
wc - wc program to use
awk - awk program to use
=head1 APPLICABLE SYSTEMS
Any system using psad for intrusion detection.
psad is a port scan detection tool. Using this plugin will allow munin to
graph its effectiveness for you so you can easily track network security
compromise or other trends.
=head2 CONFIGURATION EXAMPLES
There should be no configuration needed for a standard install.
For the sake of example, the following configuration could be used
for a psad installation with a non-standard log file location (/var/log/psad/psad.log):
[psad]
env.psad_log /var/log/psad/psad.log
=head1 AUTHOR
Copyright (C) 2013 Dave Driesen <dave.driesen@honeypot.pandemonium.be>
=head1 LICENSE
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 dated June, 1991.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.
=head1 MAGIC MARKERS
#%# family=auto contrib
#%# capabilities=autoconf
=cut
psad_log_default=/var/log/messages

# Fall back to the defaults when the environment variables are unset or empty.
[ -n "$awk" ] || awk="awk"
[ -n "$wc" ] || wc="wc"
[ -n "$psad" ] || psad="psad"
[ -n "$psad_log" ] || psad_log="$psad_log_default"

case "$1" in
    autoconf)
        # $psad defaults to a bare command name, so resolve it through PATH
        # instead of testing for a file named "psad" in the current directory.
        if command -v "$psad" >/dev/null 2>&1 ; then
            echo yes
        else
            echo "no (psad binary '$psad' not found)"
        fi
        exit 0;;
    config)
        cat <<'EOM'
graph_title Port scans detected
graph_vlabel Events per hour
graph_info This graph shows the number of port scans detected per hour
graph_category network
graph_period minute
attacks_logged.label Scans detected per hour
attacks_logged.draw LINE1
attacks_logged.warning 10
attacks_logged.critical 20
attacks_logged.type DERIVE
attacks_logged.min 0
attacks_logged.cdef attacks_logged,12,*
autoblocks_logged.label Auto-blocks per hour
autoblocks_logged.draw LINE1
autoblocks_logged.type DERIVE
autoblocks_logged.min 0
autoblocks_logged.cdef autoblocks_logged,12,*
EOM
        exit 0;;
esac

# Fetch: report the cumulative number of matching log lines. The DERIVE type
# declared above turns these ever-growing counters into a rate.
grep "psad: scan detected" "$psad_log" | $wc -l | $awk '{
    print "attacks_logged.value " $1
}'
grep "psad: added iptables auto-block against " "$psad_log" | $wc -l | $awk '{
    print "autoblocks_logged.value " $1
}'
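As an added example (not part of the plugin above), the same two log matches run over a constructed psad log, with one change a practitioner would want: when the log is missing or unreadable, the fields report U (Munin's "unknown" value) instead of a false zero. The log lines and the temporary file are constructed for the example.

```sh
#!/bin/sh
# Constructed sample log: three "scan detected" entries, one auto-block and
# one unrelated sshd line that must not be counted.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 25 10:01:12 host psad: scan detected: 203.0.113.7 -> 192.0.2.10 tcp: [22] flags: SYN
Apr 25 10:01:40 host psad: scan detected: 203.0.113.7 -> 192.0.2.10 tcp: [80] flags: SYN
Apr 25 10:02:05 host psad: added iptables auto-block against 203.0.113.7 for 3600 seconds
Apr 25 10:02:30 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7
Apr 25 10:03:15 host psad: scan detected: 198.51.100.4 -> 192.0.2.10 udp: [53] flags: none
EOF

# Count lines matching a fixed string in a log file ($1 = pattern, $2 = file).
# An unreadable log yields "U" so Munin records a gap rather than a drop to 0,
# which a DERIVE field would otherwise treat as a counter reset.
count_matches() {
    if [ -r "$2" ]; then
        # grep -c exits 1 when the count is 0; that is not an error here.
        grep -c -- "$1" "$2" || true
    else
        echo U
    fi
}

# The two patterns the plugin greps for.
count_scans()      { count_matches "psad: scan detected" "$1"; }
count_autoblocks() { count_matches "psad: added iptables auto-block against " "$1"; }

# Emit the fetch output in Munin's "field.value N" format.
psad_values() {
    echo "attacks_logged.value $(count_scans "$1")"
    echo "autoblocks_logged.value $(count_autoblocks "$1")"
}

psad_values "$SAMPLE_LOG"
```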