Bash script to detect a server under attack

Detection principle: the inbound packet rate on the interface exceeds 60,000 packets per second and is more than twice the outbound rate. The rates are derived from two samples of /proc/net/dev taken 5 seconds apart; a flood (for example a SYN flood) shows up as a large inbound rate with little reply traffic, whereas legitimate load is roughly symmetric.

#!/bin/bash
# Sample the bond1 rx/tx packet counters from /proc/net/dev twice, 5 s apart.
# Once the "bond1:" colon is replaced by a space, field 3 is received packets
# and field 11 is transmitted packets.
packets1_in=$(sed 's/:/ /' /proc/net/dev | awk '/bond1/{print $3}')
packets1_out=$(sed 's/:/ /' /proc/net/dev | awk '/bond1/{print $11}')
sleep 5
packets2_in=$(sed 's/:/ /' /proc/net/dev | awk '/bond1/{print $3}')
packets2_out=$(sed 's/:/ /' /proc/net/dev | awk '/bond1/{print $11}')

# Per-second rates over the 5 s window (integer arithmetic).
packets_in=$(( (packets2_in - packets1_in) / 5 ))
packets_out=$(( (packets2_out - packets1_out) / 5 ))

# Alert when inbound exceeds 60000 pps and is more than twice outbound.
# Compare against 2*out instead of dividing in/out: a zero outbound count
# would abort expr with a division error, and integer division would round
# a 2.9x ratio down to 2 and miss it.
if [ "$packets_in" -gt 60000 ] && [ "$packets_in" -gt $(( 2 * packets_out )) ]; then
    echo "$packets_in packets in,$packets_out packets out,in/out(packets) > 2"
else
    echo "stat=ok"
fi
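The same check factored into functions and exercised on two constructed /proc/net/dev snapshots, so the rule can be tested without waiting on a live interface. This is an added example, not the page's script; the snapshot text, the interface names, the `iface_packets`, `flood_verdict` and `check_snapshots` helpers and the `--live` flag are all assumptions made here. It matches the interface name exactly (`$1 == iface`) rather than with a regex, so "bond1" cannot also pick up a "bond10" line.

```shell
#!/bin/sh
# Added example: /proc/net/dev-based in/out packet-rate check, with the
# parsing and the verdict split into functions so they can be tested on
# canned input. Not the original page's script.

# Constructed /proc/net/dev snapshots, 5 s apart. bond10 is present to show
# that exact interface matching is needed; eth0 carries normal traffic.
SNAP1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
  eth0: 9000000 100000 0 0 0 0 0 0 8000000 80000 0 0 0 0 0 0
 bond1: 5000000 100000 0 0 0 0 0 0 4000000 80000 0 0 0 0 0 0
bond10: 900000000 9000000 0 0 0 0 0 0 1000 10 0 0 0 0 0 0'
SNAP2='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
  eth0: 9900000 120000 0 0 0 0 0 0 8900000 90000 0 0 0 0 0 0
 bond1: 200000000 500000 0 0 0 0 0 0 5000000 90000 0 0 0 0 0 0
bond10: 990000000 9900000 0 0 0 0 0 0 1000 10 0 0 0 0 0 0'

# Print "rx_packets tx_packets" for one interface from a snapshot.
# The colon may be glued to the name ("eth0:123"), so strip it first;
# then field 3 is rx packets and field 11 is tx packets.
iface_packets() {
    printf '%s\n' "$2" | sed 's/:/ /' | awk -v i="$1" '$1 == i {print $3, $11}'
}

# Apply the rule to two counter pairs. Echoes "attack IN OUT" or "ok IN OUT"
# in packets per second. Comparing in > 2*out instead of dividing keeps a
# zero outbound count from aborting the script and avoids integer rounding.
flood_verdict() {
    in1=$1; out1=$2; in2=$3; out2=$4; interval=$5; threshold=${6:-60000}
    in_pps=$(( (in2 - in1) / interval ))
    out_pps=$(( (out2 - out1) / interval ))
    if [ "$in_pps" -gt "$threshold" ] && [ "$in_pps" -gt $(( 2 * out_pps )) ]; then
        echo "attack $in_pps $out_pps"
    else
        echo "ok $in_pps $out_pps"
    fi
}

# Parse both snapshots for an interface and hand the counters to the rule.
# Returns 2 if the interface is missing from either snapshot.
check_snapshots() {
    iface=$1; snap1=$2; snap2=$3; interval=$4
    set -- $(iface_packets "$iface" "$snap1") $(iface_packets "$iface" "$snap2")
    if [ $# -ne 4 ]; then
        echo "error: $iface not found in both snapshots" >&2
        return 2
    fi
    flood_verdict "$1" "$2" "$3" "$4" "$interval"
}

# Live mode: sample the real /proc/net/dev twice. Only used with --live.
live_check() {
    s1=$(cat /proc/net/dev)
    sleep "$2"
    s2=$(cat /proc/net/dev)
    check_snapshots "$1" "$s1" "$s2" "$2"
}

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-bond1}" 5
else
    # Demo on the constructed snapshots: bond1 floods, eth0 is fine.
    check_snapshots bond1 "$SNAP1" "$SNAP2" 5
    check_snapshots eth0 "$SNAP1" "$SNAP2" 5
fi
```

Run it with no arguments to see the verdict on the canned data, or `sh script.sh --live bond1` to sample the real interface; for cron use, grep the output for `attack`.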
