tiru: i do sounds like an alien
<?php
/*
wursti 3-2012 wegen getstatus flood
wird betrieben per "tcpdump -n -X 'udp and len <= 60' | php getstatusflood.php"
die kiste snifft q3 getstatuspakete und speichert/reagiert 1x pro sekunde.
Kontrolle MySQL auf mileva über "tcpdump "host 192.168.9.5 and tcp port 3306" -n -X"
error_reporting(E_ERROR | E_WARNING | E_PARSE);
*/
$dbhost='***.***.***.***';
$dbusername='********';
$dbuserpass='********';;
$dbname='mydb';
// $now = time();
$in = fopen("php://stdin", "r");
while (!feof($in)) {
$textline = fgets($in);
if (preg_match("/ IP /", $textline)) { //IP Line, 4rd from here must contain getstatus string
$line = 1;
$packetinfo = str_word_count($textline, 1, '1234567890.');
$src = $packetinfo['4'];
// (thats btw lan IP :P) $dst = $packetinfo['5'];
}
if ($line == 4) {
if (preg_match("/getstatus/i", $textline)) { //we found a getstatus packet, lets go cummulate...
$now = time();
$src = explode('.',$src);
$src = $src['0'].".".$src['1'].".".$src['2'].".".$src['3'];
$array[$src]++ ;
if ($last != $now) { //we have a new second!
//echo time()."\n";
echo ".";
//add new IPs to MySQL DB and update existing records
foreach ($array as $src => $count) {
if ($count > 50 && $src != ''){
mysql_connect($dbhost, $dbusername, $dbuserpass) or die(mysql_error());
mysql_select_db($dbname) or die('Cannot select database');
unset ($sql_upsert);
$sql_upsert ="INSERT INTO nat1_flooding_hosts2 (ip,pps_avg,active_sec,last_seen)\n";
$sql_upsert .="VALUES ('$src', '$count', '1', '')\n";
$sql_upsert .="ON DUPLICATE KEY UPDATE active_sec=active_sec+1, pps_avg=((pps_avg * active_sec) + $count)/(active_sec + 1),last_seen=now();\n";
//echo $sql_upsert;
mysql_query($sql_upsert);
//find out wether we have a new record in DB (without SQLing again)
if (mysql_affected_rows()){
if (mysql_affected_rows() == '1'){//on update we have *2* affected rows lol
system("easyrule block wan $src", $return);
echo "$return\n";
}
else { //ausmerzen bei update verdammt :P
system("pfctl -k $src", $states);
system("pfctl -K $src", $srcnodes);
echo "$states\n$srcnodes\n";
}
}
mysql_close();
// $fw_check ="SELECT ip FROM nat1_flooding_hosts2";
// $fw_check .="WHERE active_sec = 1 AND ip = $src";
// $fw_check .=";";
// $result = mysql_query($fw_check, $db);
// echo mysql_result($result, 0);
echo "$src - $count\n";
}
}
//echo ".\n\n";
//unset($src); unset($count); unset($return); unset($states); unset($srcnodes);
unset($array);
}
// echo $src."\n";
$last = $now;
}
}
$line++;
}
?>
Wusrti sows fear.
Who is onlineUsers browsing this forum: No registered users and 40 guests |
Misc
|