-1

I'd like to write a script that gets all the stats I need (top IPs, used memory, netstat, etc.) at the time I get a SYN flood, and writes them to a report file.

So, is it possible to trigger a script/command when the kernel alerts for "possible SYN flooding on port XXX"?

Jun 27 22:12:21 xxxx kernel: [xxxx.xxxx] possible SYN flooding on port 443. Sending cookies.
Jun 27 22:13:22 xxxx kernel: [xxxx.xxxx] possible SYN flooding on port 443. Sending cookies.
Jun 27 22:14:25 xxxx kernel: [xxxx.xxxx] possible SYN flooding on port 443. Sending cookies.

Nuno

1 Answer

2

In short: yes!

But that depends a bit on the syslog daemon you're running.

Syslog-ng allows that with the program() destination.

Rsyslog offers actions.

Colt
HBruijn
  • Thank you very much. I have succeeded in running a script on the event of SYN Flooding. I use "rsyslog". Very kind regards! – Nuno Jul 02 '16 at 08:35
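
One way to wire up the rsyslog route from the answer, as an added example (not code from the original thread): an `omprog` action pipes each kernel alert to a script that extracts the port, rate-limits itself, and writes the report. The script path, the report and state directories, and the 300-second interval are assumptions.

```shell
#!/bin/sh
# Added example. Assumed rsyslog rule (omprog pipes each matching line to stdin):
#   module(load="omprog")
#   if $msg contains 'SYN flooding on port' then {
#     action(type="omprog" binary="/usr/local/sbin/synflood-report.sh --daemon")
#   }
REPORT_DIR=${REPORT_DIR:-/var/log/synflood}   # assumed paths
STATE_DIR=${STATE_DIR:-/run/synflood}
MIN_INTERVAL=${MIN_INTERVAL:-300}             # seconds between reports per port

# Print the port (digits only, safe for file names and ss filters) or fail.
extract_port() {
    port=$(printf '%s\n' "$1" |
        sed -n 's/.*[Pp]ossible SYN flooding on port \([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] && printf '%s\n' "$port"
}

# Rate limit: succeed (and record the time) only if the last report for this
# port is at least MIN_INTERVAL old, so a long flood yields few reports.
should_report() {   # args: port now_epoch
    last=$(cat "$STATE_DIR/last-$1" 2>/dev/null || echo 0)
    [ $(( $2 - last )) -ge "$MIN_INTERVAL" ] || return 1
    echo "$2" > "$STATE_DIR/last-$1"
}

run() { "$@" 2>/dev/null || echo "($1 failed or not installed)"; }
write_report() {   # args: port outfile
    {
        echo "== possible SYN flooding on port $1 at $(date) =="
        echo "-- top peers with half-open (SYN-RECV) connections --"
        run ss -tn state syn-recv "( sport = :$1 )" |
            awk 'NR > 1 { sub(/:[0-9]+$/, "", $4); print $4 }' |
            sort | uniq -c | sort -rn | head -n 20
        echo "-- socket summary --"; run ss -s
        echo "-- memory (MiB) --";   run free -m
    } > "$2"
}

handle_line() {   # args: syslog_line [now_epoch]; 1 = no alert, 2 = rate-limited
    now=${2:-$(date +%s)}
    p=$(extract_port "$1") || return 1
    should_report "$p" "$now" || return 2
    write_report "$p" "$REPORT_DIR/synflood-$p-$now.txt"
}

if [ "${1:-}" = "--daemon" ]; then
    mkdir -p "$REPORT_DIR" "$STATE_DIR"
    while IFS= read -r line; do handle_line "$line" || :; done
fi
```

Because the kernel repeats the alert about once a minute while the flood lasts (as in the log above), the rate limit keeps the reporting itself from adding load to a host that is already under pressure.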