mirror of
https://github.com/ut-dacs/ios-ddos-detect.git
synced 2025-02-12 10:01:51 +00:00
95 lines
3.2 KiB
Tcl
95 lines
3.2 KiB
Tcl
::cisco::eem::event_register_timer watchdog time 2.5 maxrun 1.9
|
|
|
|
namespace import ::cisco::eem::*
|
|
namespace import ::cisco::lib::*
|
|
|
|
array set flow_savedata [list]
|
|
|
|
#
|
|
# Flows in cache
|
|
#
|
|
|
|
# fetch all previous data
|
|
if { [catch {context_retrieve "DDOSDET2" "flow_savedata"} result] } {
|
|
array set oldsavedata [list]
|
|
} else {
|
|
array set oldsavedata $result
|
|
}
|
|
|
|
# fetch flows in cache
|
|
array set snmp_res [sys_reqinfo_snmp oid 1.3.6.1.4.1.9.9.97.1.4.1.1.5 get_type next]
|
|
|
|
if {$_cerrno != 0} {
|
|
set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
|
|
$_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
|
|
action_syslog priority warning msg $result
|
|
error $result
|
|
}
|
|
|
|
#set array with data
|
|
set flowcount(count) $snmp_res(value)
|
|
|
|
if { ![string match "1.3.6.1.4.1.9.9.97.1.4.1.1.5.*" $snmp_res(oid)] } {
|
|
# read wrong SNMP object
|
|
set flow_savedata(flowcount) $oldsavedata(flowcount)
|
|
set flow_savedata(flowcreations) $oldsavedata(flowcreations)
|
|
set flow_savedata(inter) $oldsavedata(inter)
|
|
catch { context_save DDOSDET2 flow_savedata }
|
|
action_syslog priority warning msg "SNMP returned wrong OID!"
|
|
} else {
|
|
|
|
# A sort of hack to prevent issues with weird SNMP behaviour.
|
|
# This is used to test SNMP does not return the previous OID again.
|
|
# We use GETNEXT so that shouldnt happen ...
|
|
set old_oid "false"
|
|
|
|
# This loop is used to query the information for all available modules
|
|
while {[string match "1.3.6.1.4.1.9.9.97.1.4.1.1.5.*" $snmp_res(oid)] && ![string equal $old_oid $snmp_res(oid)]} {
|
|
# action_syslog msg "Flow cache entries: $snmp_res(oid) : $snmp_res(value)"
|
|
set flowcount(count) [expr { $flowcount(count) + $snmp_res(value)}]
|
|
set old_oid $snmp_res(oid)
|
|
array set snmp_res [sys_reqinfo_snmp oid $snmp_res(oid) get_type next]
|
|
}
|
|
|
|
#save array
|
|
set flow_savedata(flowcount) $flowcount(count)
|
|
|
|
# calculate the difference
|
|
if {[info exists oldsavedata(flowcount)]} {
|
|
|
|
# initialize some variables, either from memory or if not available from constants
|
|
if {[info exists oldsavedata(flowcreations)]} {
|
|
set flowcreations $oldsavedata(flowcreations)
|
|
} else {
|
|
set flowcreations 0
|
|
}
|
|
if {[info exists oldsavedata(inter)]} {
|
|
set inter $oldsavedata(inter)
|
|
} else {
|
|
set inter 0
|
|
}
|
|
|
|
# the actual difference
|
|
set diff [expr {$flowcount(count) - $oldsavedata(flowcount)}]
|
|
|
|
# Branch based on the sign
|
|
if {[expr {$diff > 0}]} {
|
|
# If its positive, we can just use it
|
|
set flow_savedata(flowcreations) [expr {$flowcreations + $diff}]
|
|
set flow_savedata(inter) [expr {0.65 * $inter + 0.35 * $diff}]
|
|
} else {
|
|
# If its negative, a lot of flows have been exported, and to counter this we use an
|
|
# inter-/extrapolated value
|
|
set flow_savedata(inter) $inter
|
|
set flow_savedata(flowcreations) [expr {$flowcreations + $inter}]
|
|
}
|
|
|
|
} else {
|
|
set flow_savedata(flowcreations) $flowcount(count)
|
|
set flow_savedata(inter) 0
|
|
}
|
|
|
|
# save actual save data
|
|
catch { context_save DDOSDET2 flow_savedata }
|
|
}
|
|
|