DDoS Detection & Packet Capture Script
<?php
# DDoS Detection & Packet Capture Script
# Written by Robert 'xnite' Whitney
# Website: http://xnite.org
# Email: xnite@xnite.org
# Run script as root via crontab every 5 to 10 minutes
# Ensure all dependencies are satisfied before running this script (ifstat, tcpdump, php)
# This script will only allow a single tcpdump process to run at once
# Configuration
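declare(strict_types=1);

# Configuration
$CONFIG = [
    'device'          => 'eth0',          // Interface to watch and capture on; `ip link` / ifconfig lists the names.
    'report_speed'    => 15,              // Threshold in MB/s. ifstat reports KB/s, so it is scaled by 1024 below.
    'packets2capture' => 1000,            // Packets written per pcap before tcpdump exits on its own.
    'save_to'         => '/var/log/ddos', // Directory for pcap files, without a trailing /.
];
# Do not edit below this line!

$device       = (string) $CONFIG['device'];
$folder       = rtrim((string) $CONFIG['save_to'], '/');
$packnum      = (int) $CONFIG['packets2capture'];
$ts           = time();
$report_speed = $CONFIG['report_speed'] * 1024; // MB/s -> KB/s, the unit ifstat prints

// Sample the configured interface once over a half-second window. ifstat prints a header and
// then "KB/s in  KB/s out" as two decimal numbers; grep -o reduces that to one number per line.
// -i restricts ifstat to $device: without it the numbers belong to whichever interface ifstat
// lists first, not necessarily the one tcpdump is pointed at.
exec(
    '/usr/bin/ifstat -i ' . escapeshellarg($device) . " .5 1 | /bin/grep -o '[0-9]\{1,9\}\.[0-9]\{1,9\}'",
    $iospeed,
    $rc
);
if ($rc !== 0 || count($iospeed) < 2) {
    // With no samples the old comparison silently treated the link as idle and never captured;
    // fail loudly instead so cron mails the error.
    fwrite(STDERR, "Could not read throughput for $device from ifstat (exit status $rc).\n");
    exit(1);
}
$throughput = (float) $iospeed[0] + (float) $iospeed[1]; // in + out, KB/s

if ($throughput < $report_speed) {
    echo "$throughput is less than $report_speed.\n";
    exit(0);
}

$pcap = "$folder/$ts.ddos.pcap";
echo "$throughput is equal to or greater than $report_speed.\n";
echo "Capturing tcpdump.\nPackets: $packnum\nInterface: $device\n Saving to: $pcap\n";

// Captures contain raw packet payloads; create the directory root-only if it is missing
// rather than letting tcpdump fail quietly on a non-existent path.
if (!is_dir($folder) && !mkdir($folder, 0700, true) && !is_dir($folder)) {
    fwrite(STDERR, "Cannot create capture directory $folder.\n");
    exit(1);
}

// A previous run's tcpdump may still be waiting for its packet count if traffic dropped.
// Match only captures this script started (by their output path) instead of every tcpdump on
// the host, and send SIGTERM rather than SIGKILL so tcpdump flushes the pcap instead of
// leaving it truncated. The [t] bracket keeps the pattern from matching the shell running
// pkill itself.
exec('/usr/bin/pkill -f ' . escapeshellarg("[t]cpdump .* -w $folder/"));

// exec() blocks until tcpdump has written $packnum packets; at the threshold rate that is
// near-instant. Arguments are escaped even though they come from config, since this runs as root.
exec(
    sprintf(
        '/usr/sbin/tcpdump -nn -i %s -s 0 -c %d -w %s',
        escapeshellarg($device),
        $packnum,
        escapeshellarg($pcap)
    ),
    $tcpdumpOut,
    $rc
);
if ($rc !== 0) {
    fwrite(STDERR, "tcpdump exited with status $rc; check $pcap.\n");
    exit(1);
}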
?>