Hi
I'm using collectd 4.10.1-1+squeeze2, also on my gateway.
Sometimes I notice SYN-flood attacks on the gateway, identified by a lot of
packets on the external interface, and of course I collect this data with
collectd and transfer it via the network plugin to a defined
collectd server.
I'd like to be able to react directly on the gateway the moment the
SYN attack starts, because these attacks are often really short, less than a
minute.
For instance, I'd like to dump packets using tcpdump.
So I have read something about collectd thresholds, notifications,
NotificationExec and Chains + Targets.
The question is:
which configuration would be the best solution to fix the problem? For
instance:
if I define a threshold configuration, I don't want to get a notification,
but rather execute a script to dump the packets:
<Threshold>
  <Plugin "interface">
    <Type "if_packets">
      Instance "eth0"
      DataSource "rx"
      FailureMax 100000
    </Type>
  </Plugin>
</Threshold>
any suggestions ?!
lftgl
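As an added example (not from the post above), here is one way to wire the threshold to a script instead of a plain notification: the exec plugin's NotificationExec runs a handler for every notification, and the handler reacts only to the FAILURE for interface/if_packets/rx and starts a bounded tcpdump. The install path, the unprivileged user, the sudo prefix, the capture directory and duration, and the --handle flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): a NotificationExec handler for the
# if_packets threshold. Assumed collectd.conf wiring on the gateway:
#   <Plugin exec>
#     NotificationExec "nobody" "/usr/local/sbin/synflood-capture" "--handle"
#   </Plugin>
# collectd writes the notification to stdin as "Key: value" header lines, a
# blank line, then the message text (see collectd-exec(5)). collectd refuses
# to exec as root, so the user needs rights to run tcpdump, e.g. a sudoers
# rule; the sudo prefix, paths and capture duration below are assumptions.
CAPTURE_DIR="${CAPTURE_DIR:-/var/tmp/synflood}"
CAPTURE_SECONDS="${CAPTURE_SECONDS:-60}"
LOCK="$CAPTURE_DIR/capture.lock"

# Parse the notification header and decide whether to react. Prints
# "capture <iface>" for an interface/if_packets rx FAILURE, else "ignore".
decide() {
    severity="" plugin="" pinst="" type="" ds=""
    while IFS= read -r line; do
        [ -z "$line" ] && break               # blank line ends the header
        key=${line%%:*}
        val=${line#*: }
        case "$key" in
            Severity)       severity=$val ;;
            Plugin)         plugin=$val ;;
            PluginInstance) pinst=$val ;;
            Type)           type=$val ;;
            DataSource)     ds=$val ;;
        esac
    done
    if [ "$severity" = FAILURE ] && [ "$plugin" = interface ] &&
       [ "$type" = if_packets ] && [ "$ds" = rx ] && [ -n "$pinst" ]; then
        echo "capture $pinst"
    else
        echo ignore
    fi
}

# Bounded capture of incoming SYNs on the interface; the lock directory keeps
# a burst of notifications from spawning several tcpdumps at once.
start_capture() {
    iface=$1
    mkdir -p "$CAPTURE_DIR"
    mkdir "$LOCK" 2>/dev/null || { echo "capture already running" >&2; return 0; }
    out="$CAPTURE_DIR/syn-$iface-$(date +%Y%m%d-%H%M%S).pcap"
    ( timeout "$CAPTURE_SECONDS" sudo tcpdump -i "$iface" -n -w "$out" \
          'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'; rmdir "$LOCK" ) &
}

if [ "${1:-}" = --handle ]; then
    set -- $(decide); [ "$1" = capture ] && start_capture "$2"
fi
```

The OKAY notification collectd sends when the value drops back below FailureMax is ignored by design, so only the onset of the burst triggers a capture.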
_______________________________________________
collectd mailing list
[email protected]
http://mailman.verplant.org/listinfo/collectd