Untitled

<?php

# DDoS Detection & Packet Capture Script
# Written by Robert 'xnite' Whitney
# Website: http://xnite.org
# Email:   xnite@xnite.org

# Run script as root via crontab every 5 to 10 minutes
# Ensure all dependences are satisfied before running this script (ifstat, tcpdump, php)
# This script will only allow a single tcpdump process to run at once

# Configuration
$CONFIG = [
    'device'                => 'eth0', //Usually eth0, if you are unsure, you can find the device name by running ifconfig.
    'report_speed'          => '15', //MBps that you want to start tracking at.
    'packets2capture'       => '1000', //Number of packets to capture in pcap dump.
    'save_to'               => '/var/log/ddos' //Path to save ddos pcap logs to without the trailing /.
];

while (true){
    # Do not edit below this line!
    exec("/usr/bin/ifstat .5 1 | /bin/grep -o '[0-9]\{1,9\}\.[0-9]\{1,9\}'", $iospeed);
    $report_speed = $CONFIG['report_speed']*1024;
    $ts = date('U');
    $folder = $CONFIG['save_to'];
    $interface = $CONFIG['device'];
    $packnum = $CONFIG['packets2capture'];
    if($iospeed[0]+$iospeed[1] >= $CONFIG['report_speed']*1024) {
        echo $iospeed[0]+$iospeed[1]." is equal to or greater than $report_speed.\n";
        echo "Capturing tcpdump.\nPackets: $packnum\nInterface: $interface\n Saving to: $folder/$ts.ddos.pcap\n";
        exec("/usr/bin/pkill -9 tcpdump");
        exec("/usr/sbin/tcpdump -nn -i $interface -s 0 -c $packnum -w $folder/$ts.ddos.pcap");
    } else {
        echo $iospeed[0]+$iospeed[1]." is less than $report_speed.\n";
    }

    sleep(1);
}


?>