tjohnson
Member Candidate
Topic Author
Posts: 127
Joined: Thu Aug 12, 2004 7:01 am

ICMP script

Sun Sep 30, 2007 5:18 am

Hi,

I need a script that will watch for ICMP packets per second on an interface and, if it exceeds 100pps, send an email listing the source and destination IPs for the offending connection.

thanks,

Travis
 
sariao
Frequent Visitor
Posts: 92
Joined: Thu Jul 08, 2004 10:55 am
Location: Saudi Arabia

Re: ICMP script

Fri Oct 12, 2007 8:26 pm

You can do something like this:
/ip firewall filter
add chain=input protocol=icmp limit=100/1s,2 comment="Allow limited pings"
add chain=input action=add-src-to-address-list protocol=icmp address-list=ICMP_blacklist address-list-timeout=4d comment="list excess pings"
This will list any IP that exceeds the ping limit for 4 days, so you can send them by email. I did not test it, anyway.
 
tjohnson
Member Candidate
Topic Author
Posts: 127
Joined: Thu Aug 12, 2004 7:01 am

Re: ICMP script

Fri Oct 12, 2007 9:46 pm

This needs to be for ICMP packets going through the router... but when I change it to a "forward" rule, any time the total ICMP traffic goes over 100, it lists every single IP that has ICMP, not just the ones that are over.
 
sariao
Frequent Visitor
Posts: 92
Joined: Thu Jul 08, 2004 10:55 am
Location: Saudi Arabia

Re: ICMP script

Sat Oct 13, 2007 3:10 am

That's true. OK, I have written this script; install it and try it.

1- add this code to a script and name it "icmp_scan"
:local last
# remove per-host rules whose source address is no longer in the address lists
:foreach ip in [/ip firewall filter find chain=icmp_chk comment=icmp_chk] do {:if ([/ip firewall address-list find address=[/ip firewall filter get $ip src-address]] = "") do {/ip firewall filter remove $ip}}
# give every source currently in icmp_temp its own 100pps limit rule
:foreach address in [/ip firewall address-list find list=icmp_temp] do {:if ([/ip firewall filter find src-address=[/ip firewall address-list get $address address]] = "") do {/ip firewall filter add chain=icmp_chk src-address=[/ip firewall address-list get $address address] protocol=icmp limit=100/1s,2 comment=icmp_chk}}
# re-create the final rule so that it stays last in the chain
:set last [/ip firewall filter find chain=icmp_chk comment=last]
:if ($last != "") do {/ip firewall filter remove $last}
/ip firewall filter add chain=icmp_chk comment=last action=add-src-to-address-list protocol=icmp address-list=ICMP_Blacklist address-list-timeout=4d
2- run these lines:
/system scheduler add name="icmp_scan" on-event=icmp_scan interval=30s comment="Scan ICMP Lists" disabled=no
/ip firewall filter add chain=forward protocol=icmp action=add-src-to-address-list address-list=icmp_temp address-list-timeout=1m comment="List ICMP Packets"
/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp_chk comment="Scan ICMP Traffic per host"
This code will dynamically add each src-ip using the ICMP protocol to the filter list and remove it once it stops. The script will run every 30s; you can adjust this interval in the scheduler.
This code can be developed to monitor almost anything, not only ICMP, with some minor changes of course.
This code has been tested.
 
tjohnson
Member Candidate
Topic Author
Posts: 127
Joined: Thu Aug 12, 2004 7:01 am

Re: ICMP script

Sun Oct 14, 2007 5:58 am

This still puts every single IP address that has any ICMP packets into the address list, not just those over the 100pps limit.
 
sariao
Frequent Visitor
Posts: 92
Joined: Thu Jul 08, 2004 10:55 am
Location: Saudi Arabia

Re: ICMP script

Sun Oct 14, 2007 1:51 pm

Dear,
have you tested the script?
In the address list there are two lists: one called "icmp_temp", which is used for temporary scanning, but the final list is "ICMP_Blacklist", which has all IPs that exceed 100pps.

Don't try to follow the code; test it in your router and then let me know.
 
sariao
Frequent Visitor
Posts: 92
Joined: Thu Jul 08, 2004 10:55 am
Location: Saudi Arabia

Re: ICMP script

Tue Oct 16, 2007 8:55 pm

Yes, there was a minor bug. However, I have updated the code; try it and let me know.

1- add this code to a script and name it "icmp_scan"
# remove per-host rule pairs whose source address is no longer in icmp_temp
:foreach ip in [/ip firewall filter find chain=icmp_chk comment=icmp_chk] do {:if ([/ip firewall address-list find list="icmp_temp" address=[/ip firewall filter get $ip src-address]] = "") do {/ip firewall filter remove $ip}}
# for every source in icmp_temp that has no rules yet, add a pair:
# the first accepts up to 100pps, the second lists whatever exceeds it
:foreach address in [/ip firewall address-list find list=icmp_temp] do {
:if ([/ip firewall filter find chain=icmp_chk comment=icmp_chk src-address=[/ip firewall address-list get $address address]] = "") do {
/ip firewall filter add chain=icmp_chk src-address=[/ip firewall address-list get $address address] protocol=icmp limit=100/1s,2 comment=icmp_chk
/ip firewall filter add chain=icmp_chk src-address=[/ip firewall address-list get $address address] comment=icmp_chk action=add-src-to-address-list protocol=icmp address-list=ICMP_Blacklist address-list-timeout=4d
}
}
2- run these lines:
/system scheduler add name="icmp_scan" on-event=icmp_scan interval=30s comment="Scan ICMP Lists" disabled=no
/ip firewall filter add chain=forward protocol=icmp action=add-src-to-address-list address-list=icmp_temp address-list-timeout=1m comment="List ICMP Packets"
/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp_chk comment="Scan ICMP Traffic per host"
And one more thing about the 100pps: to make it practical, I think you have to adjust this value to be even less than 100, or more than 1s.

Regards.
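The thread stops at filling the ICMP_Blacklist list and never gets to the e-mail part of the original question, nor to the destination addresses. The script below is an added example, not code from any post above, that closes that gap. It assumes current RouterOS v6/v7 script syntax (`in=`, `do={ }`) rather than the 2.9 syntax used in the posts, that `/tool e-mail` is already configured with a server and from-address, and that the per-host blacklist rule from the previous post was created with `log=yes log-prefix="icmp-flood"` (a v6+ rule attribute) and its own `limit` (for example `limit=1/1m,1:packet`) so each offender leaves a handful of firewall log lines carrying the src->dst pair instead of thousands. The recipient address and the script name `icmp_mail` are placeholders.

```routeros
# Added example (not from the thread): e-mail the ICMP_Blacklist contents
# together with the src->dst pairs recorded in the firewall log.
# Assumptions, none of which appear in the original posts:
#   - RouterOS v6/v7 script syntax
#   - /tool e-mail is configured (server, from address)
#   - the per-host blacklist rule has log=yes log-prefix="icmp-flood"
#     and a limit so it does not flood the log
# Install as a script named "icmp_mail" and schedule it, e.g.
#   /system scheduler add name=icmp_mail on-event=icmp_mail interval=1m

# addresses already reported; ";a.b.c.d;" entries, the delimiters keep
# 10.0.0.1 from matching inside 10.0.0.10
:global icmpMailed
:if ([:typeof $icmpMailed] != "str") do={ :set icmpMailed "" }

:local report ""
:local seen ""
:foreach i in=[/ip firewall address-list find list=ICMP_Blacklist] do={
    :local src [/ip firewall address-list get $i address]
    :if ([:typeof [:find $icmpMailed (";" . $src . ";")]] = "nil") do={
        :set report ($report . "source " . $src . "\n")
        # firewall log lines look like
        #   icmp-flood forward: in:ether1 out:ether2, proto ICMP (type 8, code 0), 10.0.0.5->203.0.113.9, len 84
        # so "<src>->" picks out this host's lines and their destinations
        :foreach l in=[/log find message~("icmp-flood.*" . $src . "->")] do={
            :set report ($report . "  " . [/log get $l time] . " " . [/log get $l message] . "\n")
        }
    }
    # rebuild the "already mailed" set from what is in the list right now,
    # so a host that ages out after 4 days is reported again if it returns
    :set seen ($seen . ";" . $src . ";")
}
:set icmpMailed $seen

:if ([:len $report] > 0) do={
    # noc@example.com is a placeholder recipient
    /tool e-mail send to="noc@example.com" subject=([/system identity get name] . ": ICMP over 100pps") body=("Hosts exceeding the per-source ICMP limit:\n" . $report)
    :log warning ("icmp_mail: report sent\n" . $report)
}
```

Two practical caveats. The `:global` survives only until reboot, so the first run after a reboot re-mails whatever is still in the 4-day list; that is usually acceptable, and the alternative of marking dynamic address-list entries is not available. The destination pairs come from the router's memory log, which by default keeps only the most recent 1000 lines; if you want a durable record of who was flooding whom, add a `/system logging` action that writes the `icmp-flood` lines to disk or to a remote syslog host instead of relying on the in-memory buffer.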
