Portsentry Integration


Introduction

This example explains how to easily generate alerts in Nagios for port scans that are detected by Psionic Software's Portsentry software. These directions assume that the host for which you are generating alerts (i.e. the host running Portsentry) is not the same host on which Nagios is running. If you want to generate alerts for the host that Nagios itself runs on, you will need to make a few modifications to the examples I provide. I also assume that you have installed the nsca daemon on your monitoring server and the nsca client (send_nsca) on the machine that runs Portsentry.

Defining The Service

First off, you're going to have to define a service for the port scan alerts in your object configuration file. Assuming that the host the alerts originate from is called firestorm, a sample service definition might look something like this:

define service{
	host_name                       firestorm
	service_description             Port Scans
	is_volatile                     1
	active_checks_enabled           0
	passive_checks_enabled          1
	max_check_attempts              1
	contact_groups                  security-admins
	notification_interval           120
	notification_period             24x7
	notification_options            w,u,c,r
	check_command                   check_none
	}

The important things to note are that this service has the volatile option enabled and that active checks are disabled. We want the volatile option enabled because we want a notification to be generated for every alert that comes in, not just on a state change. The command given in the check_command option is never actually run; it's just there to keep Nagios from complaining. Passive checks are enabled, however, because all port scan alert information will be sent in passively by the nsca client on the firestorm host.

Configuring Portsentry

In order to get Portsentry to send an alert to your monitoring box when it detects a port scan, you'll need to define a command for the KILL_RUN_CMD option in the Portsentry config file (portsentry.conf). It should look something like the following:

KILL_RUN_CMD="/usr/local/nagios/libexec/eventhandlers/handle_port_scan $TARGET$ $PORT$"

This line assumes that there is a script called handle_port_scan in the /usr/local/nagios/libexec/eventhandlers/ directory on firestorm. The directory and script name can be changed to whatever you want.

Writing The Script

The last thing you need to do is write the handle_port_scan script on firestorm that will send the alert back to the monitoring host. It might look something like this:

#!/bin/sh

# Arguments:
#	$1 = target
#	$2 = port

# Submit port scan to Nagios
/usr/local/nagios/libexec/eventhandlers/submit_check_result firestorm "Port Scans" 2 "Port scan from $1 on port $2.  Host has been firewalled."

Notice that the handle_port_scan script calls submit_check_result to actually send the alert back to the monitoring host. Assuming your monitoring host is called monitor, the submit_check_result script might look like this (you'll have to modify it to specify the proper location of the send_nsca program on firestorm):

#!/bin/sh

# Arguments
#	$1 = name of host in service definition
#	$2 = name/description of service in service definition
#	$3 = return code
#	$4 = output

/bin/echo -e "$1\t$2\t$3\t$4\n" | /usr/local/nagios/bin/send_nsca monitor -c /usr/local/nagios/etc/send_nsca.cfg
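As an added example (not from the Nagios documentation or the Portsentry project), here is a hardened version of the two scripts above that validates the $TARGET$ and $PORT$ values Portsentry supplies before they reach a command line and keeps a stray tab or newline in the plugin output from shifting the tab-separated NSCA fields. The function names and the SEND_NSCA, NSCA_CFG and NAGIOS_HOST variables are assumptions of this example.

```sh
#!/bin/sh
# Added example (not the Nagios documentation's own scripts): hardened
# building blocks for the handle_port_scan / submit_check_result pair above.
# The function names and the SEND_NSCA, NSCA_CFG and NAGIOS_HOST variables
# are this example's own assumptions.

# Check what Portsentry hands us via $TARGET$ and $PORT$ before it reaches a
# command line or the NSCA line: a dotted-quad IPv4 address with octets
# 0-255 and a port number 1-65535.  Returns 0 if both look sane, 1 if not.
validate_scan_args() {
    target=$1; port=$2
    printf '%s\n' "$target" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s\n' "$target" | tr '.' ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$port" in *[!0-9]*|"") return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Build the single line send_nsca expects on stdin:
#   host<TAB>service<TAB>return_code<TAB>plugin_output<NEWLINE>
# A tab or newline inside the plugin output would shift the fields, so they
# are replaced with spaces; the return code must be one of 0..3.
build_nsca_line() {
    host=$1; service=$2; code=$3; output=$4
    case "$code" in 0|1|2|3) ;; *) return 1 ;; esac
    output=$(printf '%s' "$output" | tr '\t\n' '  ')
    printf '%s\t%s\t%s\t%s\n' "$host" "$service" "$code" "$output"
}

# Equivalent of the handle_port_scan script above, using printf instead of
# "echo -e" (whose behaviour differs between /bin/sh implementations).
SEND_NSCA=${SEND_NSCA:-/usr/local/nagios/bin/send_nsca}
NSCA_CFG=${NSCA_CFG:-/usr/local/nagios/etc/send_nsca.cfg}
NAGIOS_HOST=${NAGIOS_HOST:-monitor}

handle_port_scan() {
    validate_scan_args "$1" "$2" || {
        echo "handle_port_scan: ignoring malformed arguments" >&2; return 1; }
    build_nsca_line firestorm "Port Scans" 2 \
        "Port scan from $1 on port $2.  Host has been firewalled." |
        "$SEND_NSCA" "$NAGIOS_HOST" -c "$NSCA_CFG"
}

# Invoked by Portsentry as KILL_RUN_CMD="/path/handle_port_scan $TARGET$ $PORT$"
if [ $# -eq 2 ]; then
    handle_port_scan "$@"
fi
```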

Finishing Up

You've now configured everything you need to, so all that's left is to restart the portsentry process on firestorm and restart Nagios on your monitoring server. That's it! When Portsentry on firestorm detects a port scan, you should get alerts in Nagios. The plugin output for the alert will look something like the following:

Port scan from 24.24.137.131 on port 21. Host has been firewalled.