#! /usr/bin/perl -w
#
# check_netscreen_ids - nagios plugin
#
# Description: plugin to query a netscreen firewall and report
# the number of attacks as counted by the internal netscreen ids
#
##
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
#
# Report bugs to: ssugar@proserveit.com
#
# This plugin is based on existing work from lots of users.
# No liability

use POSIX;
use strict;
# Update the following value to reflect your install
use lib "/usr/local/nagios/libexec"  ;
use utils qw($TIMEOUT %ERRORS &print_revision &support);

use Net::SNMP;
use Getopt::Long;
&Getopt::Long::config('bundling');

my $PROGNAME = "check_netscreen_ids";
my $status;

my $state = "UNKNOWN";
my $answer = "";
my $snmpkey = 0;
my $community = "public";
my $port = 161;
my @snmpoids;
my $snmpnsIdsAddrSpoofAttk = '.1.3.6.1.4.1.3224.3.2.1.7.2';
my $snmpnsIdsIcmpFloodAttk = '.1.3.6.1.4.1.3224.3.2.1.9.2';
my $snmpnsIdsLandAttk = '.1.3.6.1.4.1.3224.3.2.1.8.2';
my $snmpnsIdsPingOfDeathAttk = '.1.3.6.1.4.1.3224.3.2.1.6.2';
my $snmpnsIdsPortScanAttk = '.1.3.6.1.4.1.3224.3.2.1.12.2';
my $snmpnsIdsSourceRouteAttk = '.1.3.6.1.4.1.3224.3.2.1.5.2';
my $snmpnsIdsSyncAttk = '.1.3.6.1.4.1.3224.3.2.1.3.2';
my $snmpnsIdsTearDropAttk = '.1.3.6.1.4.1.3224.3.2.1.4.2';
my $snmpnsIdsUdpFloodAttk = '.1.3.6.1.4.1.3224.3.2.1.10.2';
my $snmpnsIdsWinNukeAttk = '.1.3.6.1.4.1.3224.3.2.1.11.2';

my $hostname;
my $memory;
my $error;
my $response;
my $snmp_version = 1 ;
my $opt_h ;
my $opt_w = 9999;
my $opt_c = 1;
my $opt_V ;
my $attacks = "All";
my $PortScanAttk = 0;
my $PingOfDeathAttk = 0;

# Just in case of problems, let's not hang Nagios
$SIG{'ALRM'} = sub {
     print ("ERROR: No snmp response from $hostname (alarm)\n");
     exit $ERRORS{"UNKNOWN"};
};
alarm($TIMEOUT);


$status = GetOptions(
			"V"   => \$opt_V, "version"    => \$opt_V,
			"w=i"   => \$opt_w, "warning=i"    => \$opt_w,
			"c=i"   => \$opt_c, "critical=i"    => \$opt_c,
			"h"   => \$opt_h, "help"       => \$opt_h,
			"v=i" => \$snmp_version, "snmp_version=i"  => \$snmp_version,
			"C=s" =>\$community, "community=s" => \$community,
			"p=i" =>\$port,  "port=i",\$port,
			"H=s" => \$hostname, "hostname=s" => \$hostname,
			"a=s" => \$attacks, "type=s" => \$attacks);



if ($status == 0)
{
	print_help();
	exit $ERRORS{'OK'};
}

if ($opt_V) {
	print_revision($PROGNAME,'$Revision: 0.5b $ ');
	exit $ERRORS{'OK'};
}

if ($opt_h) {
	print_help();
	exit $ERRORS{'OK'};
}

if (! utils::is_hostname($hostname)){
	usage();
	exit $ERRORS{"UNKNOWN"};
}


if ( $snmp_version =~ /[12]/ ) {
   ($memory, $error) = Net::SNMP->session(
		-hostname  => $hostname,
		-community => $community,
		-port      => $port,
		-version	=> $snmp_version
	);

	if (!defined($memory)) {
		$state='UNKNOWN';
		$answer=$error;
		print ("$state: $answer");
		exit $ERRORS{$state};
	}
}elsif ( $snmp_version =~ /3/ ) {
	$state='UNKNOWN';
	print ("$state: No support for SNMP v3 yet\n");
	exit $ERRORS{$state};
}else{
	$state='UNKNOWN';
	print ("$state: No support for SNMP v$snmp_version yet\n");
	exit $ERRORS{$state};
}

push(@snmpoids,$snmpnsIdsAddrSpoofAttk);
push(@snmpoids,$snmpnsIdsIcmpFloodAttk);
push(@snmpoids,$snmpnsIdsLandAttk);
push(@snmpoids,$snmpnsIdsPingOfDeathAttk);
push(@snmpoids,$snmpnsIdsPortScanAttk);
push(@snmpoids,$snmpnsIdsSourceRouteAttk);
push(@snmpoids,$snmpnsIdsSyncAttk);
push(@snmpoids,$snmpnsIdsTearDropAttk);
push(@snmpoids,$snmpnsIdsUdpFloodAttk);
push(@snmpoids,$snmpnsIdsWinNukeAttk);

   if (!defined($response = $memory->get_request(@snmpoids))) {
      print ("$memory->error\n");
      $answer=$memory->error;
      $memory->close;
      $state = 'CRITICAL';
      print ("$state: $answer\n");
      exit $ERRORS{$state};
   }

if ($attacks =~ "All"){
                $answer = sprintf("host '%s', IDS Monitor : Address Spoof Attempts: %s, ICMP Floods: %s, Land Attacks: %s, Ping of Death Attacks: %s, Port Scans: %s, Source Route Attacks: %s, Sync Attacks: %s, Tear Drop Attacks: %s, UDP Floods: %s, Win Nuke Attacks: %s\n",
                        $hostname,
                        $response->{$snmpnsIdsAddrSpoofAttk},
                        $response->{$snmpnsIdsIcmpFloodAttk},
                        $response->{$snmpnsIdsLandAttk},
                        $response->{$snmpnsIdsPingOfDeathAttk},
                        $response->{$snmpnsIdsPortScanAttk},
                        $response->{$snmpnsIdsSourceRouteAttk},
                        $response->{$snmpnsIdsSyncAttk},
                        $response->{$snmpnsIdsTearDropAttk},
                        $response->{$snmpnsIdsUdpFloodAttk},
                        $response->{$snmpnsIdsWinNukeAttk}
	               );
}
else{
	$state='UNKNOWN';
	print ("$state: Only All works for the -a option At this time. Use grep if you want something specific until i finish it.\n");
	exit $ERRORS{$state};
}

$memory->close;

$PortScanAttk = $response->{$snmpnsIdsPortScanAttk};
$PingOfDeathAttk = $response->{$snmpnsIdsPingOfDeathAttk};

$state = 'OK';

if ( $PortScanAttk >= $opt_w ) {
	$state = 'WARNING';
}
elsif ( $PingOfDeathAttk >= $opt_c ) {
	$state = 'CRITICAL';
}


print ("$state: $answer");
exit $ERRORS{$state};


sub usage {
  printf "\nMissing arguments!\n";
  printf "\n";
  printf "usage: \n";
  printf "$PROGNAME -H <HOSTNAME> [-C <community>] [-w warning] [-c critical]\n";
  printf "For help, try: $PROGNAME -h \n";
  printf "Copyright (C) 2005 Scott Sugar\n";
  printf "$PROGNAME comes with ABSOLUTELY NO WARRANTY\n";
  printf "This programm is licensed under the terms of the ";
  printf "GNU General Public License\n(check source code for details)\n";
  printf "\n\n";
  exit $ERRORS{"UNKNOWN"};
}

sub print_help {
	printf "$PROGNAME plugin for Nagios monitors the IDS\n";
  	printf "for a Netscreen Firewall\n";
	printf "\nUsage:\n";
	printf "   -H (--hostname)   Hostname to query - (required)\n";
	printf "   -C (--community)  SNMP read community <- defaults to public,\n";
	printf "                     used with SNMP v1 and v2c\n";
        printf "   -w                Integer Threshold for Port Scan Attacks\n";
        printf "   -c                Integer Threshold for Ping of Death Attacks\n";
	printf "   -a		     What type of attacks to monitor <- only All works in this version\n";
	printf "   -v (--snmp_version)  1 for SNMP v1 (default)\n";
	printf "                        2 for SNMP v2c\n";
	printf "                        SNMP v2c will use get_bulk for less overhead\n";
	printf "                        if monitoring with -d\n";
	printf "   -p (--port)       SNMP port (default 161)\n";
	printf "   -V (--version)    Plugin version\n";
	printf "   -h (--help)       usage help \n\n";
	print_revision($PROGNAME, '$Revision: 0.5b $');
}