tcpdump做的IDS
时间:2005-11-23 来源:vyouzhi
本想做详细一点功能多点的,
算了就这样
以后再加强
#!/bin/bash
#
# 这是以tcpdump来做的一个IDS,功能很简单,不过应该够用了
#
#
##############################################
## 防止两个tcpdump在运行 ######
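## 防止两个tcpdump在运行 ######
# Refuse to start while a capture is already running.  The old check appended
# "1" to the output of `ps aux | grep` and compared it with -gt: an empty
# match became "1" (never "running"), and two or more matching PIDs produced a
# multi-line value that `[ -gt ]` cannot parse at all.  pgrep -f with an
# anchored pattern matches only a real /usr/sbin/tcpdump command line, so this
# script, a grep or an awk can never count as "tcpdump".
tcpdump_bin=/usr/sbin/tcpdump
if running_pids=$(pgrep -f "^${tcpdump_bin}( |$)"); then
  printf 'tcpdump pid(s): %s\n' "${running_pids//$'\n'/ }"
  echo "the tcpdump is running!!!"
  exit 0   # kept at 0: the original exits 0 here and cron callers may rely on it
fi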
## 开始记录数据 并让tcpdump在5分钟后再运行 #######
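## 开始记录数据 并让tcpdump在5分钟后再运行 #######
# Capture 1024 packets (traffic to/from this host excluded) and judge the
# server by how long they took to arrive: 1024 packets in 2 minutes or less is
# reported as "not ok", more than 2 minutes as "ok".  Then sleep 5 minutes
# and repeat, forever.
#
# Tunables (environment, optional, defaults keep the old behaviour):
#   MEIP  - address of this host, excluded from the capture filter
#   IFACE - interface to sniff (default eth0)
tcpdump_bin=/usr/sbin/tcpdump
meip=${MEIP:-211.139.17.62}
iface=${IFACE:-eth0}
while true; do
  if [[ ! -x "$tcpdump_bin" ]]; then
    # The original fell through with oldtime empty and reported nowtime-0 as
    # the interval, printing a bogus verdict every 5 minutes.  Warn and skip
    # the comparison instead, but keep looping in case tcpdump appears later.
    printf 'warning: %s is missing or not executable\n' "$tcpdump_bin" >&2
    sleep 300
    continue
  fi
  # %d%H:%M:%S reproduces the old "day + clock" file name that was built from
  # `date | awk '{ print $3 $4 }'`, without depending on the locale's field
  # order.
  datelog=$(date '+%d%H:%M:%S')
  # Epoch seconds: the original compared minute-of-hour values, which go
  # negative (and mis-classify the run) whenever the capture crosses an hour
  # boundary.
  oldtime=$(date +%s)
  # -w stores raw packets with payloads, so the .log files in the current
  # directory are as sensitive as the traffic itself; run from a directory
  # that only root can read.
  "$tcpdump_bin" -S -vv -i "$iface" ! host "$meip" -w "${datelog}.log" -c 1024
  ## 从时间上去判断 #######
  nowtime=$(date +%s)
  differtime=$(( (nowtime - oldtime) / 60 ))   # whole minutes, as before
  echo "$differtime"
  if [[ "$differtime" -gt 2 ]]; then
    echo "the differtime is bigger than 2,and the server is ok"
  else
    echo "the differtime is laster than 2,and the server isn't ok"
  fi
  sleep 300
done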