Hello,

In the get_botnets_emerging-botcc script change line 20:

my ($ip_list) = $line=~m/alert ip \$HOME_NET any \-\> \[([^\]]+)\]/;

to:

my ($ip_list) = $line=~m/alert tcp \$HOME_NET any \-\> \[([^\]]+)\]/;

After changing "alert ip" to "alert tcp" the script should process the file without problems.

Best regards,
Jose

On 17/10/12 14:48, Nikolaos Milas wrote:
> Hello,
>
> I have problems working with the Botnets nfsen plugin. I am running 1.3.6p1
> on CentOS 5.8 x86_64.
>
> I have installed the Events, Events-mail and Botnets plugins, according to
> the directions.
>
> My plugins configuration is at the end of this mail message.
>
> The Plugins web GUI page only shows an "Events" tab (with a single blank
> field and a "filter" button, the page only stating "No events"), but I
> guess this is natural, as the Botnets and Events-mail plugins do not have a
> front-end.
>
> First problem: I am trying to finish the Botnets configuration, so according
> to the plugin README, I need to define an alert with "Conditions based on
> plugin", but this option is unavailable: no plugins are listed and the
> radio button is greyed out. It seems nfsen does not "see" the available
> plugins properly?
>
> Second problem: The botnet rules conversion process is unsuccessful. The
> download link was broken, but I replaced it with the correct one (see
> below). However, the Perl script that processes the file does not seem to be
> working. Unfortunately, I don't know Perl to check what is wrong with it.
>
> When I run it, it does not display any error, but it does not produce
> any output either - only a blank file. Here is the command:
>
> # /data/nfsen/var/scripts/get_botnets_emerging-botcc /data/nfsen/var/tmp/emerging-botcc.rules > /data/nfsen/var/botlist/filterrules
>
> The source file is available from the link:
> http://rules.emergingthreats.net/blockrules/emerging-botcc.rules (NOT
> from http://www.emergingthreats.net/rules/emerging-botcc.rules as stated
> in the plugin README file, and as used in the included botnet.cron shell
> script).
>
> Can you please guide me to overcome the above issues?
>
> Here is the script (as downloaded in the plugin tarball):
>
> -------------------------------- get_botnets_emerging-botcc ------------------------------------
> #!/usr/bin/perl
>
> sub get_version ($) {
>     my ($filename) = @_;
>     return `stat -t $filename | cut -f 13 -d" "`;
> }
>
> $filename = $ARGV[0];
>
> my ($stamp) = get_version($filename);
> chomp($stamp);
>
> # c&c's are timed out one week after the lists age. This means that we
> # don't accept c&c's from a list that is older than a week
> my $expire = $stamp + 86400*7;
>
> open(BOTNETS, "<$filename");
>
> foreach my $line (<BOTNETS>) {
>     next if ($line =~ /^\s*\#.*$/ || $line =~ /^\s*$/); # skip empty and comment lines
>
>     my ($ip_list) = $line=~m/alert ip \$HOME_NET any \-\> \[([^\]]+)\]/;
>     foreach my $ip (split(/,/,$ip_list)) {
>         print join('|',$ip, "", "", "emergingthreads", $stamp, $expire, "")."\n";
>     }
> }
> ------------------------------------------------------------------------------------------------
>
> Regards,
> Nick
>
> Addendum:
> ===================== nfsen.conf plugins sections =====================
>
> @plugins = (
>     # profile    # module
>     # [ '*',     'demoplugin' ],
>     [ "live",    'Events' ],
>     [ "live",    'Events_mail' ],
>     [ "!",       'Botnets' ],
> );
>
> %PluginConf = (
>     # For plugin demoplugin
>     demoplugin => {
>         # scalar
>         param2 => 42,
>         # hash
>         param1 => { 'key' => 'value' },
>     },
>
>     # for plugin otherplugin
>     otherplugin => [
>         # array
>         'mary had a little lamb'
>     ],
>
>     # Events Plugin
>
>     events => {
>         db_connection_string => "DBI:mysql:database=event;host=quadraplex;port=3306",
>         db_user              => "eventdbusr",
>         db_passwd            => "chafF8Ro7wED:",
>     },
>
>     # Events_Mail Plugin
>
>     events_mail => {
>         template_home => "$VARDIR/mail-templates",
>         mails => [
>             {
>                 query => { # send a mail for suspected bots
>                     "Type"     => "[eq]botnet",
>                     "Level"    => "[eq]alarm",
>                     "Notified" => "[null]",
>                 },
>                 to       => ['sysad...@noa.gr'],
>                 subject  => '[Nfsen: botnet] source host: $event{Source} destination host: $event{Destination}',
>                 template => "botnet_iodef.tp",
>                 action => { # Make sure not to report it again before it times out
>                     "Type"       => "[eq]botnet",
>                     "Level"      => "[eq]alarm",
>                     "Notified"   => ["[null]", '[set]#$unix_time#'],
>                     "UpdateTime" => '[set]#$unix_time#',
>                 },
>             },
>         ]
>     },
>
>     # Botnet Plugin
>
>     botnets => {
>         import_cmd => "cat /data/nfsen/var/botlist/filterrules",
>     },
>
> );
> ============================================================================
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

--
Jose Manuel Agudo Cuesta (SI-CPD)
Unidad de Redes - Seguridad
Telf. +34-923-294400 Ext 1398
Fax +34-923-294594
Edificio Facultad de Derecho
Pza. Universidad de Bolonia s/n
37007 SALAMANCA
ESPAÑA (SPAIN)
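The reason the quoted script writes an empty file is that its regex only matches rule headers beginning with "alert ip", while the current emerging-botcc.rules uses "alert tcp"; any further header change would silence it again the same way. Below is an added example in the plugin's own language, not the Botnets plugin's script and not code from either poster, that accepts "alert ip", "alert tcp" and "alert udp" and takes the bracketed address list from either side of the arrow. Handling both rule directions, dropping duplicate addresses, and the constructed sample rules (documentation-range addresses, not real C&C hosts) are assumptions of this example; the output line format and the one-week expiry are taken from the script quoted above. It also reads the list's mtime with Perl's builtin stat instead of shelling out to "stat -t | cut", which is GNU-specific and, with an unquoted filename, passes the argument through the shell.

```perl
#!/usr/bin/perl
# Added example (not the nfsen Botnets plugin's own script): convert
# Emerging Threats botcc rules into the plugin's filterrules lines.
# Assumptions: rules may use ip/tcp/udp and may place the C&C list on
# either side of "->"; duplicates are dropped; the sample is constructed.
use strict;
use warnings;

# Expiry policy from the original script: one week after the list's mtime.
use constant EXPIRE_AFTER => 86400 * 7;

# Return the addresses in one rule's bracketed list, or an empty list for
# comments, blank lines and rules whose header does not carry such a list.
# Only the header "alert <proto> <src> <sport> -> <dst> <dport>" is parsed.
sub rule_addresses {
    my ($line) = @_;
    return () if $line =~ /^\s*#/ || $line =~ /^\s*$/;
    if ($line =~ m{^\s*alert\s+(?:ip|tcp|udp)\s+
                    (?:\$HOME_NET\s+\S+\s+->\s+\[([^\]]+)\]
                      |\[([^\]]+)\]\s+\S+\s+->\s+\$HOME_NET)}x) {
        my $list = defined $1 ? $1 : $2;    # whichever side held the list
        my @ips;
        for my $ip (split /,/, $list) {
            $ip =~ s/^\s+|\s+$//g;          # tolerate "a, b" spacing
            push @ips, $ip if length $ip;
        }
        return @ips;
    }
    return ();
}

# Format one filterrules line exactly as the plugin script does:
# ip|||emergingthreads|<stamp>|<expire>|
sub filter_line {
    my ($ip, $stamp) = @_;
    return join('|', $ip, '', '', 'emergingthreads',
                $stamp, $stamp + EXPIRE_AFTER, '');
}

# Convert a whole rules file (as one string) given the list's mtime.
# An address that appears in both rule directions is emitted once.
sub convert_rules {
    my ($text, $stamp) = @_;
    my (%seen, @out);
    for my $line (split /\n/, $text) {
        for my $ip (rule_addresses($line)) {
            next if $seen{$ip}++;
            push @out, filter_line($ip, $stamp);
        }
    }
    return @out;
}

# Constructed sample in the ET botcc header format (documentation ranges).
my $sample = <<'END';
# Emerging Threats botcc rules (constructed sample, not the real file)
alert tcp $HOME_NET any -> [192.0.2.10,192.0.2.11,198.51.100.5] any (msg:"ET CNC sample group 1 outbound";)
alert tcp [192.0.2.10,203.0.113.7] any -> $HOME_NET any (msg:"ET CNC sample group 1 inbound";)
alert ip $HOME_NET any -> [203.0.113.8] any (msg:"ET CNC sample IP rule";)
END

if (@ARGV) {
    # Real use, same invocation as the plugin script:
    #   perl convert_botcc.pl emerging-botcc.rules > filterrules
    my $file  = $ARGV[0];
    my $stamp = (stat $file)[9];            # mtime via builtin stat, no shell
    defined $stamp or die "cannot stat $file: $!\n";
    open my $fh, '<', $file or die "cannot open $file: $!\n";
    local $/;
    print "$_\n" for convert_rules(scalar <$fh>, $stamp);
} else {
    # No argument: show the conversion of the constructed sample.
    print "$_\n" for convert_rules($sample, 1350000000);
}
```

Run with no argument it prints five lines for the sample (192.0.2.10 appears in both directions and is emitted once); with a rules file path it behaves like the original invocation and writes filterrules lines to stdout. If the plugin should only learn C&C servers from one direction of traffic, drop the alternative you do not want from the regex rather than widening it further.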