I don't know if anyone else has run into this problem yet, but it caused
quite a bit of painful debugging to finally track it down.  Also, unless I
missed something, I didn't see any notification of this change with the
latest release of NfSen.

The change I am referring to is the output of an nfdump search.  The last few
lines of a search used to look something like:

Time window: Nov 14 2006 08:37:10 - Jan 03 2007 02:52:23
Flows analysed: 112414 matched: 2, Bytes read: 5493581
Sys: 0.040s flows/second: 2810350.0  Wall: 0.039s flows/second: 2848375.8


We recently upgraded to 1.2.4 and the output now looks something like:

Summary: total flows: 2, total bytes: 522, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 174
Time window: 2006-12-20 04:00:08 - 2007-02-07 22:07:30
Total flows processed: 71529, skipped: 0, Bytes read: 3739042
Sys: 0.770s flows/second: 92894.8    Wall: 0.762s flows/second: 93826.2


The reason this is a big deal is that all of the nfsen modules that we
use were written using the demoplugin.pm as a template.  And the demo plugin
determines whether any flows were found by a search (and, if so, sends an
email alert) by using the second-to-last line of the nfdump output.

Here is the code in the demoplugin:

     if ( $output[-2] =~ /matched:\s+(\d+)/ ) {

However, once the output changed with version 1.2.4, all the plugins no
longer worked because that line no longer matched the expression.  So the
change that's needed is to modify the above line (in all plugins that have it)
to the following:

     if ( $output[-4] =~ /total flows:\s+(\d+)/ ) {

(You'll also want to change the other -2 references to -4 in the modules.)
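As an added illustration (this is not code from the post or from NfSen's demoplugin.pm), the following Perl snippet shows a way of reading the flow count that does not depend on a fixed line offset: it scans the nfdump output from the end and accepts either the old "matched:" line or the new "total flows:" line, and it reports explicitly when neither is found instead of silently treating that as zero flows. The function name `matched_flows` is an assumption, and the two sample outputs are constructed from the snippets quoted above.

```perl
#!/usr/bin/perl
# Added example, not NfSen's demoplugin.pm: locate the matched/total flow
# count in nfdump summary output without relying on $output[-2] or $output[-4].
use strict;
use warnings;

# Returns the number of matched flows, or undef if no summary line is present.
# Handles both the pre-1.2.4 "matched: N" line and the 1.2.4 "total flows: N" line.
sub matched_flows {
    my (@output) = @_;
    # The summary sits among the last few lines, so scan from the end.
    for my $line ( reverse @output ) {
        return $1 if $line =~ /\bmatched:\s+(\d+)/;
        return $1 if $line =~ /\btotal flows:\s+(\d+)/;
    }
    return;    # undef: caller must not treat this as "zero flows"
}

# Constructed sample outputs, modelled on the two formats quoted in the post.
my @old_format = (
    "Time window: Nov 14 2006 08:37:10 - Jan 03 2007 02:52:23",
    "Flows analysed: 112414 matched: 2, Bytes read: 5493581",
    "Sys: 0.040s flows/second: 2810350.0  Wall: 0.039s flows/second: 2848375.8",
);
my @new_format = (
    "Summary: total flows: 2, total bytes: 522, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 174",
    "Time window: 2006-12-20 04:00:08 - 2007-02-07 22:07:30",
    "Total flows processed: 71529, skipped: 0, Bytes read: 3739042",
    "Sys: 0.770s flows/second: 92894.8    Wall: 0.762s flows/second: 93826.2",
);
# Output with no summary at all, e.g. nfdump failed before printing one.
my @no_summary = ( "nfdump: some error message (constructed)" );

for my $case ( [ 'pre-1.2.4', \@old_format ],
               [ '1.2.4',     \@new_format ],
               [ 'error',     \@no_summary ] ) {
    my ( $label, $lines ) = @$case;
    my $n = matched_flows(@$lines);
    if ( !defined $n ) {
        print "$label: no summary line found, cannot decide on alerting\n";
    } elsif ( $n > 0 ) {
        print "$label: $n flow(s) matched, would send alert\n";
    } else {
        print "$label: no flows matched\n";
    }
}
```

Matching on the line's content rather than its position means the plugin keeps working if the number of trailing summary lines changes again, and logging the "no summary line found" case makes a broken nfdump invocation visible immediately rather than after a week of missing notices.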

The reason this caused us so much pain was that along with the NfSen upgrade
we upgraded perl and many of the modules it uses.  Then, after a week or
so of realizing that we were not getting any notices, we started debugging
things and started thinking it was the perl version or modules that were the
problem.  So, to make a long story short, we finally tested and wrote quick
scripts to test all manner of perl modules, then the NfSen Notification.pm,
then finally worked our way back to the plugins themselves and discovered
the "simple" fix.

So Peter (or any future developers), PLEASE put in a notification somewhere
if this ever changes again.


P.S. The current demoplugin.pm in the 1.2.4 release still needs to be fixed
     for the correction above.


-- 
James J. Barlow   <[EMAIL PROTECTED]>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications    Voice : (217)244-6403
1205 West Clark Street, Urbana, IL  61801           Cell : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
