Hi James,
Yes - you're right. That changed to make more information available to the user.
I did not think of that. I'm sorry for the inconvenience this caused to anyone.
I will update the demoplugin to meet this change.
Again I'm sorry.
- Peter
--On December 20, 2006 11:35:07 -0600 "James J. Barlow" <[EMAIL PROTECTED]> wrote:
| I don't know if anyone else has run into this problem yet, but it caused
| quite a bit of painful debugging to finally track it down. Also, unless I
| missed something, I didn't see any notification of this change with the
| latest release of NfSen.
|
| The change I am referring to is the output of an nfdump search. The last few
| lines of a search used to look something like:
|
| Time window: Nov 14 2006 08:37:10 - Jan 03 2007 02:52:23
| Flows analysed: 112414 matched: 2, Bytes read: 5493581
| Sys: 0.040s flows/second: 2810350.0 Wall: 0.039s flows/second: 2848375.8
|
|
| We recently upgraded to 1.2.4 and the output now looks something like:
|
| Summary: total flows: 2, total bytes: 522, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 174
| Time window: 2006-12-20 04:00:08 - 2007-02-07 22:07:30
| Total flows processed: 71529, skipped: 0, Bytes read: 3739042
| Sys: 0.770s flows/second: 92894.8 Wall: 0.762s flows/second: 93826.2
|
|
| The reason this is a big deal is that all of the nfsen modules that we
| use were written using the demoplugin.pm as a template. And the demo plugin
| determines if there are any flows found on a search (which to then send an
| email alert) by using the second to last line of the nfdump output.
|
| Here is the code in the demoplugin:
|
| if ( $output[-2] =~ /matched:\s+(\d+)/ ) {
|
| However, once the output changed with version 1.2.4, all the plugins no
| longer worked because it no longer matches the correct expression. So the
| change that's needed is to modify the above line (in all plugins that have it)
| to the following:
|
| if ( $output[-4] =~ /total flows:\s+(\d+)/ ) {
|
| (You'll also want to change the other -2 references to -4 in the modules.)
|
| The reason this caused us so much pain was because along with the NfSen upgrade
| we upgraded perl and many of the modules it uses. Then when after a week or
| so of realizing that we were not getting any notices, and we started debugging
| things, we started thinking it was the perl version or modules that were the
| problem. So to make a long story short we finally tested and wrote quick
| scripts to test all manner of perl modules, then the NfSen Notification.pm,
| then finally worked our way back to the plugins themselves and discovered
| the "simple" fix.
|
| So Peter (or any future developers), PLEASE put in a notification somewhere
| if this ever changes again.
|
|
| P.S. The current demoplugin.pm in the 1.2.4 release still needs to be fixed
| for the correction above.
|
|
| --
| James J. Barlow <[EMAIL PROTECTED]>
| Head of Security Operations and Incident Response
| National Center for Supercomputing Applications Voice : (217)244-6403
| 1205 West Clark Street, Urbana, IL 61801 Cell : (217)840-0601
| http://www.ncsa.uiuc.edu/~jbarlow Fax : (217)244-1987
|
| -------------------------------------------------------------------------
| Take Surveys. Earn Cash. Influence the Future of IT
| Join SourceForge.net's Techsay panel and you'll get the chance to share your
| opinions on IT & business topics through brief surveys - and earn cash
| http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
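
The failure described in this thread, as an added example that is not part of the original messages or of NfSen's demoplugin.pm: instead of indexing a fixed line such as `$output[-2]`, the hypothetical helper `parse_flow_count` searches the nfdump statistics for either summary format quoted above and returns undef when neither is found, so a format change produces a warning rather than silently suppressing alerts. The first two sample outputs are copied from the thread; the third is constructed.

```perl
#!/usr/bin/perl
# Added example, not NfSen or demoplugin code.
# parse_flow_count() is a hypothetical helper name.
use strict;
use warnings;

# Return the matched-flow count from nfdump's trailing statistics,
# or undef when no known summary line is present.
sub parse_flow_count {
    my @output = @_;
    # Search from the end: the statistics block is printed last.
    for my $line ( reverse @output ) {
        # Format seen after the upgrade to 1.2.4
        return $1 if $line =~ /^\s*Summary:\s+total flows:\s+(\d+)/;
        # Older format
        return $1 if $line =~ /^\s*Flows analysed:\s+\d+\s+matched:\s+(\d+)/;
    }
    return;    # no recognised summary line
}

# Sample nfdump statistics (old and new copied from the thread, unknown constructed)
my @old = (
    "Time window: Nov 14 2006 08:37:10 - Jan 03 2007 02:52:23\n",
    "Flows analysed: 112414 matched: 2, Bytes read: 5493581\n",
    "Sys: 0.040s flows/second: 2810350.0 Wall: 0.039s flows/second: 2848375.8\n",
);
my @new = (
    "Summary: total flows: 2, total bytes: 522, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 174\n",
    "Time window: 2006-12-20 04:00:08 - 2007-02-07 22:07:30\n",
    "Total flows processed: 71529, skipped: 0, Bytes read: 3739042\n",
    "Sys: 0.770s flows/second: 92894.8 Wall: 0.762s flows/second: 93826.2\n",
);
my @unknown = ( "Some future statistics layout\n" );

for my $case ( [ old => \@old ], [ new => \@new ], [ unknown => \@unknown ] ) {
    my ( $name, $lines ) = @$case;
    my $count = parse_flow_count(@$lines);
    if ( !defined $count ) {
        # Fail loudly: an unparsed summary must not be treated as "0 flows".
        warn "$name: nfdump summary not recognised, alerting is blind\n";
    }
    elsif ( $count > 0 ) {
        print "$name: $count matching flows, send alert\n";
    }
    else {
        print "$name: no matching flows\n";
    }
}
```

In a plugin, the undef branch is the place to notify the operator, since that is the condition that went unnoticed for a week in the report above.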