--On December 21, 2006 17:18:13 +0100 Chelo Malagon <[EMAIL PROTECTED]> wrote:
| Hello,
| If I am not wrong this problem hasn't anything to do with the nfsen
| version but with the nfdump version. It seems nfdump -1.5.2 changed the
| way the output is shown as you described.
Yes - that's correct. But when you upgrade from an old NfSen version, this also
requires you to update nfdump. So it slipped in.
- Peter
|
| Cheers,
| Chelo
|
|
| James J. Barlow wrote:
|
| > I don't know if anyone else has run into this problem yet, but it caused
| > quite a bit of painful debugging to finally track it down. Also, unless I
| > missed something, I didn't see any notification of this change with the
| > latest release of NfSen.
| >
| > The change I am referring to is the output of an nfdump search. The last few
| > lines of a search used to look something like:
| >
| > Time window: Nov 14 2006 08:37:10 - Jan 03 2007 02:52:23
| > Flows analysed: 112414 matched: 2, Bytes read: 5493581
| > Sys: 0.040s flows/second: 2810350.0 Wall: 0.039s flows/second: 2848375.8
| >
| >
| > We recently upgraded to 1.2.4 and the output now looks something like:
| >
| > Summary: total flows: 2, total bytes: 522, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 174
| > Time window: 2006-12-20 04:00:08 - 2007-02-07 22:07:30
| > Total flows processed: 71529, skipped: 0, Bytes read: 3739042
| > Sys: 0.770s flows/second: 92894.8 Wall: 0.762s flows/second: 93826.2
| >
| >
| > The reason this is a big deal is that all of the nfsen modules that we
| > use were written using the demoplugin.pm as a template. And the demo plugin
| > determines if there are any flows found on a search (which to then send an
| > email alert) by using the second to last line of the nfdump output.
| >
| > Here is the code in the demoplugin:
| >
| > if ( $output[-2] =~ /matched:\s+(\d+)/ ) {
| >
| > However, once the output changed with version 1.2.4, all the plugins no
| > longer worked because it no longer matches the correct expression. So the
| > change that's needed is to modify the above line (in all plugins that have it)
| > to the following:
| >
| > if ( $output[-4] =~ /total flows:\s+(\d+)/ ) {
| >
| > (You'll also want to change the other -2 references to -4 in the modules.)
| >
| > The reason this caused us so much pain was because along with the NfSen upgrade
| > we upgraded perl and many of the modules it uses. Then when after a week or
| > so of realizing that we were not getting any notices, and we started debugging
| > things, we started thinking it was the perl version or modules that were the
| > problem. So to make a long story short we finally tested and wrote quick
| > scripts to test all manner of perl modules, then the NfSen Notification.pm,
| > then finally worked our way back to the plugins themselves and discovered
| > the "simple" fix.
| >
| > So Peter (or any future developers), PLEASE put in a notification somewhere
| > if this ever changes again.
| >
| >
| > P.S. The current demoplugin.pm in the 1.2.4 release still needs to be fixed
| > for the correction above.
| >
| >
| >
| >
|
|
| --
| "One can accept brute force, but brute reason is unbearable."
| Oscar Wilde
|
|
|
| -------------------------------------------------------------------------
| Take Surveys. Earn Cash. Influence the Future of IT
| Join SourceForge.net's Techsay panel and you'll get the chance to share your
| opinions on IT & business topics through brief surveys - and earn cash
| http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
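
A position-independent version of the check discussed in this thread, as an added example that is not from the original posts or the NfSen distribution: it searches the nfdump output for either summary layout quoted above instead of indexing a fixed line, and reports an unrecognised layout rather than treating it as zero matches. The `matched_flows` helper and the `@unknown` sample are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of NfSen): return the flow count reported in
# the nfdump summary, or undef if no summary line in a known layout is found.
sub matched_flows {
    my @output = @_;
    # Search from the end, since the summary trails the flow records.
    for my $line ( reverse @output ) {
        # Older layout: "Flows analysed: 112414 matched: 2, Bytes read: ..."
        return $1 if $line =~ /^Flows analysed:\s+\d+\s+matched:\s+(\d+)/;
        # Newer layout: "Summary: total flows: 2, total bytes: 522, ..."
        return $1 if $line =~ /^Summary:\s+total flows:\s+(\d+)/;
    }
    return;    # layout not recognised
}

# Summary blocks as quoted in the thread above.
my @old_format = (
    'Time window: Nov 14 2006 08:37:10 - Jan 03 2007 02:52:23',
    'Flows analysed: 112414 matched: 2, Bytes read: 5493581',
    'Sys: 0.040s flows/second: 2810350.0 Wall: 0.039s flows/second: 2848375.8',
);
my @new_format = (
    'Summary: total flows: 2, total bytes: 522, total packets: 3, avg bps: 0, avg pps: 0, avg bpp: 174',
    'Time window: 2006-12-20 04:00:08 - 2007-02-07 22:07:30',
    'Total flows processed: 71529, skipped: 0, Bytes read: 3739042',
    'Sys: 0.770s flows/second: 92894.8 Wall: 0.762s flows/second: 93826.2',
);
# Constructed sample: a layout that neither pattern recognises.
my @unknown = ( 'Time window: 2006-12-20 04:00:08 - 2007-02-07 22:07:30', 'Records: 2' );

for my $case ( [ old => \@old_format ], [ new => \@new_format ], [ unknown => \@unknown ] ) {
    my ( $name, $lines ) = @$case;
    my $count = matched_flows(@$lines);
    if ( !defined $count ) {
        # Fail loudly: an unparsable summary must not look like "zero flows",
        # otherwise alerting stops silently after a format change.
        warn "$name: nfdump summary not recognised, alerting may be broken\n";
    }
    elsif ( $count > 0 ) {
        print "$name: $count flows matched, send alert\n";
    }
    else {
        print "$name: no flows matched\n";
    }
}
```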