Hello,

I have problems working with Botnets nfsen plugin. I am running 1.3.6p1 
on Centos 5.8x86_64.

I have installed Events, Events-mail and Botnets plugins, according to 
directions.

My plugins configuration is at the end of this mail message.

The Plugins web GUI page only shows an "Events" tab (with a single blank 
field and a "filter" button, the page only stating "No events"), but I 
guess this is natural, as Botnets and Events-mail plugins do not have a 
front-end.

First problem: I am trying to finish Botnets configuration, so according 
to README plugin, I need to define an alert with "Conditions based on 
plugin", but this option is unavailable: No plugins are listed and the 
radio button is greyed-out. It seems nfsen does not "see" the available 
plugins properly?

Second problem: The botnet rules conversion process is unsuccessful. The 
download link was broken, but I replaced with the correct one (see 
below). However, the file processing Perl script does not seem to be 
working. Unfortunately, I don't know Perl to check what is wrong with it.

When I run it, it does not display any error, but it does not produce 
any output either - only a blank file. Here is the command:

# /data/nfsen/var/scripts/get_botnets_emerging-botcc /data/nfsen/var/tmp/emerging-botcc.rules > /data/nfsen/var/botlist/filterrules

The source file is available from the link: 
http://rules.emergingthreats.net/blockrules/emerging-botcc.rules (NOT 
from http://www.emergingthreats.net/rules/emerging-botcc.rules as stated 
in the plugin README file, and as used in the included botnet.cron shell 
script).

Can you please guide me to overcome the above issues?

Here is the script (as downloaded in plugin tarball):

-------------------------------- get_botnets_emerging-botcc ------------------------------------
#!/usr/bin/perl
use strict;
use warnings;

# Modification time of the rules file, used as the age stamp of the list.
# Perl's built-in stat replaces the original `stat -t ... | cut -f 13 -d" "`
# shell pipeline (field 13 is the mtime): no shell is involved, and a missing
# or unreadable file dies instead of silently yielding an empty stamp.
sub get_version {
         my ($filename) = @_;
         my @st = stat($filename) or die "stat $filename: $!\n";
         return $st[9];
}

my $filename = $ARGV[0];
defined $filename or die "usage: $0 emerging-botcc.rules > filterrules\n";

my $stamp = get_version($filename);

# c&c's are timed out one week after the list's age. This means that we
# don't accept c&c's from a list that is older than a week
my $expire = $stamp + 86400*7;

open(BOTNETS, "<", $filename) or die "open $filename: $!\n";

foreach my $line (<BOTNETS>) {
         next if ($line =~ /^\s*\#.*$/ || $line =~ /^\s*$/); # skip empty and comment lines

         # pull the bracketed C&C address list out of rules of the form
         #   alert ip $HOME_NET any -> [ip,ip,...] ...
         my ($ip_list) = $line =~ m/alert ip \$HOME_NET any \-\> \[([^\]]+)\]/;
         next unless defined $ip_list;   # rule lines in any other shape are ignored
         foreach my $ip (split(/,/,$ip_list)) {
                  print join('|',$ip, "", "", "emergingthreads", $stamp, $expire, "")."\n";
         }
}
close(BOTNETS);
------------------------------------------------------------------------------------------------

Regards,
Nick

Addendum:
===================== nfsen.conf plugins sections =====================

@plugins = (
    # profile    # module
    # [ '*', 'demoplugin' ],
    [ "live",  'Events' ],
    [ "live",  'Events_mail' ],
    [ "!",     'Botnets' ],
);

%PluginConf = (
    # For plugin demoplugin
    demoplugin => {
        # scalar
        param2 => 42,
        # hash
        param1 => { 'key' => 'value' },
    },

    # for plugin otherplugin
    otherplugin => [
        # array
        'mary had a little lamb'
    ],

    # Events Plugin
    events => {
        db_connection_string => "DBI:mysql:database=event;host=quadraplex;port=3306",
        db_user   => "eventdbusr",
        db_passwd => "chafF8Ro7wED:",
    },

    # Events_Mail Plugin
    events_mail => {
        template_home => "$VARDIR/mail-templates",
        mails => [
            {
                query => { # send a mail for suspected bots
                    "Type"     => "[eq]botnet",
                    "Level"    => "[eq]alarm",
                    "Notified" => "[null]",
                },
                to       => ['sysad...@noa.gr'],
                subject  => '[Nfsen: botnet] source host: $event{Source} destination host: $event{Destination}',
                template => "botnet_iodef.tp",
                action => { # Make sure not to report it again before it times out
                    "Type"       => "[eq]botnet",
                    "Level"      => "[eq]alarm",
                    "Notified"   => ["[null]",'[set]#$unix_time#'],
                    "UpdateTime" => '[set]#$unix_time#',
                },
            },
        ]
    },

    # Botnet Plugin
    botnets => {
        import_cmd => "cat /data/nfsen/var/botlist/filterrules",
    },

);
============================================================================

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
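A stand-alone converter for the rules file, added here as an example; it is not part of the nfsen Botnets plugin and not the poster's script. It pulls the bracketed address list out of ET rule lines whichever side of the "->" it sits on and for ip/tcp/udp rules, de-duplicates the entries, writes the same seven pipe-separated fields the posted Perl script prints (including its "emergingthreads" source tag), and, when nothing is extracted, reports how many rule lines it saw and the first ones that did not match instead of leaving a blank filter file. The rule lines embedded in it are constructed samples, not a real download. It is Python rather than Perl only because import_cmd just cats the result, so the converter's language does not matter to nfsen.

```python
#!/usr/bin/env python
"""Rebuild /data/nfsen/var/botlist/filterrules from an ET botcc rules file.

Added example, not part of the nfsen Botnets plugin or the posted script.
Usage: get_botcc.py /data/nfsen/var/tmp/emerging-botcc.rules > filterrules
With no argument it converts the constructed SAMPLE_RULES below."""
import os
import re
import sys
import time

ONE_WEEK = 7 * 86400   # C&C entries expire a week after the list's age

# Constructed sample shaped like ET botcc rules (not a real download):
# an outbound rule with the C&C list on the destination side, an inbound
# rule with the list on the source side, and a rule without any list.
SAMPLE_RULES = """\
# Emerging Threats botcc rules (constructed sample)
alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11,198.51.100.0/24] any (msg:"ET CNC Sample group 1"; sid:2404000; rev:1;)
alert ip [203.0.113.5,192.0.2.10] any -> $HOME_NET any (msg:"ET CNC Sample group 2"; sid:2404001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"no address list"; sid:9999999; rev:1;)
"""

# The bracketed address list may sit on either side of the arrow; accept
# ip/tcp/udp so a protocol change in the feed does not silently empty the output.
RULE_RE = re.compile(
    r'^\s*alert\s+(?:ip|tcp|udp)\s+'
    r'(?:\$HOME_NET\s+\S+\s*->\s*\[(?P<dst>[^\]]+)\]'
    r'|\[(?P<src>[^\]]+)\]\s+\S+\s*->\s*\$HOME_NET)')


def parse_rules(text):
    """Return (ips, stats): ips is the de-duplicated address list in file
    order; stats counts rule lines seen/matched and keeps unmatched ones."""
    seen = set()
    ips = []
    stats = {"rules": 0, "matched": 0, "unmatched": []}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # skip empty and comment lines
        stats["rules"] += 1
        m = RULE_RE.match(line)
        if m is None:
            stats["unmatched"].append(line[:80])
            continue
        stats["matched"] += 1
        for ip in (m.group("dst") or m.group("src")).split(","):
            ip = ip.strip()
            if ip and ip not in seen:
                seen.add(ip)
                ips.append(ip)
    return ips, stats


def format_entries(ips, stamp, source="emergingthreads"):
    """One 'ip|||source|stamp|expire|' line per address: the same seven
    pipe-separated fields, with the same source spelling, that the posted
    Perl script prints, so the file drops into import_cmd unchanged."""
    expire = stamp + ONE_WEEK
    return ["|".join([ip, "", "", source, str(stamp), str(expire), ""])
            for ip in ips]


def convert_file(path):
    """Convert a rules file; on an empty result explain why on stderr
    instead of writing a blank filter file."""
    fh = open(path)
    text = fh.read()
    fh.close()
    stamp = int(os.stat(path).st_mtime)   # list age = file mtime, as in the script
    ips, stats = parse_rules(text)
    if not ips:
        sys.stderr.write("%s: %d rule lines, %d matched, nothing extracted\n"
                         % (path, stats["rules"], stats["matched"]))
        for bad in stats["unmatched"][:3]:
            sys.stderr.write("  unmatched: %s\n" % bad)
        sys.exit(1)
    return format_entries(ips, stamp)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        out = convert_file(sys.argv[1])
    else:
        out = format_entries(parse_rules(SAMPLE_RULES)[0], int(time.time()))
    print("\n".join(out))
```

Run it against the downloaded file in place of the Perl script in botnet.cron; if it exits non-zero, the stderr lines show the shape of the rules that did not match, which is the first thing to compare against the regular expression when the feed format changes.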
