I'm getting the following errors in my logs:
apache2/error.log:
[Tue May 06 16:10:21 2008] [error] suexec policy violation: see suexec log for more details, referer: http://ipaudit1/~ipaudit/index.html
[Tue May 06 16:10:21 2008] [error] Premature end of script headers: ipahttp, referer: http://ipaudit1/~ipaudit/index.html
apache2/suexec.log:
[2008-05-06 16:10:21]: uid: (1001/ipaudit) gid: (1001/1001) cmd: ipahttp
[2008-05-06 16:10:21]: target uid/gid (1001/1001) mismatch with directory (1001/100) or program (1001/100)
I have tried many things but am more than willing to listen to any advice.
Some other info:
OS: Ubuntu Server 8.04
ipaudit version 1.0BETA2 (compiled Jan 16 2005)
libpcap version 0.7.2
ipaudit-web.conf:
<blockquote>#
# Configuration file for Ipaudit-Web
#
# Make changes according to numbered comments below. Make sure
# that there are NO SPACES on either side of the equals sign (=)
#
# This config file is read by the following files
# ~/cron/cron30min
# ~/cron/crondaily
# ~/cron/cronweekly
# ~/cron/cronclean
# ~/reports/30min/0traffic/runcron
# ~/reports/30min/graphic/runcron
# ~/reports/daily/server/runcron
# ~/reports/daily/server/runcron
# ~/reports/daily/traffic/runcron
# ~/reports/weekly/traffic/runcron
# ~/reports/monthly/traffic/runcron
# ~/reports/30min/0traffic/MakeReport30
# ~/ipaudit_config.pm
#
# --------------------------------
# REQUIRED CHANGES
# --------------------------------
#
#
# (1) What is your network? Put something like
# "137.99" or "24.50.17"
#
# With multiple networks, use something like
# "204.253.208.0/21:206.66.128.0/21:206.136.16.0/20"
#
# DO NOT use the default. For more information
# see ipaudit man pages. Also see 'OTHERRANGE' below.
# (try 'man ipaudit' or 'man -Mman ipaudit')
#
LOCALRANGE=130.184/192.168
#
#
# (2) This is the interface whose traffic you
# wish to monitor. The default below is 'eth0'.
# You can monitor multiple interfaces using something
# like 'eth0:eth1:eth3'
#
#
# Ethernet interface to watch (cron30min)
#
INTERFACE=eth1
#
#
# (3) We need to know where to find these utilities
# gzip
# zcat
# zgrep
# gnuplot
# if unsure, try running the command 'which gzip', etc
# to find out.
#
#
# These next five are edited automagically by configure.
AWK=/usr/bin/mawk
GZIP=/bin/gzip
ZCAT=/bin/zcat
ZGREP=/bin/zgrep
GNUPLOT="nice -19 /usr/bin/gnuplot"
#
#
# (4) Location of ipaudit cgi-bin directory as expressed
# in URL. Default is '/cgi-bin/ipaudit'.
#
# CGI directory as encoded within web page (MakeReportDaily)
#
CGI_BIN=/~ipaudit/cgi-bin
#
#
# (5) Where is the ipaudit-web home directory? This is primarily
# referenced by the CGI scripts via ipaudit_config.pm.
#
# This is also automagically generated by configure.
IP_DIR=/home/ipaudit
#
# --------------------------------
# OPTIONAL CHANGES
# --------------------------------
#
# (6) (optional) The default "500000,100000" is probably ok.
# For more info, see 'man ipaudit' for the -L option.
#
# Maximum number of packets recorded in time interval
# Helps prevent oversized dump files and memory overflow
# at risk of incomplete data gathering.
#
HostPortLimit="500000,100000"
#
# When using 'HostPortLimit' the following ip addresses are
# used as stand-ins for local/remote addresses when the hostport
# limit is reached. In the following example, the replacement
# local and remote addresses are 137.99.0.0 and 0.0.0.1
# For your installation, use a pair of addresses that will
# be classified as local and remote according to your LOCALRANGE
# and optional OTHERRANGE.
#
# overflowip=137.99.0.0,0.0.0.1
#
# (7) (optional) Do you want to save raw packets?
#
# By default no raw packets are saved. If you set
# SAVEFILE=default.raw
# then the first PacketLen bytes (see PacketLen below)
# of each packet will be stored in the raw/30min/
# directory in file names like 2001-11-29-13:30.raw.gz
#
# You can save only certain protocol/ports with the
# option saveport. See 'man ipaudit' -p option for
# details of the format. Below are a few examples.
#
# Example: to save all packets
# SAVEFILE=default.raw
# Example: to save telnet, ftp (tcp protocol=6, ports=21,23)
# SAVEFILE=default.raw
# saveport=6,21,23
# Example: to save ICMP and telnet, ftp
# SAVEFILE=1:6,21,23
#
# NOTE - SAVEFILE _must_ be all uppercase
#
#
# (8) (optional) File ages - controls how long data
# files hang around until they are erased.
# Defaults are built into ~/cron/cronclean and
# are 7, 30 and 60 days, the same as in the comment lines
#
# RAW_DAY - how many days for raw packet data files
# DATA_DAY - how many days for ipaudit summary data
# HTML_DAY - how many days for html reports
#
RAW_DAY=7
DATA_DAY=10
HTML_DAY=180
#
# (9) (optional) Graph Limits - sets maximum Y value
# for graphs
#
#YMAX_TRAFFIC=
#YMAX_LOCAL=15000
#YMAX_REMOTE=150000
#YMAX_REMOTE=60000
#
# These probably don't need changing (?). Consult
# 'man ipaudit' for more information on these options.
#
PidFile=run/ipaudit.pid
WriteTime=yes
IcmpType=yes
PacketLen=128
WritePacketLimit=500000
#
# When tabulating the Daily Traffic report - in particular
# the host and host-pair total byte counts - the limits below
# specify the minimum number of incoming + outgoing bytes
# that each host or host-pair must have.
#
# When tabulating the Daily Remote Host Traffic report it can
# require excessive amounts of memory (in other words, your
# system's memory might be exceeded) to store *every* remote
# host. The same applies to the Daily Host Pair report when
# storing *every* host pair. Since the report only prints the
# Top N hosts, it does not need to know every host, only those
# hosts most likely to make the Top N hosts. To address this
# problem, a maximum of 100,000 remote hosts (and host-pairs)
# are kept in memory at one time. When this limit is exceeded
# the oldest hosts (and host-pairs) are discarded unless their
# total traffic exceeds the minimums set below.
#
# You can probably leave these limits alone.
#
DAILY_TRAFFIC_REMOTEHOST_MIN=1024
DAILY_TRAFFIC_HOSTPAIR_MIN=1024
#
# Set the maximum number of local hosts, remote hosts and host pairs
# kept for the 30min Traffic report. This helps prevent excessive memory
# usage if there are an excessive number of hosts or host pairs.
MAX_REMOTE_HOST_CNT=500000
MAX_LOCAL_HOST_CNT=100000
MAX_HOST_PAIR_CNT=1000000
#
# Do you have a range of IP addresses which you want to treat as
# neither local nor remote? Configure that address range here
# as 'other' addresses. When assigning IP addresses to a
# range the 'local' network range takes precedence, then the
# 'other' network range. Addresses which match neither are
# assigned 'remote'. The following value sets all multicast
# traffic as 'other'.
OTHERRANGE=224.0.0.0/8</blockquote>
I don't think this is related to the errors with suexec, but your local networks statement in your config looks off to me. You have:
LOCALRANGE=130.184/192.168
But I think it should be:
LOCALRANGE=130.184.0.0/16:/192.168.0.0/16
As for the suexec error, I'd suspect a permissions issue with the account attempting to execute scripts in /home/ipaudit.
Whoops. I have an extra slash in there. Meant to type:
LOCALRANGE=130.184.0.0/16:192.168.0.0/16
Well, I deleted the ipaudit user, uninstalled ipaudit and removed all the files and started over from scratch. I'm not sure what I did differently this time, but it's working now.
Thanks for the info on the range Jason.
Type the following command:
sudo chmod 777 /home/ipaudit/ -R
bye!
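As an added example (not from any poster in this thread), a shell check that applies the ownership and mode rules suexec enforces (as in Apache 2.2) to a CGI program and its directory, which is what produced the "target uid/gid (1001/1001) mismatch with directory (1001/100) or program (1001/100)" line in the suexec.log above. It assumes GNU or busybox stat(1) with -c and a POSIX id(1); the user name and program path are arguments, nothing from the thread is hard-coded.

```shell
#!/bin/sh
# suexec_check: apply the ownership and mode rules that suexec (Apache 2.2)
# enforces before it will run a CGI program as the target user, so that a
# "target uid/gid mismatch with directory or program" entry in suexec.log
# can be traced to the exact file. Assumes GNU or busybox stat(1) (-c) and
# POSIX id(1). Added example; not part of ipaudit-web.
# Usage: suexec_check <target_user> <path_to_cgi_program>
# Prints every failing rule; returns 0 only when all rules pass.
suexec_check() {
    user=$1 prog=$2
    dir=$(dirname "$prog")
    want_uid=$(id -u "$user") || return 2
    want_gid=$(id -g "$user") || return 2
    rc=0
    for f in "$dir" "$prog"; do
        info=$(stat -c '%u %g %a' "$f") || return 2
        set -- $info                  # $1=uid $2=gid $3=octal mode text
        perm=$(( 0$3 ))               # leading 0 makes sh parse %a as octal
        # suexec requires the target user/group to own both directory and program
        if [ "$1" != "$want_uid" ] || [ "$2" != "$want_gid" ]; then
            echo "FAIL $f: owned by $1/$2, but suexec target $user is $want_uid/$want_gid"
            rc=1
        fi
        # ... and it rejects anything writable by group or others (so 777 fails too)
        if [ $(( perm & 022 )) -ne 0 ]; then
            echo "FAIL $f: writable by group or others (mode $3)"
            rc=1
        fi
    done
    # the program itself must not carry the setuid or setgid bit
    if [ $(( perm & 06000 )) -ne 0 ]; then
        echo "FAIL $prog: setuid or setgid bit set (mode $3)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $prog: passes suexec ownership and mode checks"
    return "$rc"
}
```

For the mismatch logged in this thread (target 1001/1001, directory and program 1001/100) the group of the CGI directory and the programs in it has to become the ipaudit user's primary group, for example with chgrp; a blanket chmod 777 leaves the gid mismatch in place and adds a writability violation on top.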
Hi,
This is Prahallad. I installed IPAudit a couple of days back. When I browse to the IP Audit page, I get this message:
Please guide me.
OS: ClearOS Enterprise and CentOS 5.7, with ipaudit-web-1.0BETA9
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Apache/2.2.3 (ClearOS) Server at 192.168.149.133 Port 80
Anonymous - 2012-10-04
Hi,
I had the same problem when I limited access to the web reports (IPAudit Guide, Step 20 and following; URL: http://www.ahrenstorff.us/articles/ipaudit.html).
I deleted .htaccess and passwd and later limited access to the whole web directory instead (found by looking in Google, ;-D).