|
From: Donnelly, M. (OFT) <Mic...@ci...> - 2009-07-30 18:37:32
|
Running with debug flags turned on in nfsend I see the following errors from the Events.pm:

Use of uninitialized value in concatenation (.) or string at /usr/local/nfsen/plugins/Events.pm line 182, <STDIN> line 5.
Use of uninitialized value in concatenation (.) or string at /usr/local/nfsen/plugins/Events.pm line 182, <STDIN> line 5.
Use of uninitialized value in numeric eq (==) at /usr/local/nfsen/plugins/Events.pm line 195, <STDIN> line 5.
Use of uninitialized value in string gt at /usr/local/nfsen/plugins/Events.pm line 539, <STDIN> line 5.
Use of uninitialized value in string eq at /usr/local/nfsen/plugins/Events.pm line 555, <STDIN> line 5.
Use of uninitialized value in string eq at /usr/local/nfsen/plugins/Events.pm line 555, <STDIN> line 5.
Use of uninitialized value in string eq at /usr/local/nfsen/plugins/Events.pm line 555, <STDIN> line 5.
Use of uninitialized value in string eq at /usr/local/nfsen/plugins/Events.pm line 555, <STDIN> line 5.
Use of uninitialized value in string eq at /usr/local/nfsen/plugins/Events.pm line 555, <STDIN> line 5.
Use of uninitialized value in numeric eq (==) at /usr/local/nfsen/plugins/Events.pm line 195, <STDIN> line 5.

From: Donnelly, Michael (OFT)
Sent: Thursday, July 30, 2009 1:34 PM
To: Donnelly, Michael (OFT); nfs...@li...
Subject: RE: [Nfsen-plugins-discuss] Botnets 0.3 and Events 0.3 .. How do I test them?

Still looking to test this .. Shouldn't outbound traffic towards a host listed in the botnets filter trigger the plugin and an attempt to update the database? In my case I walk the botnet list and feed the addresses into wget. That doesn't trigger an alert. A little guidance would be very welcome.

From: Donnelly, Michael (OFT) [mailto:Mic...@ci...]
Sent: Tuesday, July 07, 2009 12:09 PM
To: nfs...@li...
Subject: [Nfsen-plugins-discuss] Botnets 0.3 and Events 0.3 .. How do I test them?

I've installed the Botnets and Events plugins as per the documentation .. I have the definition files downloading via cron.. Now how do I go about testing the botnets plugins? The events DB events table is empty at the moment.. I have

Thanks .. MikeD

________________________________
This e-mail, including any attachments, may be confidential, privileged or otherwise legally protected. It is intended only for the addressee. If you received this e-mail in error or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately by reply e-mail and delete the e-mail from your system. |
|
From: Donnelly, M. (OFT) <Mic...@ci...> - 2009-07-30 17:49:08
|
Still looking to test this .. Shouldn't outbound traffic towards a host listed in the botnets filter trigger the plugin and an attempt to update the database? In my case I walk the botnet list and feed the addresses into wget. That doesn't trigger an alert. A little guidance would be very welcome.

From: Donnelly, Michael (OFT) [mailto:Mic...@ci...]
Sent: Tuesday, July 07, 2009 12:09 PM
To: nfs...@li...
Subject: [Nfsen-plugins-discuss] Botnets 0.3 and Events 0.3 .. How do I test them?

I've installed the Botnets and Events plugins as per the documentation .. I have the definition files downloading via cron.. Now how do I go about testing the botnets plugins? The events DB events table is empty at the moment.. I have

Thanks .. MikeD |
|
From: Donnelly, M. (OFT) <Mic...@ci...> - 2009-07-07 16:09:30
|
I've installed the Botnets and Events plugins as per the documentation .. I have the definition files downloading via cron.. Now how do I go about testing the botnets plugins? The events DB events table is empty at the moment.. I have

Thanks .. MikeD |
|
From: Werner S. <Wer...@su...> - 2008-11-18 16:45:45
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I updated the botnet plugin with the bugfixes from Nicolas Macia. I tagged this version as 0.3, which is available for download.

I also updated the events plugin. Rauno Tuul pointed out a serious performance problem due to some badly formed sql queries. Rauno proposed a solution which I included with some slight adaptations. I also included an option to periodically delete events from the database. An example of the needed configuration for this is included in the README file. I tagged this version as 0.3, which is also available for download. If you decide to upgrade, be sure to read the UPGRADE file, which includes instructions for adding an extra index to the events database, which has a serious impact on the performance of the database.

Thanks go out to Nicolas Macia (botnet bugfixes), Rauno Tuul (for fixing the events plugin performance issue) and Jose Manuel Agudo Cuesta (for pointing out an extra dependency for the events plugin).

Regards,
Werner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkki8ScACgkQ3ULkMS4OADn9fACgjq7Fb14GfRHbLTKIda1Sdwv7
rtcAoIQy2j+ZQ7plrzbsWmUNm3IRzbAm
=aBpz
-----END PGP SIGNATURE----- |
|
From: Jake Z. <jak...@ci...> - 2008-10-21 19:50:24
|
Never mind...found it in archives...

The fix is easy, add "$NFDUMP/minilzo.o" to the NFDUMP_OBJ definition in the do_compile file:

On 21-Oct-08, at 3:39 PM, Jake Zack wrote:

> monitor# ./do_compile
> + NFDUMP=../../../nfdump-1.5.7
> + RRDINCLUDE=/usr/local/include
> + LIBRRD=/usr/local/lib
> + NFDUMP_OBJ=../../../nfdump-1.5.7/util.o ../../../nfdump-1.5.7/nftree.o ../../../nfdump-1.5.7/grammar.o ../../../nfdump-1.5.7/scanner.o ../../../nfdump-1.5.7/nffile.o ../../../nfdump-1.5.7/flist.o ../../../nfdump-1.5.7/nf_common.o ../../../nfdump-1.5.7/panonymizer.o ../../../nfdump-1.5.7/rijndael.o ../../../nfdump-1.5.7/ipconv.o
> + [ -f ../../../nfdump-1.5.7/fts_compat.o ]
> + INCLUDES=-I ../../../nfdump-1.5.7 -I/usr/local/include
> + CC=gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2
> + gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -c -I ../../../nfdump-1.5.7 -I/usr/local/include nftrack.c
> + gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -c -I ../../../nfdump-1.5.7 -I/usr/local/include nftrack_rrd.c
> + gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -c -I ../../../nfdump-1.5.7 -I/usr/local/include nftrack_stat.c
> + gcc -o nftrack nftrack.o nftrack_rrd.o nftrack_stat.o ../../../nfdump-1.5.7/util.o ../../../nfdump-1.5.7/nftree.o ../../../nfdump-1.5.7/grammar.o ../../../nfdump-1.5.7/scanner.o ../../../nfdump-1.5.7/nffile.o ../../../nfdump-1.5.7/flist.o ../../../nfdump-1.5.7/nf_common.o ../../../nfdump-1.5.7/panonymizer.o ../../../nfdump-1.5.7/rijndael.o ../../../nfdump-1.5.7/ipconv.o -L/usr/local/lib -lrrd -L/usr/X11R6/lib -L/usr/local/lib
> ../../../nfdump-1.5.7/nffile.o(.text+0x1ce): In function `LZO_initialize':
> /usr/local/newstuff/nfdump-1.5.7/nffile.c:163: undefined reference to `__lzo_init_v2'
> ../../../nfdump-1.5.7/nffile.o(.text+0xbee): In function `ReadBlock':
> /usr/local/newstuff/nfdump-1.5.7/nffile.c:533: undefined reference to `lzo1x_decompress'
> ../../../nfdump-1.5.7/nffile.o(.text+0xc1b):/usr/local/newstuff/nfdump-1.5.7/nffile.c:592: undefined reference to `lzo1x_decompress'
> ../../../nfdump-1.5.7/nffile.o(.text+0xcba): In function `WriteBlock':
> /usr/local/newstuff/nfdump-1.5.7/nffile.c:628: undefined reference to `lzo1x_1_compress'
>
> nfsen and nfdump are both compiled and working...it's just this plugin that won't compile.
>
> This is FreeBSD 6.3.
>
> do_compile is failing to create 'nftrack' binary. |
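As an added illustration of the fix in the message above, the POSIX shell function below is a hypothetical reconstruction written for this page, not the plugin's real do_compile script. It assembles the nfdump object list the trace shows, probes for the two objects that are only sometimes present (fts_compat.o, which the original script already tests for, and minilzo.o, which supplies the `__lzo_init_v2` / `lzo1x_*` symbols nffile.o needs), and stops before the link step when minilzo.o is absent instead of letting gcc fail with undefined references. The object names are taken from the trace; the assumption that fts_compat.o is only built on some platforms is mine.

```shell
#!/bin/sh
# Hypothetical reconstruction of the NFDUMP_OBJ step of do_compile
# (not the plugin's own script). Builds the object list used to link
# nftrack against an already-built nfdump source tree.

# Objects nftrack always links against (names taken from the build trace).
NFDUMP_CORE_OBJS="util.o nftree.o grammar.o scanner.o nffile.o flist.o nf_common.o panonymizer.o rijndael.o ipconv.o"

# nfdump_obj_list <nfdump-dir>
# Prints the space-separated object list on stdout.
# Returns 1 when a core object or minilzo.o is missing, so the caller can
# stop before the linker reports "undefined reference".
nfdump_obj_list() {
    dir=$1
    list=""
    for o in $NFDUMP_CORE_OBJS; do
        if [ ! -f "$dir/$o" ]; then
            echo "missing $dir/$o: build nfdump first" >&2
            return 1
        fi
        list="$list $dir/$o"
    done
    # fts_compat.o is assumed to exist only on platforms where nfdump had to
    # build its own fts(3); include it when present, as do_compile probes for it.
    if [ -f "$dir/fts_compat.o" ]; then
        list="$list $dir/fts_compat.o"
    fi
    # minilzo.o provides the LZO symbols nffile.o references; without it the
    # link fails with the undefined-reference errors quoted in the thread.
    if [ ! -f "$dir/minilzo.o" ]; then
        echo "missing $dir/minilzo.o: nffile.o needs the LZO symbols it defines" >&2
        return 1
    fi
    list="$list $dir/minilzo.o"
    echo "${list# }"
}

# Usage: NFDUMP is assumed to point at a built nfdump tree, e.g.
#   NFDUMP=../../../nfdump-1.5.7 sh this_script.sh
if [ -n "$NFDUMP" ]; then
    NFDUMP_OBJ=$(nfdump_obj_list "$NFDUMP") || exit 1
    echo "NFDUMP_OBJ=$NFDUMP_OBJ"
fi
```

Failing at the object-list stage rather than at the link gives a one-line diagnosis ("missing .../minilzo.o") instead of the wall of `undefined reference` output in the message, which is the kind of check worth adding whenever a build script hard-codes a list of objects from another project's tree.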
|
From: Jake Z. <jak...@ci...> - 2008-10-21 19:39:17
|
monitor# ./do_compile
+ NFDUMP=../../../nfdump-1.5.7
+ RRDINCLUDE=/usr/local/include
+ LIBRRD=/usr/local/lib
+ NFDUMP_OBJ=../../../nfdump-1.5.7/util.o ../../../nfdump-1.5.7/nftree.o ../../../nfdump-1.5.7/grammar.o ../../../nfdump-1.5.7/scanner.o ../../../nfdump-1.5.7/nffile.o ../../../nfdump-1.5.7/flist.o ../../../nfdump-1.5.7/nf_common.o ../../../nfdump-1.5.7/panonymizer.o ../../../nfdump-1.5.7/rijndael.o ../../../nfdump-1.5.7/ipconv.o
+ [ -f ../../../nfdump-1.5.7/fts_compat.o ]
+ INCLUDES=-I ../../../nfdump-1.5.7 -I/usr/local/include
+ CC=gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2
+ gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -c -I ../../../nfdump-1.5.7 -I/usr/local/include nftrack.c
+ gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -c -I ../../../nfdump-1.5.7 -I/usr/local/include nftrack_rrd.c
+ gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -c -I ../../../nfdump-1.5.7 -I/usr/local/include nftrack_stat.c
+ gcc -o nftrack nftrack.o nftrack_rrd.o nftrack_stat.o ../../../nfdump-1.5.7/util.o ../../../nfdump-1.5.7/nftree.o ../../../nfdump-1.5.7/grammar.o ../../../nfdump-1.5.7/scanner.o ../../../nfdump-1.5.7/nffile.o ../../../nfdump-1.5.7/flist.o ../../../nfdump-1.5.7/nf_common.o ../../../nfdump-1.5.7/panonymizer.o ../../../nfdump-1.5.7/rijndael.o ../../../nfdump-1.5.7/ipconv.o -L/usr/local/lib -lrrd -L/usr/X11R6/lib -L/usr/local/lib
../../../nfdump-1.5.7/nffile.o(.text+0x1ce): In function `LZO_initialize':
/usr/local/newstuff/nfdump-1.5.7/nffile.c:163: undefined reference to `__lzo_init_v2'
../../../nfdump-1.5.7/nffile.o(.text+0xbee): In function `ReadBlock':
/usr/local/newstuff/nfdump-1.5.7/nffile.c:533: undefined reference to `lzo1x_decompress'
../../../nfdump-1.5.7/nffile.o(.text+0xc1b):/usr/local/newstuff/nfdump-1.5.7/nffile.c:592: undefined reference to `lzo1x_decompress'
../../../nfdump-1.5.7/nffile.o(.text+0xcba): In function `WriteBlock':
/usr/local/newstuff/nfdump-1.5.7/nffile.c:628: undefined reference to `lzo1x_1_compress'

nfsen and nfdump are both compiled and working...it's just this plugin that won't compile.

This is FreeBSD 6.3.

do_compile is failing to create 'nftrack' binary. |
|
From: Nicolás M. <nm...@ce...> - 2008-10-09 16:34:05
|
Hello,

I am not sure if these patches are needed but in order to get the botnet plugin running I had to:

// this I needed because continuous download of file emerging-botcc.rules takes a new name like emerging-botcc.rules.X where X is an incremental number.

blackdog:/opt/nfsen/svn/botnet# diff emergingthreads_example/botnet.cron /usr/local/bin/botnet.cron 6a7 > rm emerging-botcc.rules

// This I need to pass the correct file as argument and to strip "\n" from the stamp. I see a lot of logging telling me

Oct 7 20:00:26 blackdog nfsen[12224]: Botnets: 89.149.210.96, , , emergingthreads, 1223352363 , , is timed out
Oct 7 20:00:26 blackdog nfsen[12224]: Botnets: , 1223957163, , , , , is timed out
Oct 7 20:00:26 blackdog nfsen[12224]: Botnets: 89.149.237.242, , , emergingthreads, 1223352363 , , is timed out
Oct 7 20:00:26 blackdog nfsen[12224]: Botnets: , 1223957163, , , , , is timed out
Oct 7 20:00:26 blackdog nfsen[12224]: Botnets: 89.149.250.227, , , emergingthreads, 1223352363 , , is timed out
Oct 7 20:00:26 blackdog nfsen[12224]: Botnets: , 1223957163, , , , , is timed out

so the patch is:

blackdog:/opt/nfsen/svn/botnet# diff emergingthreads_example/ /usr/local/bin/botnet.cron
botnet.cron get_botnets_emerging-botcc .svn/
blackdog:/opt/nfsen/svn/botnet# diff emergingthreads_example/get_botnets_emerging-botcc /usr/local/bin/get_botnets_emerging-botcc 8c8 < $filename = $ARGV[1]; --- > $filename = $ARGV[0]; 10a11,13 > > chomp($stamp); >

Nicolas Macia |
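Review bot: the 6a7 hunk in botnet.cron (`> rm emerging-botcc.rules`) deletes the rules file so the next download does not land in an emerging-botcc.rules.X copy, but if that download fails the plugin is left with no rules file at all until the next cron run; fetching with `wget -O emerging-botcc.rules <url>` overwrites in place without the numbered copies, and downloading to a temporary name and moving it over the old file only when the fetch succeeds keeps the last good list available.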
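Review bot: the 8c8 hunk in get_botnets_emerging-botcc is right, since Perl puts the first command-line argument in `$ARGV[0]`, and the `chomp($stamp)` added by 10a11,13 removes the trailing newline that the message says ends up in the stamp field; what the hunks still lack is a guard for a missing argument, e.g. `die "usage: $0 <rules-file>\n" unless @ARGV;`, so a mis-invoked cron job fails loudly instead of producing the empty-field "is timed out" records shown in the log.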
|
From: Nicolás M. <nm...@ce...> - 2008-10-07 22:56:53
|
Hello, I am new on this list. I downloaded the latest plugins for detecting botnets. I think the file get_botnets_emerging-botcc from svn should say $filename = $ARGV[0]; instead of $filename = $ARGV[1]; Nicolas Macia |
|
From: Donnelly, M. (OFT) <Mic...@of...> - 2008-09-11 14:04:36
|
I'm about to re-attempt the events plugin . Can someone
please confirm what versions of perl, php and mysql are
being used successfully with the events plugin? It gave
me major database related headaches on my last attempt.
Thanks !
Mike D
|