Re: [Nfsen-discuss] nfsen consult
From: <ma...@ar...> - 2006-04-07 20:09:17
OK, but could you send me an example of the configuration of those
plugins so that I can test them.
Looking forward to your answer.
Thank you very much.
Peter Haag wrote:
>
>Hi Marcos,
>
>--On April 7, 2006 0:47:59 -0300 marcos <ma...@ar...> wrote:
>
>| I write to you in order to ask about the installation of the "demoplugins".
>| I've been trying to install them, but the following error always appears:
>
>| ----------------------------------------
>| WARNING: Warning set by demo plugin!!
>| ERROR: Error set by demo plugin!!
>| Hello I'm the demo plugin with id
>| ----------------------------------------
>| I would really appreciate it if you could give me any solution.
>
>Well - that's what the demo plugin does: It shows you how to display
>warnings and errors, and says 'hello' to you. And it looks like this works
>perfectly well on your system. It's a - demo plugin.
>
> - Peter
>
>|
>| Here you have the structure of my directory:
>| localhost# pwd
>| /usr/local/nfsen
>| localhost# ls
>| bin etc libexec plugins profiles var
>|
>| I also send you my configurations:
>| cat nfsen.conf
>|
>| ##############################
>| #
>| # NfSen master config file
>| #
>| # $Id: nfsen-dist.conf 34 2005-07-18 12:53:55Z peter $
>| #
>| # Configuration of NfSen:
>| # Set all the values to fit your NfSen setup and run the 'install.pl'
>| # script from the nfsen distribution directory.
>| #
>| # You should not need to change anything after NfSen is installed,
>| # besides the NfSen plugins at the bottom.
>| # When you make any changes in the plugins section, run 'nfsen reload'
>| # to make sure nfsen-run gets notified about your plugins.
>| #
>| # Do not change any other settings after NfSen is installed,
>| # otherwise you must rerun the install.pl script.
>| #
>| # The syntax must conform to Perl syntax.
>| #
>| ##############################
>| #
>| # NfSen default layout:
>| # Any scripts, modules or profiles are installed by default under $BASEDIR.
>| # However, you may change any of these settings to fit your requested layout.
>|
>| #
>| # Required for default layout
>| $BASEDIR = "/usr/local/nfsen";
>| #
>| # Where to install the NfSen binaries
>| $BINDIR="${BASEDIR}/bin";
>|
>| #
>| # Where to install the NfSen Perl modules
>| $LIBEXECDIR="${BASEDIR}/libexec";
>|
>| #
>| # Where to install the config files
>| $CONFDIR="${BASEDIR}/etc";
>|
>| #
>| # NfSen html pages directory:
>| # All php scripts will be installed here.
>| # URL: Entry point for nfsen: http://<webserver>/nfsen/nfsen.php
>| $HTMLDIR = "/usr/local/www/nfsen/";
>|
>| #
>| # Where to install the docs
>| $DOCDIR="${HTMLDIR}/doc";
>|
>| #
>| # Var space for NfSen
>| $VARDIR="${BASEDIR}/var";
>|
>| #
>| # The Profiles stat directory, where all profile information
>| # RRD DBs and gif pictures of the profile are stored
>| $PROFILESTATDIR="${BASEDIR}/profiles";
>|
>| #
>| # The Profiles directory, where all netflow data is stored
>| $PROFILEDATADIR="/usr/data";
>|
>| #
>| # Where go all the backend plugins
>| $BACKEND_PLUGINDIR="${BASEDIR}/plugins";
>|
>| #
>| # Where go all the frontend plugins
>| $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
>|
>| #
>| # nfdump tools path
>| $PREFIX = '/usr/local/bin';
>|
>| #
>| # BASEDIR unrelated vars:
>| #
>| # Run nfcapd as this user
>| # This may be a different or the same uid than your web server.
>| # Note: This user must be in group $WWWGROUP, otherwise nfcapd
>| # is not able to write data files!
>| $USER = "www";
>|
>| # user and group of the web server process
>| # All netflow processing will be done with this user
>| $WWWUSER = "www";
>| $WWWGROUP = "www";
>|
>| # Receive buffer size for nfcapd - see man page nfcapd(1)
>| $BUFFLEN = 200000;
>|
>| # Netflow sources
>| # Define an ident string, port and colour per netflow source
>| # ident identifies this netflow source. e.g. the router name,
>| #       Upstream provider name etc.
>| # port  nfcapd listens on this port for netflow data for this source
>| # col   colour in nfsen graphs for this source
>| #
>| # Syntax:
>| # 'ident' => { 'port' => '<portnum>', 'col' => '<colour>' }
>| # Ident strings must be 1 to 19 characters long only, containing
>| # characters [a-zA-Z0-9_].
>|
>| %sources = (
>|     'sl' => { 'port' => '23455', 'col' => '#0000ff' },
>|     'fl' => { 'port' => '23458', 'col' => '#ff0000' },
>| );
>|
>| #
>| # Low water mark: When expiring files, delete files until
>| # size = max size * low water mark
>| # typically 0.9
>| $low_water = 0.9;
>|
>| #
>| # syslog facility for periodic jobs
>| # nfsen uses level 'debug', 'info', 'warning' and 'err'
>| # Note: nfsen is very chatty for level 'debug' and 'info'
>| # For normal operation, you may set the logging level in syslog.conf
>| # to warning or error unless you want to debug NfSen
>| $syslog_facility = 'local3';
>|
>| #
>| # plugins
>| # plugins are run for each timeslot, after the roll over of new data files.
>| # A plugin may run for any profile or for a specific profile only.
>| # Syntax: [ 'profile', 'module' ]
>| # profile: ',' separated list of profiles, or '*' for any profile
>| # module:  Module name.
>| # The module follows the standard Perl module conventions, with at least two
>| # additional functions: Init() and run(). See demoplugin.pm for a simple template.
>| # Plugins are installed under
>| #
>| # $BACKEND_PLUGINDIR and $FRONTEND_PLUGINDIR
>|
>| # @plugins = (
>| #   # profile  # module
>| #   [ 'live',  'PortTracker'],
>| # );
>|
>| @plugins = (
>|     # profile  # module
>|     [ 'live',  'demoplugin' ],
>| );
>|
>| #
>| # Notification module
>| # The Notification module is an optional module. If you want your plugins to
>| # notify any result by email, use this module.
>| # Make sure you have installed Mail::Internet before using the module
>| #
>| # Use this from address
>| $MAIL_FROM = 'yo...@fr...';
>|
>| # Use these recipients
>| $RCPT_TO = 'an...@ex..., an...@ex...';
>|
>| # Use this SMTP server
>| $SMTP_SERVER = 'localhost';
>|
>| 1;
>|
>| cat demoplugin.pm
>|
>| #!/usr/bin/perl
>| #
>| # Copyright (c) 2004, SWITCH - Teleinformatikdienste fuer Lehre und Forschung
>| # All rights reserved.
>| #
>| # Redistribution and use in source and binary forms, with or without
>| # modification, are permitted provided that the following conditions are met:
>| #
>| # * Redistributions of source code must retain the above copyright notice,
>| #   this list of conditions and the following disclaimer.
>| # * Redistributions in binary form must reproduce the above copyright notice,
>| #   this list of conditions and the following disclaimer in the documentation
>| #   and/or other materials provided with the distribution.
>| # * Neither the name of SWITCH nor the names of its contributors may be
>| #   used to endorse or promote products derived from this software without
>| #   specific prior written permission.
>| #
>| # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
>| # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
>| # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
>| # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
>| # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>| # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
>| # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
>| # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
>| # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
>| # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
>| # POSSIBILITY OF SUCH DAMAGE.
>| #
>| # $Author: peter $
>| #
>| # $Id: demoplugin.pm 27 2005-04-20 13:50:06Z peter $
>| #
>| # $LastChangedRevision: 27 $
>|
>| # Demo plugin for NfSen
>| #
>| # This plugin demonstrates the use of plugins
>| # It searches for flows > 500000 packets and sends the output
>| # using the Notification module
>|
>| package demoplugin;
>|
>| use strict;
>| use NfSen;
>| use NfConf;
>|
>| #
>| # The plugin may send any messages to syslog
>| # Do not initialize syslog, as this is done by
>| # the main process nfsen-run
>| use Sys::Syslog;
>| Sys::Syslog::setlogsock('unix');
>|
>| # Use the optional Notification module
>| use Notification;
>| my ( $nfdump, $PROFILEDIR );
>|
>| #
>| # Define a nice filter:
>| # We like to see flows containing more than 500000 packets
>| my $nf_filter = 'packets > 500000';
>|
>| #
>| # Periodic function
>| # input: profilename
>| #        timeslot. Format yyyymmddHHMM e.g. 200503031200
>| sub run {
>|     my $profile  = shift;
>|     my $timeslot = shift;
>|
>|     syslog('debug', "demoplugin run: Profile: $profile, Time: $timeslot");
>|
>|     my %profileinfo     = NfSen::ReadProfile($profile);
>|     my $netflow_sources = "$PROFILEDIR/$profile/$profileinfo{'sourcelist'}";
>|
>|     #
>|     # process all sources of this profile at once
>|     my @output = `$nfdump -M $netflow_sources -r nfcapd.$timeslot '$nf_filter'`;
>|
>|     #
>|     # Process the output and notify the duty team
>|
>|     # The 2nd but last line contains the stat info of the processed flow:
>|     # e.g. Flows analysed: 61 matched: 61, Bytes read: 3168
>|     if ( $output[-2] =~ /matched:\s+(\d+)/ ) {
>|         my $matched = $1;
>|         syslog('debug', "demoplugin run: $matched flows");
>|         if ( $matched ) {
>|             notify("Packets > 500000: Profile $profile, Timeslot $timeslot",
>|                    \@output );
>|         }
>|     } else {
>|         syslog('err', "Unparsable output line '$output[-2]'");
>|     }
>|
>|     # .... more to come
>|
>| }
>|
>| sub Init {
>|     syslog("info", "demoplugin: Init");
>|
>|     # Init some vars
>|     $nfdump     = "$NfConf::PREFIX/nfdump";
>|     $PROFILEDIR = "$NfConf::PROFILEDIR";
>|
>|     return 1;
>| }
>|
>| sub BEGIN {
>|     syslog("info", "demoplugin BEGIN");
>|     # Standard BEGIN Perl function - See Perl documentation
>|     # not used here
>| }
>|
>| sub END {
>|     syslog("info", "demoplugin END");
>|     # Standard END Perl function - See Perl documentation
>|     # not used here
>| }
>|
>| 1;
>| ------- End of Forwarded Message -------
>
>--
>_______ SWITCH - The Swiss Education and Research Network ______
>Peter Haag, Security Engineer, Member of SWITCH CERT
>PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
>SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
>E-mail: pet...@sw... Web: http://www.switch.ch/
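The demo plugin quoted above is the template NfSen ships for a backend plugin: a Perl module with Init() and run(profile, timeslot), one nfdump call per timeslot, and a check of the "Flows analysed ... matched:" statistics line before anything is mailed out. The following is an added example written for this page, not code from NfSen or from the demoplugin.pm above. It keeps the same interface and the same filter but changes the two fragile steps: nfdump is started with an argument list instead of a shell command line, so the source list, the timeslot and the filter are never re-parsed by /bin/sh, and the statistics line is found by pattern rather than by its position in the output. The module name, the helper names, the constructed sample output in the self-test, the use of $NfConf::PROFILEDATADIR (taken from the nfsen.conf above; the demo plugin reads $NfConf::PROFILEDIR) and the call Notification::notify() (the demo plugin imports notify from Notification) are my assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of NfSen: a hardened variant of demoplugin.pm.
# Module name, helper names and the sample output below are assumptions.
package demoplugin_hardened;

use strict;
use warnings;
use Sys::Syslog;    # nfsen-run opens syslog; the plugin only calls syslog()

my ( $nfdump, $PROFILEDIR );

# Same filter as the demo plugin: flows with more than 500000 packets.
my $nf_filter = 'packets > 500000';

# Find the statistics line nfdump prints near the end of its output, e.g.
#   Flows analysed: 61 matched: 61, Bytes read: 3168
# (format as quoted in the demoplugin.pm comment). Searches from the end
# instead of assuming the line is always $output[-2]. Returns a hash ref
# {analysed, matched, bytes} or undef if no such line exists.
sub parse_nfdump_summary {
    my @lines = @_;
    for my $line ( reverse @lines ) {
        if ( $line =~ /Flows analysed:\s*(\d+)\s+matched:\s*(\d+),\s*Bytes read:\s*(\d+)/ ) {
            return { analysed => $1, matched => $2, bytes => $3 };
        }
    }
    return;
}

# Run nfdump with an argument list (no shell involved) and return
# (exit_status, @output_lines). The timeslot becomes part of a file name
# (nfcapd.yyyymmddHHMM, per the demo plugin comment), so it is validated first.
sub run_nfdump {
    my ( $bin, $sources, $timeslot, $filter ) = @_;
    die "bad timeslot '$timeslot'\n" unless $timeslot =~ /^\d{12}\z/;
    my @cmd = ( $bin, '-M', $sources, '-r', "nfcapd.$timeslot", $filter );
    open( my $fh, '-|', @cmd ) or die "cannot start $bin: $!\n";
    my @output = <$fh>;
    close $fh;
    return ( $? >> 8, @output );
}

# Periodic function, same interface as the demo plugin: (profile, timeslot).
sub run {
    my ( $profile, $timeslot ) = @_;
    syslog( 'debug', "demoplugin_hardened run: Profile: $profile, Time: $timeslot" );

    require NfSen;    # loaded here so the file also runs stand-alone (self-test)
    my %profileinfo = NfSen::ReadProfile($profile);
    my $sources     = "$PROFILEDIR/$profile/$profileinfo{'sourcelist'}";

    my ( $status, @output ) = run_nfdump( $nfdump, $sources, $timeslot, $nf_filter );
    if ($status) {
        syslog( 'err', "nfdump exited with status $status for $profile/$timeslot" );
        return;
    }
    my $stats = parse_nfdump_summary(@output);
    if ( !$stats ) {
        syslog( 'err', "no statistics line in nfdump output for $profile/$timeslot" );
        return;
    }
    syslog( 'debug', "demoplugin_hardened run: $stats->{matched} flows" );
    if ( $stats->{matched} ) {
        require Notification;    # assumption: Notification defines notify()
        Notification::notify( "Packets > 500000: Profile $profile, Timeslot $timeslot", \@output );
    }
}

sub Init {
    syslog( 'info', 'demoplugin_hardened: Init' );
    require NfConf;
    $nfdump     = "$NfConf::PREFIX/nfdump";
    $PROFILEDIR = $NfConf::PROFILEDATADIR;    # assumption: same name as in nfsen.conf
    return 1;
}

# Stand-alone self-test on constructed nfdump output:  perl demoplugin_hardened.pm
unless (caller) {
    my @sample = (    # constructed sample, not real nfdump output
        "Date flow start  Duration Proto  Src IP Addr:Port  Dst IP Addr:Port  Packets  Bytes\n",
        "2006-04-07 00:47:59  0.000  TCP  10.0.0.1:1234 -> 10.0.0.2:80  600000  12345678\n",
        "Flows analysed: 61 matched: 1, Bytes read: 3168\n",
        "Sys: 0.001s  Wall: 0.001s\n",
    );
    my $s = parse_nfdump_summary(@sample);
    die "parse failed\n" unless $s && $s->{matched} == 1 && $s->{analysed} == 61;
    my $none = parse_nfdump_summary();
    die "empty output must not parse\n" if defined $none;
    print "self-test ok: $s->{matched} of $s->{analysed} flows matched\n";
}

1;
```

To use it as a real plugin, drop the file under $BACKEND_PLUGINDIR, add [ 'live', 'demoplugin_hardened' ] to @plugins in nfsen.conf and run 'nfsen reload', exactly as the config comments describe for demoplugin. The self-test block only exercises the parser; run() and Init() still need the NfSen modules that nfsen-run provides.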