[patch] net-mgmt/flowviewer and security/silktools patches
Chad Gross
avatar4d at gmail.com
Tue Feb 18 18:57:47 UTC 2014
On Tue, Feb 18, 2014 at 10:33 AM, Chad Gross <avatar4d at gmail.com> wrote:
> I managed to configure net-mgmt/flowviewer with security/silktools, but
> had to make some modifications to get it working. FlowViewer is configured
> by default to pass the $silk_data_dir + $device_name as the root data
> directory to the rwfilter tool, when the root directory should be the same
> as $silk_data_dir. I've confirmed it is still configured this way in
> the latest version (4.3, released 2/11/14) so I could be misconfiguring
> something, but I don't see how since I followed the documentation (
> http://sourceforge.net/projects/flowviewer/files/FlowViewer.pdf/download).
> I also manually ran the commands out of working/DEBUG_VIEWER and it
> produced nothing until I updated --data-rootdir=/data/flows/S0 to
> --data-rootdir=/data/flows.
>
> Here are patches for the 4 affected files:
>
>
> --- FlowGrapher_Main.cgi.orig 2014-02-18 08:49:42.000000000 -0500
>
> +++ FlowGrapher_Main.cgi 2014-02-18 09:09:58.000000000 -0500
>
> @@ -535,7 +535,7 @@
>
> $silk_flow_type =~ s/\s+//g;
>
> }
>
>
>
> - $data_root_dir = $silk_data_directory ."/". $device_name;
>
> + $data_root_dir = $silk_data_directory;
>
>
>
> # Prepare rwfilter start and end time parameters, filter criteria
> and window type
>
>
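Review bot: dropping `$device_name` from `$data_root_dir` is the right fix for rwfilter, whose `--data-rootdir` expects the top of the SiLK repository rather than a per-sensor subdirectory, but it also means the device no longer scopes the query through the data path at all; unless the `--sensors=` argument built elsewhere still carries `$device_name`, a per-device request now reads every sensor under `$silk_data_directory`. Since this same one-line assignment is repeated in four files, it would be cleaner to compute `$data_root_dir` once in the shared configuration or utilities module and have each script use that.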
> --- FlowTracker_Recreate.orig 2014-02-16 15:50:35.000000000 -0500
>
> +++ FlowTracker_Recreate 2014-02-18 09:09:58.000000000 -0500
>
> @@ -245,7 +245,7 @@
>
> $cat_start =
> epoch_to_date($cat_start_epoch,"LOCAL");
>
> $cat_end = epoch_to_date($cat_end_epoch,"LOCAL");
>
>
>
> - $data_root_dir = $silk_data_directory ."/".
> $device_name;
>
> + $data_root_dir = $silk_data_directory;
>
>
>
> $silk_flow_type = "";
>
>
>
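Review bot: the `-`/`+` lines in this hunk have been wrapped by the mail client, with `$device_name;` pushed onto its own line, so `patch(1)` will reject the hunk as pasted; attaching the diffs as files would let a committer apply them directly. The context `epoch_to_date($cat_start_epoch,"LOCAL")` calls are also why the localtime option in the Makefile patch below matters: FlowTracker recreates its windows in local time while a default SiLK build interprets rwfilter times as UTC.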
> --- FlowTracker_Collector.orig 2014-02-18 08:48:54.000000000 -0500
>
> +++ FlowTracker_Collector 2014-02-18 09:09:58.000000000 -0500
>
> @@ -303,7 +303,7 @@
>
>
>
> # Set up silk data sources
>
>
>
> - $data_root_dir = $silk_data_directory ."/".
> $device_name;
>
> + $data_root_dir = $silk_data_directory;
>
>
>
> $silk_flow_type = "";
>
>
>
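Review bot: the `# Set up silk data sources` comment above the changed line now describes an assignment that no longer varies by device; a short note there that rwfilter is given the repository root and that per-device scoping is done with `--sensors=` would stop the next reader from "fixing" it back to the `$device_name` form. The `$device_name;` line-wrapping problem from the previous hunk applies here as well.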
> --- FlowViewer_Main.cgi.orig 2014-02-18 08:52:30.000000000 -0500
>
> +++ FlowViewer_Main.cgi 2014-02-18 09:09:58.000000000 -0500
>
> @@ -431,7 +431,7 @@
>
> $silk_flow_type =~ s/\s+//g;
>
> }
>
>
>
> - $data_root_dir = $silk_data_directory ."/". $device_name;
>
> + $data_root_dir = $silk_data_directory;
>
>
>
> # Prepare rwfilter start and end time parameters
>
>
>
>
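Review bot: with all four callers changed identically, a grep for `$silk_data_directory ."/"` over the FlowViewer tree would confirm there is no fifth place that still composes the per-device root. If the command lines logged under working/DEBUG_VIEWER (which the report says were run by hand) are built from `$data_root_dir`, they give a quick check: after patching, they should show `--data-rootdir=/data/flows` without manual editing.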
> I also found that security/silktools uses UTC by default, but has a
> configuration option to enable localtime (
> https://tools.netsa.cert.org/silk/faq.html#timestamp-mismatch).
>
> Here is a patch to the Makefile containing a config option for localtime:
>
>
> --- /usr/ports/silktools/Makefile.orig 2014-02-18 09:29:28.000000000 -0500
>
> +++ /usr/ports/silktools/Makefile 2014-02-18 09:41:48.000000000 -0500
>
> @@ -23,6 +23,11 @@
>
> USES= perl5
>
> USE_PERL5= build
>
>
> +HAS_CONFIGURE= yes
>
> +OPTIONS_DEFINE= LOCALTIME
>
> +LOCALTIME_DESC= Use localtime instead of UTC
>
> +
>
> +
>
> MAN1= mapsid.1 num2dot.1 rwaddrcount.1 rwappend.1 \
>
> rwbag.1 rwbagbuild.1 rwbagcat.1 rwbagtool.1 \
>
> rwcat.1 rwcount.1 rwcut.1 rwdedupe.1 rwfglob.1 \
>
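Review bot: `HAS_CONFIGURE= yes` only makes the framework run the script's `configure` with `CONFIGURE_ARGS`; if SiLK's configure is a GNU autoconf script and the port does not already set `GNU_CONFIGURE` outside this hunk, `GNU_CONFIGURE= yes` is the conventional setting and supplies `--prefix=${PREFIX}` for you. The two `+` blank lines after `LOCALTIME_DESC` are one too many; a single blank line separates the option block from `MAN1`. Leaving `OPTIONS_DEFAULT` unset keeps LOCALTIME off by default, which matches SiLK's documented UTC default and is the right choice for a port whose timestamps are consumed by other tools.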
> @@ -51,6 +56,13 @@
>
> rwsender.8
>
>
> NO_STAGE= yes
>
> +
>
> +.include <bsd.port.options.mk>
>
> +
>
> +.if ${PORT_OPTIONS:MLOCALTIME}
>
> +CONFIGURE_ARGS+=--enable-localtime
>
> +.endif
>
> +
>
> post-patch:
>
> @${REINPLACE_CMD} -e 's|echo aout|echo elf|' ${WRKSRC}/configure
>
>
>
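Review bot: the `.include <bsd.port.options.mk>` / `.if ${PORT_OPTIONS:MLOCALTIME}` block is ordered correctly (options.mk must be included before `PORT_OPTIONS` is tested), but the include is conventionally placed directly after the `OPTIONS_*` declarations near the top of the Makefile rather than below `NO_STAGE`, which keeps the option definition and its effect together. The `LOCALTIME_DESC` text could also say that `--enable-localtime` changes how every SiLK tool parses and prints timestamps, since that is what makes FlowViewer's `"LOCAL"` times line up with rwfilter's.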
> Thanks,
>
>
> Chad
>
Here is another patch for net-mgmt/flowviewer so sensor filtering works. I am
not sure why, but this file is originally trying to use the exporter as the
sensor for SiLK devices. This is interesting since the PDF above indicated
that the @exporter array was only used for flow-tools, not SiLK, but alas
here it is using it. If anything, I think it would make more sense to use
the "device" as the sensor, especially since @ipfix_devices is already
defined as a sensor per the documentation. To make matters worse, it is
grepping for the probes and not the sensors in order to populate the
--sensors= flag.
--- FlowViewer_Utilities.pm.orig 2014-02-18 12:52:42.000000000 -0500
+++ FlowViewer_Utilities.pm 2014-02-18 13:50:09.000000000 -0500
@@ -2339,50 +2339,50 @@
# Set up exporter address filtering, if any
- if ($exporter ne "") {
+ if ($device_name ne "") {
- $exporter =~ s/\s+//g;
- $num_include_probe = 0;
- @valid_probes = ();
+ $device_name =~ s/\s+//g;
+ $num_include_sensor = 0;
+ @valid_sensors = ();
- # Get valid probes (exporters) from the sensor.conf file
+ # Get valid sensors (device_names) from the sensor.conf file
- $probe_command = "cat $sensor_config_directory/sensor.conf | grep probe >
$work_directory/valid_probes_$suffix";
- system ($probe_command);
+ $sensor_command = "cat $sensor_config_directory/sensor.conf | grep sensor
> $work_directory/valid_sensors_$suffix";
+ system ($sensor_command);
- open (PROBES,"<$work_directory/valid_probes_$suffix");
+ open (PROBES,"<$work_directory/valid_sensors_$suffix");
while (<PROBES>) {
- ($probe_label,$probe) = split(/\s+/,$_);
- if ($probe_label eq "probe") { push (@valid_probes,$probe); }
+ ($sensor_label,$sensor) = split(/\s+/,$_);
+ if ($sensor_label eq "sensor") { push (@valid_sensors,$sensor); }
}
while ($still_more) {
- ($exporter_name) = split(/,/,$exporter);
- $start_char = length($exporter_name) + 1;
- $exporter = substr($exporter,$start_char);
+ ($device_name_name) = split(/,/,$device_name);
+ $start_char = length($device_name_name) + 1;
+ $device_name = substr($device_name,$start_char);
- if (substr($exporter_name,0,1) eq "-") {
- &print_error("SiLK software does not support exclusion of Exporters
(Sensors) at this time: -$exporter_name"); last;
+ if (substr($device_name_name,0,1) eq "-") {
+ &print_error("SiLK software does not support exclusion of Exporters
(Sensors) at this time: -$device_name_name"); last;
} else {
- foreach $probe (@valid_probes) {
- if ($exporter_name eq $probe) {
- $num_include_probe++;
- if ($num_include_probe < 2) {
- $sensor_field .= $exporter_name;
+ foreach $sensor (@valid_sensors) {
+ if ($device_name_name eq $sensor) {
+ $num_include_sensor++;
+ if ($num_include_sensor < 2) {
+ $sensor_field .= $device_name_name;
} else {
- $sensor_field .= "," . $exporter_name;
+ $sensor_field .= "," . $device_name_name;
}
}
}
}
- if ($exporter eq "") { last; }
+ if ($device_name eq "") { last; }
}
$sensor_field = " --sensors=" . $sensor_field;
- $save_file .= "_" . $exporter_name;
+ $save_file .= "_" . $device_name;
}
# Set up Next Hop IP filtering, if any
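Review bot: `$save_file .= "_" . $device_name;` at the end of the hunk appends an empty string, because the `while ($still_more)` loop consumes `$device_name` with `substr` until it is `""` and only then exits through `if ($device_name eq "") { last; }`; the original line used the last parsed name (`$exporter_name`), so this should be `$save_file .= "_" . $device_name_name;` (and `$device_name_name` itself reads better as `$sensor_name`). On the same block, `"cat $sensor_config_directory/sensor.conf | grep sensor > $work_directory/valid_sensors_$suffix"` still goes through `system()` with interpolated paths and leaves a temp file behind, and `grep sensor` matches any line containing that word, which is why the `$sensor_label eq "sensor"` test is still needed afterwards; opening `sensor.conf` directly in Perl and matching `/^\s*sensor\s+(\S+)/` removes both the shell and the temp file. Finally, if no requested name matches a valid sensor, `$sensor_field` stays empty and rwfilter is handed a bare `--sensors=`; reporting that through `print_error`, as the exclusion case already does, would make the failure visible instead of silent.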
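As an added example (not FlowViewer's or SiLK's own code) of the sensor selection the message above describes, the Perl below reads the sensor names straight from a constructed sensor.conf instead of shelling out to cat and grep, validates the requested device list against them, and keeps the last selected name for the save-file suffix; the function and variable names are chosen here and are not FlowViewer's.

```perl
# Added example, not FlowViewer's own code: build rwfilter's --sensors=
# argument from FlowViewer's comma-separated device list, validating names
# against the "sensor" lines of a SiLK sensor.conf parsed directly in Perl
# instead of through "cat ... | grep sensor > tmpfile" plus system().
use strict;
use warnings;
# Constructed sample sensor.conf; a real one comes from the SiLK site config.
my $SAMPLE_SENSOR_CONF = <<'EOF';
# sensor.conf (constructed sample)
probe S0 netflow-v5
end probe
sensor S0
    netflow-v5-probes S0
end sensor
sensor S1
end sensor
EOF
sub _trim { my $s = shift; $s =~ s/^\s+|\s+$//g; return $s }
# Names declared by "sensor <name>" lines: only a line whose first token is
# exactly "sensor" counts, so "end sensor", probe lines and comments are skipped.
sub valid_sensors_from_conf {
    my ($conf_text) = @_;
    my @sensors;
    for my $line (split /\n/, $conf_text) {
        next if $line =~ /^\s*#/;
        my ($label, $name) = split /\s+/, _trim($line);
        push @sensors, $name if defined $name && $label eq 'sensor';
    }
    return @sensors;
}
# Turn "S0, S1" into " --sensors=S0,S1". Returns (arg, last_name, error); the
# error is set for a leading "-" (no sensor exclusion on this path) or a name
# absent from sensor.conf, so the caller refuses to run rwfilter rather than
# handing it an empty --sensors= value. last_name feeds the save-file suffix.
sub build_sensors_arg {
    my ($device_list, @valid) = @_;
    my %ok = map { $_ => 1 } @valid;
    my (@selected, $last);
    for my $name (grep { length } map { _trim($_) } split /,/, $device_list) {
        $last = $name;
        return ('', $last, "exclusion not supported: $name") if $name =~ /^-/;
        return ('', $last, "unknown sensor: $name") unless $ok{$name};
        push @selected, $name;
    }
    return ('', $last // '', 'no sensors selected') unless @selected;
    return (' --sensors=' . join(',', @selected), $last, '');
}
my ($arg, $last, $err) = build_sensors_arg('S0, S1', valid_sensors_from_conf($SAMPLE_SENSOR_CONF));
print $err ? "error: $err\n" : "rwfilter$arg (save-file suffix _$last)\n";
```

With the constructed sample the script prints `rwfilter --sensors=S0,S1 (save-file suffix _S1)`; a request such as `-S0` or `S9` is rejected before any rwfilter command is built.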