From: Chad Gross
Date: Sun, 2 Mar 2014 21:21:17 -0500
Subject: Re: [patch] net-mgmt/flowviewer and security/silktools patches
To: freebsd-ports@freebsd.org
Cc: 5u623l20@gmail.com, Alex Samorukov
List-Id: Porting software to FreeBSD

On Tue, Feb 18, 2014 at 1:57 PM, Chad Gross wrote:
> On Tue, Feb 18, 2014 at 10:33 AM, Chad Gross wrote:
>
>> I managed to configure net-mgmt/flowviewer with security/silktools, but
>> had to make some modifications to get it working. FlowViewer is configured
>> by default to pass the $silk_data_dir + $device_name as the root data
>> directory to the rwfilter tool, when the root directory should be the same
>> as $silk_data_dir. I've confirmed it is still configured this way in
>> the latest version (4.3, released 2/11/14) so I could be misconfiguring
>> something, but I don't see how since I was following the documentation (
>> http://sourceforge.net/projects/flowviewer/files/FlowViewer.pdf/download).
>> I also manually ran the commands out of working/DEBUG_VIEWER and it
>> produced nothing until I updated --data-rootdir=/data/flows/S0 to
>> --data-rootdir=/data/flows.
>>
>> Here are patches for the 4 affected files:
>>
>> --- FlowGrapher_Main.cgi.orig 2014-02-18 08:49:42.000000000 -0500
>> +++ FlowGrapher_Main.cgi 2014-02-18 09:09:58.000000000 -0500
>> >> @@ -535,7 +535,7 @@ >> >> $silk_flow_type =~ s/\s+//g; >> >> } >> >> >> >> - $data_root_dir = $silk_data_directory ."/". $device_name; >> >> + $data_root_dir = $silk_data_directory; >> >> >> >> # Prepare rwfilter start and end time parameters, filter criteria >> and window type >> >> >> --- FlowTracker_Recreate.orig 2014-02-16 15:50:35.000000000 -0500 >> >> +++ FlowTracker_Recreate 2014-02-18 09:09:58.000000000 -0500 >> >> @@ -245,7 +245,7 @@ >> >> $cat_start = >> epoch_to_date($cat_start_epoch,"LOCAL"); >> >> $cat_end = >> epoch_to_date($cat_end_epoch,"LOCAL"); >> >> >> >> - $data_root_dir = $silk_data_directory ."/". >> $device_name; >> >> + $data_root_dir = $silk_data_directory; >> >> >> >> $silk_flow_type = ""; >> >> >> >> --- FlowTracker_Collector.orig 2014-02-18 08:48:54.000000000 -0500 >> >> +++ FlowTracker_Collector 2014-02-18 09:09:58.000000000 -0500 >> >> @@ -303,7 +303,7 @@ >> >> >> >> # Set up silk data sources >> >> >> >> - $data_root_dir = $silk_data_directory ."/". >> $device_name; >> >> + $data_root_dir = $silk_data_directory; >> >> >> >> $silk_flow_type = ""; >> >> >> >> --- FlowViewer_Main.cgi.orig 2014-02-18 08:52:30.000000000 -0500 >> >> +++ FlowViewer_Main.cgi 2014-02-18 09:09:58.000000000 -0500 >> >> @@ -431,7 +431,7 @@ >> >> $silk_flow_type =~ s/\s+//g; >> >> } >> >> >> >> - $data_root_dir = $silk_data_directory ."/". $device_name; >> >> + $data_root_dir = $silk_data_directory; >> >> >> >> # Prepare rwfilter start and end time parameters >> >> >> >> >> I also found that security/silktools uses UTC by default, but has a >> configuration option to enable localtime ( >> https://tools.netsa.cert.org/silk/faq.html#timestamp-mismatch). >> >> Here is a patch to the Makefile containing a config option for localtime: >> >> >> --- /usr/ports/silktools/Makefile.orig 2014-02-18 09:29:28.000000000 >> -0500 >> >> +++ /usr/ports/silktools/Makefile 2014-02-18 09:41:48.000000000 >> -0500 
>> >> @@ -23,6 +23,11 @@ >> >> USES= perl5 >> >> USE_PERL5= build >> >> >> +HAS_CONFIGURE= yes >> >> +OPTIONS_DEFINE= LOCALTIME >> >> +LOCALTIME_DESC= Use localtime instead of UTC >> >> + >> >> + >> >> MAN1= mapsid.1 num2dot.1 rwaddrcount.1 rwappend.1 \ >> >> rwbag.1 rwbagbuild.1 rwbagcat.1 rwbagtool.1 \ >> >> rwcat.1 rwcount.1 rwcut.1 rwdedupe.1 rwfglob.1 \ >> >> @@ -51,6 +56,13 @@ >> >> rwsender.8 >> >> >> NO_STAGE= yes >> >> + >> >> +.include >> >> + >> >> +.if ${PORT_OPTIONS:MLOCALTIME} >> >> +CONFIGURE_ARGS+=--enable-localtime >> >> +.endif >> >> + >> >> post-patch: >> >> @${REINPLACE_CMD} -e 's|echo aout|echo elf|' ${WRKSRC}/configure >> >> >> >> Thanks, >> >> >> Chad >> > > > > Here is another patch for net-mgmt/flowview so sensor filtering works. I > am not sure why, but this file is originally trying to use the exporter as > the sensor for SiLK devices. This is interesting since the PDF above > indicated that the @exporter array was only used for flow-tools, not SiLK > but alas here it is using it. If anything I think it would make more sense > to use the "device" as the sensor, especially since @ipfix_devices is > already defined as a sensor per the documentation. To make matters worse it > is grepping for the probes and not the sensors in order to populate the > --sensors= flag. > > > > --- FlowViewer_Utilities.pm.orig 2014-02-18 12:52:42.000000000 -0500 > > +++ FlowViewer_Utilities.pm 2014-02-18 13:50:09.000000000 -0500 
> > @@ -2339,50 +2339,50 @@ > > > > # Set up exporter address filtering, if any > > > > - if ($exporter ne "") { > > + if ($device_name ne "") { > > > > - $exporter =~ s/\s+//g; > > - $num_include_probe = 0; > > - @valid_probes = (); > > + $device_name =~ s/\s+//g; > > + $num_include_sensor = 0; > > + @valid_sensors = (); > > > > - # Get valid probes (exporters) from the sensor.conf file > > + # Get valid sensors (device_names) from the sensor.conf file > > > > - $probe_command = "cat $sensor_config_directory/sensor.conf | grep probe > > $work_directory/valid_probes_$suffix"; > > - system ($probe_command); > > + $sensor_command = "cat $sensor_config_directory/sensor.conf | grep > sensor > $work_directory/valid_sensors_$suffix"; > > + system ($sensor_command); > > > > - open (PROBES,"<$work_directory/valid_probes_$suffix"); > > + open (PROBES,"<$work_directory/valid_sensors_$suffix"); > > while () { > > - ($probe_label,$probe) = split(/\s+/,$_); > > - if ($probe_label eq "probe") { push (@valid_probes,$probe); } > > + ($sensor_label,$sensor) = split(/\s+/,$_); > > + if ($sensor_label eq "sensor") { push (@valid_sensors,$sensor); } > > } > > > > while ($still_more) { > > > > - ($exporter_name) = split(/,/,$exporter); > > - $start_char = length($exporter_name) + 1; > > - $exporter = substr($exporter,$start_char); > > + ($device_name_name) = split(/,/,$device_name); > > + $start_char = length($device_name_name) + 1; > > + $device_name = substr($device_name,$start_char); > > > > - if (substr($exporter_name,0,1) eq "-") { > > - &print_error("SiLK software does not support exclusion of Exporters > (Sensors) at this time: -$exporter_name"); last; > > + if (substr($device_name_name,0,1) eq "-") { > > + &print_error("SiLK software does not support exclusion of Exporters > (Sensors) at this time: -$device_name_name"); last; > > } else { > > - foreach $probe (@valid_probes) { > > - if ($exporter_name eq $probe) { > > - $num_include_probe++; > > - if ($num_include_probe < 2) { 
> > - $sensor_field .= $exporter_name; > > + foreach $sensor (@valid_sensors) { > > + if ($device_name_name eq $sensor) { > > + $num_include_sensor++; > > + if ($num_include_sensor < 2) { > > + $sensor_field .= $device_name_name; > > } else { > > - $sensor_field .= "," . $exporter_name; > > + $sensor_field .= "," . $device_name_name; > > } > > } > > } > > } > > > > - if ($exporter eq "") { last; } > > + if ($device_name eq "") { last; } > > } > > > > $sensor_field = " --sensors=" . $sensor_field; > > > > - $save_file .= "_" . $exporter_name; > > + $save_file .= "_" . $device_name; > > } > > > > # Set up Next Hop IP filtering, if any > >

Not only are these previously submitted patches needed, but the startup scripts (e.g. tools/flowtracker_restart) that make the tracker useful are not patched, nor are they installed in /usr/local/etc/rc.d. So far I have noticed incorrect paths and linux-isms in the su command. I don't have time to fix and patch these now, but thought I would pass this info along since this port will not work for anyone looking to set this up.
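Review bot: in the FlowGrapher_Main.cgi hunk at @@ -535,7 +535,7 @@ (and the three identical hunks in FlowTracker_Recreate, FlowTracker_Collector and FlowViewer_Main.cgi), dropping `$device_name` from `$data_root_dir` means the selected device no longer constrains the query through the path; unless the `--sensors=` parameter is also populated, rwfilter is now run over every sensor under `$silk_data_directory`. That dependency should be stated in the patch description, and since the same one-line change is applied in four scripts, consider setting `$data_root_dir` once in the shared code instead of in each file.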
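Review bot: in the first Makefile hunk (@@ -23,6 +23,11 @@), `+HAS_CONFIGURE= yes` is unrelated to the LOCALTIME option it is added alongside; the existing `post-patch` target already edits `${WRKSRC}/configure`, so the port presumably runs configure already, and if it does this line is either redundant or changes how configure is invoked and needs its own justification. Also, the two blank `+` lines after `+LOCALTIME_DESC= Use localtime instead of UTC` should be one.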
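Review bot: in the second Makefile hunk (@@ -51,6 +56,13 @@), the `+.include` line has no argument as posted (an angle-bracketed file name was probably stripped in transit); `${PORT_OPTIONS:MLOCALTIME}` is only defined after `.include <bsd.port.options.mk>`, so confirm the committed version names that file and that the `.if` test stays before the port's final `.include <bsd.port.mk>`.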
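Review bot: in the FlowViewer_Utilities.pm hunk (@@ -2339,50 +2339,50 @@), `+ $save_file .= "_" . $device_name;` appends an empty string: by the time the `while ($still_more)` loop reaches `+ if ($device_name eq "") { last; }`, the `substr` calls have consumed `$device_name`, so the save file only gains a trailing `_` where the original appended the last parsed name (`$exporter_name`); use `$device_name_name` here, or take a copy of the requested list before the loop. The same consumption means any code after this block that still reads `$device_name` sees an empty string, which matters now that a caller-visible variable is destroyed instead of `$exporter`. Two smaller points: the renamed command still shells out (`cat ... | grep sensor > ...` through `system`) and interpolates `$sensor_config_directory`, `$work_directory` and `$suffix` into that shell string, whereas opening sensor.conf directly in Perl and matching lines against `/^\s*sensor\s+(\S+)/` needs no shell and no temp file; and `open (PROBES,"<$work_directory/valid_sensors_$suffix")` should be renamed to match its new contents.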
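The sensor-filtering logic discussed above (read the sensor names out of a SiLK sensor.conf, then accept only declared names when building rwfilter's `--sensors=` argument) is shown here as an added example. This is not FlowViewer or SiLK code: the function names `read_sensor_names` and `build_sensors_arg` and the sensor.conf sample are this example's own, and it assumes the sensor.conf layout of `sensor NAME ... end sensor` and `probe NAME TYPE ... end probe` blocks. It reads the file directly in Perl instead of going through `cat | grep` and a temp file, works on a copy of the request so the caller's variable is not consumed, and reports unknown names and `-NAME` exclusions back to the caller rather than passing them to rwfilter.

```perl
#!/usr/bin/env perl
# Added example, not FlowViewer or SiLK code: read the sensor names declared
# in a SiLK sensor.conf directly in Perl and build rwfilter's --sensors=
# argument from a user-supplied device list, accepting only declared names.
# Function names and the sensor.conf sample below are this example's own.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Return the sensor names declared in a sensor.conf. Sensors are declared as
# "sensor NAME ... end sensor"; "probe NAME TYPE ... end probe" blocks are the
# collection probes, which a grep for "probe" picks up instead of sensors.
sub read_sensor_names {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my @sensors;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;                                      # drop comments
        push @sensors, $1 if $line =~ /^\s*sensor\s+(\S+)/;    # "end sensor" does not match
    }
    close($fh);
    return @sensors;
}

# Build " --sensors=A,B" from a comma-separated request such as "S0, S1,S9".
# Works on a copy so the caller's value survives; unknown names and "-NAME"
# exclusions are returned as errors instead of reaching the rwfilter command line.
sub build_sensors_arg {
    my ($requested, @valid) = @_;
    my %valid = map { $_ => 1 } @valid;
    (my $list = $requested) =~ s/\s+//g;
    my (@accepted, @errors);
    for my $name (grep { length } split /,/, $list) {
        if ($name =~ /^-/) {
            push @errors, "exclusion of sensors is not supported: $name";
        } elsif ($valid{$name}) {
            push @accepted, $name;
        } else {
            push @errors, "unknown sensor: $name";
        }
    }
    my $arg = @accepted ? ' --sensors=' . join(',', @accepted) : '';
    return ($arg, \@errors);
}

# Demo with a constructed sensor.conf (two probes, two sensors), written to a
# temporary file so the example runs stand-alone.
unless (caller) {
    my ($fh, $conf) = tempfile(UNLINK => 1);
    print $fh <<'CONF';
# constructed sample, not a real site configuration
probe S0 netflow-v5
    listen-on-port 9996
    protocol udp
end probe
probe S1 ipfix
    listen-on-port 4739
    protocol tcp
end probe

sensor S0
    netflow-v5-probes S0
    internal-ipblocks 10.0.0.0/8
    external-ipblocks remainder
end sensor
sensor S1
    ipfix-probes S1
    internal-ipblocks 192.168.0.0/16
    external-ipblocks remainder
end sensor
CONF
    close($fh);

    my @valid   = read_sensor_names($conf);
    my $request = "S0, S1,S9,-S1";
    my ($arg, $errors) = build_sensors_arg($request, @valid);
    print "sensors in conf: @valid\n";
    print "rwfilter arg:    '$arg'\n";
    print "rejected:        $_\n" for @$errors;
    print "request intact:  '$request'\n";
}
```

The returned `$arg` is the only thing that should ever reach the rwfilter command line; the error list is what the CGI should show the user. Because the accepted names are drawn from the parsed sensor.conf rather than from the request, nothing a user types can end up in the `--sensors=` value unless it matches a declared sensor name.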