Could you generate an e-mail with the origin and destination IPs that generated the ICMP traffic?

Any feedback will be appreciated.

Francisco Lopez | Engineering
http://www.transtelco.net/
MX: +52 (656) 257 - 1106 | US: +1 (915) 217 - 2235

From: Landon Stewart [mailto:[email protected]]
Sent: Thursday, May 26, 2011 1:48 PM
To: nfsen-discuss
Subject: [Nfsen-discuss] Not all variables are being passed to alert_action as I expect them to when using a module as an alert_module.

Hi Guys,

I took a combination of the demoplugin.pm and my own periodic plugin that I use for something else to attempt to pull some data out of nfdump on an alert. I have several alerts and I'd like them all to use the same alert plugin, so the variables are important. I'd like them to use the profile used for the alert etc. so they are dynamic. For example, I have an ICMP profile and an alert on that file to trigger if the ICMP traffic exceeds a certain % more than the 30 minute average. I also have a botnet profile, TCP profile and Botnet C&C profile.
My "alert_action" looks like this:

    sub alert_action {
        my $argref = shift;
        my $profile = $$argref{'profile'};
        my $profilegroup = $$argref{'profilegroup'};
        my $timeslot = $$argref{'timeslot'};

        syslog('debug', "alertdump run: Profilegroup: $profilegroup, Profile: $profile, Time: $timeslot");

        my %profileinfo = NfProfile::ReadProfile($profile, $profilegroup);
        my $profilepath = NfProfile::ProfilePath($profile, $profilegroup);
        my $all_sources = join ':', keys %{$profileinfo{'channel'}};
        my $netflow_sources = "$PROFILEDIR/$profilepath/$all_sources";

        syslog('debug', "alertdump args: '$netflow_sources'");

        #
        # process all sources of this profile at once
        my $nfdcmd = "$nfdump -M $netflow_sources -T -r nfcapd.$timeslot -n 10 -s ip/bytes '$nf_filter'";
        syslog('err', "alertdump run: ".$nfdcmd);
        my @output = `$nfdcmd`;

        #
        # Process the output and notify the duty team
        my ($matched) = $output[-4] =~ /Summary: total flows: (\d+)/;
        if ( defined $matched ) {
            syslog('debug', "alertdump run: $matched aggregated flows");
        } else {
            syslog('err', "alertdump: Unparsable output line '$output[-4]'");
        }
        return 1;
    }

What ends up getting logged by the syslog('err', "alertdump run: ".$nfdcmd); line is:

    May 26 19:36:32 sonar nfsen[23543]: alertdump run: /usr/local/bin/nfdump -M /opt/nfsen/profiles-data// -T -r nfcapd.201105261930 -n 10 -s ip/bytes ''
    May 26 19:36:32 sonar nfsen[23543]: alertdump: Unparsable output line ''

If I run this manually I get:

    # /usr/local/bin/nfdump -M /opt/nfsen/profiles-data// -T -r nfcapd.201105261930 -n 10 -s ip/bytes ''
    stat() error '/opt/nfsen/profiles-data///nfcapd.201105261930': File not found!

It seems the stuff that builds "$netflow_sources" isn't being passed to alert_action as it would be had this been a run {} subroutine. Am I going about this wrong? Should I be generating output with the run {} routine every 5 minutes and then report on it with alert_action {} maybe? Any ideas or brainstorms on this are welcome.
On or off list is fine with me, although other people may benefit from on-list responses of course.

--
Landon Stewart <[email protected]>
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
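A hardened variant of the alert_action posted above, added here as an illustration and not code from NfSen or from the thread's authors. It keeps the same NfSen names the post uses (NfProfile::ReadProfile, NfProfile::ProfilePath, $PROFILEDIR, $nfdump, $nf_filter are assumed to be provided by the plugin environment) but fails closed with a clear syslog message when profile or timeslot are missing, validates the timeslot before it is spliced into a filename, runs nfdump with a list-form open so neither the filter nor the paths pass through /bin/sh, and finds the summary line by content instead of trusting $output[-4].

```perl
use strict;
use warnings;
use Sys::Syslog qw(syslog);

# Globals named as in the original post; assumed to be set by NfSen/the plugin.
our ($PROFILEDIR, $nfdump, $nf_filter);
sub alert_action {
    my $argref = shift;
    my ($profile, $group, $timeslot) = @$argref{qw(profile profilegroup timeslot)};
    # 1. Fail closed if an argument is missing, rather than building a
    #    "profiles-data//" path and handing nfdump an empty filter.
    for my $k (qw(profile profilegroup timeslot)) {
        next if defined $$argref{$k} && length $$argref{$k};
        syslog('err', "alertdump: alert_action called without '$k'");
        return 0;
    }
    # 2. The timeslot is spliced into a filename: accept only yyyymmddHHMM.
    unless ($timeslot =~ /^\d{12}$/) {
        syslog('err', "alertdump: rejecting timeslot '$timeslot'");
        return 0;
    }

    my %profileinfo = NfProfile::ReadProfile($profile, $group);
    my $path        = NfProfile::ProfilePath($profile, $group);
    my @channels    = keys %{ $profileinfo{'channel'} || {} };
    unless (@channels && -d "$PROFILEDIR/$path") {
        syslog('err', "alertdump: no channels or no data dir for $group/$profile");
        return 0;
    }
    my $sources = "$PROFILEDIR/$path/" . join(':', @channels);   # nfdump -M syntax

    # 3. List-form open: no /bin/sh, so the filter and paths are plain argv
    #    entries and cannot be reinterpreted as shell syntax.
    my @cmd = ($nfdump, '-M', $sources, '-T', '-r', "nfcapd.$timeslot",
               '-n', 10, '-s', 'ip/bytes', (defined $nf_filter ? $nf_filter : 'any'));
    syslog('debug', "alertdump run: @cmd");
    open(my $fh, '-|', @cmd) or do { syslog('err', "alertdump: exec failed: $!"); return 0 };
    my @output = <$fh>;
    close $fh or syslog('err', "alertdump: nfdump exited with status " . ($? >> 8));

    # 4. Find the summary line by content instead of assuming it is $output[-4].
    my ($flows) = map { /Summary: total flows:\s*(\d+)/ ? $1 : () } @output;
    unless (defined $flows) {
        syslog('err', "alertdump: no 'Summary: total flows' line in nfdump output");
        return 0;
    }
    syslog('info', "alertdump: $flows aggregated flows for $group/$profile at $timeslot");
    return 1;
}
```

If alert_action is invoked without a 'profile' entry in $argref, the first check logs exactly which key was absent, which turns the silent "File not found!" in the post into a direct diagnosis.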
_______________________________________________ Nfsen-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
