security/hatchet broken???


Sevan / Venture37-2
Hi Guys
I've been trying to get hatchet up & running with little success, so far
I have tested it on -CURRENT, 4.4 & 4.3 (backported) on i386, amd64 &
sparc64.

The testing process has gone as follows: fresh install of OpenBSD,
config pf, build & install hatchet via ports, follow the instructions
bundled with hatchet (/var/www/hatchet/doc/README.OpenBSD) to enable
mod_perl, configure apache, create db & setup crontab entries.
Visiting the site after the cron jobs have had a chance to run produces
the following:
http://img241.imageshack.us/img241/6885/picture6so0.png
No data is shown, however the graphs for all hosts & ports all are
generated.
The cronjobs seem to be working ok as I'm constantly reminded about
Regex updates every 15 minutes & the pflog.db database is growing in
size yet no information is shown on the main hatchet page.

Any ideas?


pf.conf:
ext_if="em0"
tcp_services="{80, 22}"

set skip on lo

scrub in

block in log all
pass out log
antispoof quick for lo

pass in log on $ext_if proto icmp to ($ext_if)
pass in log on $ext_if inet proto tcp to ($ext_if) port $tcp_services


pkg_info output from 4.4:
autoconf-2.13p1     automatically configure source code on many Un*x
platforms
autoconf-2.61p3     automatically configure source code on many Un*x
platforms
gd-2.0.35           library for dynamic creation of images
gperf-3.0.1         perfect hash functions, to help write parsers
hatchet-0.9.1       PF firewall log analysis
help2man-1.29p0     GNU help2man
jpeg-6bp3           IJG's JPEG compression utilities
libiconv-1.12       character set conversion library
libltdl-1.5.26      GNU libtool system independent dlopen wrapper
libtool-1.5.26p0    generic shared library support script
metaauto-0.9        wrapper for gnu auto*
mod_perl-1.30p2     module that embeds a Perl interpreter into Apache
p5-DBD-Chart-0.82   DBI driver abstraction for rendering charts and graphs
p5-DBD-SQLite-1.14v0 SQLite drivers for the Perl DBI
p5-DBI-1.604        unified perl interface for database access
p5-GD-2.30p2        module to interface with the GD graphics library
p5-GD-TextUtil-0.86p0 text utilities for use with GD drawing package
p5-HTML-Template-2.9 use HTML Templates from CGI scripts
p5-Net-Daemon-0.43  extension for portable daemons
p5-PlRPC-0.2018p0   module for writing rpc servers and clients
png-1.2.28          library for manipulating PNG images
sqlite3-3.5.9p0     embedded SQL implementation
tcl-8.4.7p6         Tool Command Language


Sevan / Venture37



Re: security/hatchet broken???

giovanni-19
maybe this is the fix...

--- hatchet.orig        Fri Nov  7 08:23:37 2008
+++ hatchet     Fri Nov 28 12:57:35 2008
@@ -214,7 +214,7 @@
 sub insert_table {
        my ($date, $points, $rulenum, $action, $interface, $src_host,
$src_port, $dst_host, $dst_port, $proto) = @_;
        $date =~ /^(\w+) (\d+) (\d+)\:(\d+)\:(\d+)$/;
-       my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3,
$4, $5, [split(/ /,localtime)]->[5]);
+       my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3,
$4, $5, [localtime]->[5]);
        my %months = qw( Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug
7 Sep 8 Oct 9 Nov 10 Dec 11 );
        my $epoch = timelocal_nocheck($sec, $min, $hour, $mday,
$months{$month}, $year);
        unless ($existing->{"$epoch $points"}) {
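
Review bot: the replacement line still takes $year from the clock at import time ([localtime]->[5]), because the pattern matched against $date captures no year, so an entry logged on Dec 31 and processed after midnight on Jan 1 gets an $epoch almost a year in the future. Consider decrementing $year when the computed $epoch is later than time(). Separately, $1 through $5 are used without checking that the match on $date succeeded; returning early on a failed match would keep captures left over from an earlier match from being inserted.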

--
see ya,
giovanni


Re: security/hatchet broken???

fuzzyping
On Fri, Nov 28, 2008 at 04:23:44PM +0100, giovanni wrote:

> maybe this is the fix...
>
> --- hatchet.orig        Fri Nov  7 08:23:37 2008
> +++ hatchet     Fri Nov 28 12:57:35 2008
> @@ -214,7 +214,7 @@
>  sub insert_table {
>         my ($date, $points, $rulenum, $action, $interface, $src_host,
> $src_port, $dst_host, $dst_port, $proto) = @_;
>         $date =~ /^(\w+) (\d+) (\d+)\:(\d+)\:(\d+)$/;
> -       my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3,
> $4, $5, [split(/ /,localtime)]->[5]);
> +       my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3,
> $4, $5, [localtime]->[5]);
>         my %months = qw( Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug
> 7 Sep 8 Oct 9 Nov 10 Dec 11 );
>         my $epoch = timelocal_nocheck($sec, $min, $hour, $mday,
> $months{$month}, $year);
>         unless ($existing->{"$epoch $points"}) {

Yes, this was committed months ago but I apparently forgot to roll an
update to the port.  I'll update it this weekend.

http://code.google.com/p/hatchet/source/detail?r=26

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/


Re: security/hatchet broken???

Sevan / Venture37-2
giovanni wrote:

> maybe this is the fix...
>
> --- hatchet.orig        Fri Nov  7 08:23:37 2008
> +++ hatchet     Fri Nov 28 12:57:35 2008
> @@ -214,7 +214,7 @@
>  sub insert_table {
>         my ($date, $points, $rulenum, $action, $interface, $src_host,
> $src_port, $dst_host, $dst_port, $proto) = @_;
>         $date =~ /^(\w+) (\d+) (\d+)\:(\d+)\:(\d+)$/;
> -       my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3,
> $4, $5, [split(/ /,localtime)]->[5]);
> +       my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3,
> $4, $5, [localtime]->[5]);
>         my %months = qw( Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug
> 7 Sep 8 Oct 9 Nov 10 Dec 11 );
>         my $epoch = timelocal_nocheck($sec, $min, $hour, $mday,
> $months{$month}, $year);
>         unless ($existing->{"$epoch $points"}) {
>

Perfect, that did the trick nicely!!!!
Thank you very much! :)


Sevan / Venture37


Re: security/hatchet broken???

fuzzyping
On Fri, Nov 28, 2008 at 06:59:34PM +0000, Sevan / Venture37 wrote:

> giovanni wrote:
>> maybe this is the fix...
>>
>> --- hatchet.orig        Fri Nov  7 08:23:37 2008
>> +++ hatchet     Fri Nov 28 12:57:35 2008
>> @@ -214,7 +214,7 @@
>>  sub insert_table {
>>         my ($date, $points, $rulenum, $action, $interface, $src_host,
>> $src_port, $dst_host, $dst_port, $proto) = @_;
>>         $date =~ /^(\w+) (\d+) (\d+)\:(\d+)\:(\d+)$/;
>> -       my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3,
>> $4, $5, [split(/ /,localtime)]->[5]);
>> +       my ($month, $mday, $hour, $min, $sec, $year) = ($1, $2, $3,
>> $4, $5, [localtime]->[5]);
>>         my %months = qw( Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6 Aug
>> 7 Sep 8 Oct 9 Nov 10 Dec 11 );
>>         my $epoch = timelocal_nocheck($sec, $min, $hour, $mday,
>> $months{$month}, $year);
>>         unless ($existing->{"$epoch $points"}) {
>
> Perfect, that did the trick nicely!!!!
> Thank you very much! :)

I've released 0.9.2 which includes this fix, and updated the port as
well.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/