Perl for System Administration, Chapter 9: Log Files (excerpts)

Log Analysis

Some system administrators never get past the rotation phase in their relationship with their log files. As long as the necessary information exists on disk when it is needed for debugging, they never put any thought into using their log file information for any other purpose. I'd like to suggest that this is a shortsighted view, and that a little log file analysis can go a long way. We're going to look at a few approaches you can use for performing log file analysis in Perl, starting with the most simple and getting more complex as we go along.

Most of the examples in this section use Unix log files for demonstration purposes, since the average Unix system has more log files than sample systems from either of the other two operating systems put together, but the approaches offered here are not OS-specific.

Read-and-count

The easiest approach is the simple "read-and-count." We read through a stream of log data, looking for interesting data, and increment a counter when we find it. Here's a simple example, which counts the number of times a machine has rebooted based on the contents of a Solaris 2.6 wtmpx file:[4]

    $template = "A32 A4 A32 l s s2 x2 l2 l x20 s A257 x";
    # determine the size of a record
    $recordsize = length(pack($template,()));

    open(WTMP,"/var/adm/wtmpx") or die "Unable to open wtmpx:$!\n";
    while (read(WTMP,$record,$recordsize)) {
        (... ,$ut_e_exit,$tv_sec,$tv_usec,$ut_session,$ut_syslen,$ut_host) =
            unpack($template,$record);
        [...]
            print "rebooted ",scalar localtime($tv_sec),"\n";
            $reboots++;
        [...]
    }
    close(WTMP);

The next example counts file transfers recorded in a wu-ftpd transfer log (xferlog). The field names the log format defines include, among others:

    Field Name
    current-time
    transfer-time (in seconds)
    filesize
    filename
    transfer-type
    special-action-flag
    direction
    username

Two sample xferlog lines:

    Sun Dec 27 05:52:28 1998 25 kju.hc.congress.ccc.de 269273 /CPAN/doc/FAQs/FAQ/PerlFAQ.html a _ o a mozilla@ ftp 0 *
    Sun Dec 27 06:15:05 1998 1 rising-sun.media.mit.edu 35993 /CPAN/RECENT.html b _ o a ... edu ftp 0 *

    open(XFERLOG,$xferlog) or die "Unable to open $xferlog:$!\n";
    while (<XFERLOG>) {
        $files{(split)[8]}++;
    }
    close(XFERLOG);

    # now print out the totals
    for (sort {$files{$b} <=> $files{$a}||$a cmp $b} keys %files){
        [...]
    }

We read each line of the file, using the name of the file as a hash key and incrementing the value for that key. The name of the file is extracted from each log line using an array index that references a specific element of the list returned by the split() function:

    $files{(split)[8]}++;

You may notice that the specific element we reference (8) is different from the 8th field in the xferlog field listing above. This is an unfortunate result of the lack of field delimiters in the original file. We are splitting on whitespace (the default for split()), so the date field becomes five separate list items.

Note that the places of $a and $b have been switched from their alphabetical order in the first portion. This causes sort to return the items in descending order, thus showing us the more frequently transferred files first. The second portion of the anonymous sort function (||$a cmp $b) assures that we list files with the same number of transfers in a sorted order.

If we want to limit this script to counting only certain files or directories, we could let the user specify a regular expression as the first argument to this script. For example, adding:

    next unless /$ARGV[0]/o;

Regular Expressions

Regular expression crafting is often one of the most important parts of log parsing. Regexps are used like programmatic sieves to extract the interesting data from the non-interesting data in your logs. The regular expressions used in this chapter are very basic, but you'll probably be creating more sophisticated regexps for your own use. You may wish to use the subroutine or compiled regular expression techniques introduced in the previous chapter to use them even more efficiently.

Read-remember-process

The opposite extreme of our previous approach, where we passed by the data as fast as possible, is to read it into memory and deal with it after reading. Let's look at a few versions of this strategy.

The first is bigbuffy, a program that keeps the last N lines of its input in a circular buffer and dumps that buffer to a file when it receives a signal. Only fragments of the program survive on this page:

    use Fcntl;
    [...]
    "dumpfile=s" => \$dumpfile);
    [...]
    unless (length($dumpfile));

    $buffsize = 200;    # default circular buffer size (in lines)

    # if we receive a signal, dump the current buffer
    # see perlipc(1)
    [...]
    $dumpnow = 1;
    [...]

    # read line--store line loop
    [...]
        $buffer[$whatline] = $_;
    [...]
        if ($dumpnow) {
    [...]

    # dump the circular buffer out to a file, appending to file if
    [...]
    my($exists);        # flag, does the output file exist already?
    if (-e $dumpfile) {
        $exists = 1;
    [...]
        warn "Unable to lstat $dumpfile, [...]
    [...]
        warn "ALERT: dumpfile exists and is not a plain file, skipping dump.\n";
    [...]
    unless (open(DUMPFILE,">>$dumpfile")){
    [...]
    if ($exists) {
    [...]
        if ($firststat[0] != $secondstat[0] or    # check dev num
            $firststat[7] != $secondstat[7])      # check sizes
    [...]
            warn "SECURITY PROBLEM: lstats don't match, [...]
    [...]
    print DUMPFILE "-",scalar(localtime),("-"x50),"\n";
    [...]
    # in case buffer was not full
    $line = $whatline;
    [...]
    do {
        print DUMPFILE $buffer[$line];
        [...]
    } while ($line != $whatline);
    [...]
    return 1;    # Better to dump an extra line than lose a line of data if
    [...]

A program like this can stir up a few interesting implementation issues.

I mentioned earlier that this is a simplified version of bigbuffy. For ease of implementation, especially cross-platform, this version has an unsavory characteristic: while dumping data to disk, it can't continue reading input. During a buffer dump, the program sending output to bigbuffy may be told by the OS to pause operation pending the drain of its output buffer. Luckily, the dump is fast, so the window where this could happen is very small, but this is still less passive than we'd like.

One remedy would be rewriting bigbuffy to use a double-buffered, multitasking approach. Instead of using a single storage buffer, two would be employed. Upon receiving the signal, the program would begin to log to a second buffer while a child process or another thread handled the dumping of the first buffer. At the next signal, buffers are swapped again.

Both approaches are hard to pull off portably in a cross-platform environment, hence the simplified version shown in this book.

Windows NT/2000 Event Logs

NT programs and operating system components log their activities by posting "events" to one of several different event logs. These events are recorded by the OS with basic information like when the event was posted, which program or OS function is posting the event, what kind of event (informational or something more serious) is being posted, etc.

Our first step is to load the Win32::EventLog module that contains the glue between Perl and the Win32 event log routines. We then initialize a hash table that will be used to contain the results of our calls to the log-reading routines. Perl would normally take care of this for us, but sometimes it is good to add code like this for the benefit of others who will be reading the program. Finally, we set up a small list of event types that we will use later for printing statistics:

    use Win32::EventLog;

    my %event=('Length',NULL,
               [...]
               'EventType',NULL,
               [...]
               'Source',NULL,
               'ClosingRecordNumber',NULL,
               [...]
               'Data',NULL,);

    # partial list of event types, i.e., Type 1 is "Error",
    [...]
    or die "Could not open System log:$^E\n";

Once we have this handle, we can use it to retrieve the number of events in the log and the number of the oldest record:

    [...]

We use this information as part of our first Read() statement, which positions us to the place in the log right before the first record. This is the equivalent of seek()ing to the beginning of a file:

    $EventLog->Read((EVENTLOG_SEQUENTIAL_READ |
                     EVENTLOG_FORWARDS_READ),
                    [...]

And then from here on in, it is a simple loop to read each log entry in turn. The EVENTLOG_SEQUENTIAL_READ flag says "continue reading from the position of the last record read." The EVENTLOG_FORWARDS_READ flag moves us forward in chronological order.[5] The third argument to Read() is the record offset, in this case 0, because we want to pick up right where we left off. As we read each record, we record its Source and EventType in a hash table of counters.

    for ($i=0;$i<$numevents;$i++) {
        [...]
    }

    print "-" x 65,"\n";
    [...]
        print "$_: $source{$_}\n";
    [...]
        print "$types[$_]: $types{$_}\n";
    [...]
        print uc($type),"s by source:\n";
    [...]
            print "$_ ($$type{$_})\n";

Excerpts of the resulting output:

    Total number of events: 2220
    --> Event Log Type Totals:
    Error: 493
    [...]
    BROWSER: 228
    Srv: 201
    mssermou: 151
    Rdr: 12
    Sparrow: 5
    qic117: 2
    [...]
    ERRORs by source:
    Srv (82)
    Print (8)
    EventLog (5)
    i8042prt (4)
    atapi (2)
    Cdrom (2)
    Sparrow (2)
    Disk (1)
    [...]

The same statistics can be gathered from the output of an external dumping program such as ElDump:

    $eldump = 'c:\bin\eldump';    # path to ElDump
    $dumpflags = '-l system -c ~ -M';

    open(ELDUMP,"$eldump $dumpflags|") or die "Unable to run $eldump:$!\n";

Correlating FTP sessions with transfers

Here's a snippet of sample output from the code we're about to assemble. It shows four FTP sessions in March. The first session shows one file being transferred to the machine. The next two show files being transferred from that machine, and the last shows a connection without any transfers:

    ftpd1833:dnb:ganges.ccs.neu.e:Fri Mar 27 14:04:47 1998
        -> /home/dnb/makemod
    [...]
        <- /home/dnb/lib/emacs19/filladapt.el
    [...]
    ftpd1833:(logout):(logout):Fri Mar 27 14:06:43 1998
    [...]

    use Time::Local;    # for date->Unix time (secs from Epoch) conversion

    $wtmp = "/var/adm/wtmp";            # location of wtmp
    $xferlog = "/var/log/xferlog";      # location of transfer log
    $hostlen = 16;                      # max length of the hostname in wtmp
    $recordsize = length(pack($template,()));   # size of each wtmp entry

    # month name to number mapping
    %month = qw{Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5 Jul 6
                Aug 7 Sep 8 Oct 9 Nov 10 Dec 11};

    # scans the wtmp file and populates the @sessions structure
    sub ScanWtmp {
        open(WTMP,$wtmp) or die "Unable to open $wtmp:$!\n";
        [...]
            # don't even bother to unpack if record does not begin
            # with ftp. NOTE: this creates a wtmp format dependency
            # as a trade-off for speed
        [...]
            # characters like some wtmp logs. As a result, we need to truncate
        [...]
            $connectfrom = substr($connectfrom,0,$hostlen);
        [...]
            if ($name and substr($name,0,1) ne "\0"){
        [...]
            # it with a previous open connection record we recorded
            # as a stack below.
        [...]
            # list is (hostname, login, logout)
            push(@sessions,[@{shift @{$connections{$tty}}},$time]);

            # if no more connections on the stack for that
            [...]
            delete $connections{$tty} unless (@{$connections{$tty}});
        [...]
        close(WTMP);
    }

Let's look at what's going on in this code. We read through wtmp one record at a time. If that record begins with ftp, we know that this is an FTP session. As the comment says, the line of code that makes that decision has an implicit assumption about the format of a wtmp record. If tty was not the first field in the record, this test would not work. However, being able to test whether a line is of interest without having to unpack() is worth it.

Why use such a complicated data structure to keep track of the open connections? Unfortunately, there isn't a simple "open-close open-close open-close" pairing of lines in wtmp. For instance, take a look at these lines from wtmp (as printed by our first wtmp program earlier in this chapter):

    [...]

Notice the two open FTP connection records on the same tty (lines 1 and 3). If we just stored a single connection per tty in a plain hash, we'd lose the first connection record when we found the second one.

Now that we have all of the parts (initiating host, connection start, and end) of an FTP session in a single list, we can push a reference to that list on to the @sessions lists of lists for future use:

    push(@sessions,[@{shift @{$connections{$tty}}},$time]);

We have a list of sessions thanks to this one, very busy line of code.

To finish the job in our &ScanWtmp subroutine we check if the stack is empty for a tty, i.e., there are no more open connection requests pending. If this is the case we can delete that tty's entry from the hash, since we know the connection has ended:

    delete $connections{$tty} unless (@{$connections{$tty}});

    # scans a wu-ftpd transfer log and populates the %transfers
    # data structure
    sub ScanXferlog {
        local($sec,$min,$hours,$mday,$mon,$year);
        my($time,$rhost,$fname,$direction);

        print STDERR "Scanning $xferlog...";
        open(XFERLOG,$xferlog) or die "Unable to open $xferlog:$!\n";
        while (<XFERLOG>) {
            [...] = (split)[1,2,3,4,6,8,11];
            [...]
            # convert the transfer time to Unix epoch format
            [...] timelocal($sec,$min,$hours,$mday,$month{$mon},$year);
            [...]
            $fname = ($direction eq 'i' ? "-> " : "<- ") . $fname;
            [...]
        }
        close(XFERLOG);
        print STDERR "done.\n";
    }

For each host, we store a list of transfer pairs, each pair recording when a file was transferred and the name of that file. We're choosing to store the time in "seconds since the epoch" for ease of comparison later.[6] The subroutine timelocal() from the module Time::Local helps us convert to that standard. Because we're scanning a file transfer log written in chronological order, these lists of pairs are built in chronological order as well, a property that will come in handy later.

Here's the hard part, deciding whether a particular login session had any transfers:

    # find any files transferred in this session
    [...]
        my($transfer,@found);

        # easy case, no transfers in this login
        [...]
            return "\t(no transfers in xferlog)\n";

        # easy case, first transfer we have on record is
        # after this login
        if ($transfers{$rhost}->[0]->[0] > $logout){
        [...]
            # if transfer happened before login
            [...]
            # if transfer happened after logout
            [...]
            next unless (defined $$transfer[1]);
            [...]
            push(@found,"\t",$$transfer[1],"\n");
            undef $$transfer[1];
        [...]
        ($#found > -1 ? @found : "\t(no transfers in xferlog)\n")
    [...]
        scalar localtime($$session[2]) .
        " $$session[0]\n";

If we can't eliminate the easy cases, we need to look through our lists of transfers. We check if each transfer made from the host in question occurred after the session started, but before the session ended. We skip to the next transfer if either of these conditions isn't true. We also avoid testing the other transfers for the host as soon as we've found a transfer that takes place after the session has ended. Remember we mentioned that all of the transfers are added to the data structure in chronological order? Here's where it pays off.

The last test we make before considering a transfer entry to be valid may look a little peculiar:

    next unless (defined $$transfer[1]);

If two anonymous FTP sessions from the same host overlap in time, we have no way of knowing which session is responsible for initiating a transfer of that file. There is simply no information from either of our logs that can help us make that determination. The best we can do in this case is make up a standard and keep to it. The standard here is "attribute the transfer to the first session possible." This test line above, and the subsequent undefing of the filename value as a flag, enforces that standard.

Black Boxes

In the Perl world, if you are trying to write something generally useful, another person may have beat you to it and published their code for the task. This gives you an opportunity to simply feed your data into their module in a prescribed way and receive results without having to know how the task was performed. This is often known as a "black box approach."

The new method of SyslogScan::DeliveryIterator returns an iterator, essentially a pointer into the file that shuttles forward message delivery by message delivery. By using an iterator, we are spared from the actual work of scanning ahead in the file looking for all of the lines related to a particular message. If we call the next() method of that iterator, it will hand us back a delivery object. This object encapsulates the information about that delivery previously spread over several lines in the log. For example, this code:

    use SyslogScan::DeliveryIterator;

    # get an iterator for this file
    $iterator = new SyslogScan::DeliveryIterator(syslogList => $maillogs);
    [...]
    # print the contents of this object
    print $delivery->{Sender}," -> ",
    [...]

prints out information like:

    [...]

    use SyslogScan::Usage;
    use SyslogScan::ByGroup;
    [...]
    # stats-by-group object
    [...]
    foreach $group (sort keys %$bygroup){
        ($bmesg,$bbytes)=@{$bygroup->{$group}->
                            {groupUsage}->getBroadcastVolume()};
        ($smesg,$sbytes)=@{$bygroup->{$group}->
                            [...]};
        ($rmesg,$rbytes)=@{$bygroup->{$group}->
                            {groupUsage}->getReceiveVolume()};
        [...]
    }

    format STDOUT =
    @<<<<<<<< @<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<< [...]
    $group,$bmesg,$bbytes,$smesg,$sbytes,$rmesg,$rbytes
    .

The result is a report detailing the number and bytes of broadcast, sent, and received messages. Here's an excerpt from some sample output:

    Name                        Bmesg   BBytes   Smesg   SBytes   Rmesg   Rbytes
    --------------------------- -----   -------- ------  -------- ------  -------
    getreminded.com             1       3420     1       3420     0       0
    gis.net                     3       10830    3       10830    1       787
    globe.com                   0       0        0       0        1       2040

Breach-finder: read-remember-process over wtmp and syslog

First the program scans through a wtmp file looking for all logins from the compromised user. As it finds them, it compiles a hash of all of the hosts from which these logins took place. It then rolls back to the beginning of the file and scans for connections from that host list, printing matches as it finds them. It would be easy to modify this program to scan all of the files in a directory of rotated wtmp log files.

    # accept the username and hosts to ignore as command-line arguments
    ($user,$ignore) = @ARGV;
    [...]
        next if (length($host) < 4);
        next if (defined $ignore and $host =~ /$ignore/o);
        $contacts{$host}=$time;
    [...]
    print "No logins from that user.\n";
    [...]
    # rewind and scan again
    seek(WTMP,0,0) or die "Unable to seek to beginning of wtmp:$!\n";
    [...]
    print "-- other connects from source machines --\n";
    [...]
        exists $contacts{$host} and
        # and this is a connection from a user *other* than the
        [...]
    print "-"x30,"\n";

Sample output:

    user2 host.ccs.neu Thu Oct 9 17:06:49
    user2 host.ccs.neu Thu Oct 9 17:44:31
    user2 host.ccs.neu Fri Oct 10 22:00:41
    user2 host.ccs.neu Wed Oct 15 07:32:50
    user2 host.ccs.neu Wed Oct 22 16:24:12
    [...]
    user host.ccs.neu Fri Apr 3 13:41:47

Let's take a look at another example of the read-remember-process approach using our "breach-finder" program from the previous section. Our earlier code only showed us successful logins from the intruder sites. We have no way of knowing about unsuccessful attempts. For that information, we're going to have to bring in another log file, the syslog entries written by tcp_wrappers:

    Jan 12 13:16:29 host2 in.rshd[866]: connect from user4@host.ccs.neu.edu
    Jan 16 19:48:19 host5 in.ftpd[5131]: connect from user7@host.ccs.neu.edu

    next if !/connect from /;    # we only care about connections
    ($connecto,$connectfrom) = /(.+):\s+connect from\s+(.+)/;

    # find the executable for the last program
    (-x "/bin/last" and $lastex = "/bin/last") or
    (-x "/usr/ucb/last" and $lastex = "/usr/ucb/last");

Using Databases

Our first step is to drop all of the wtmp data for our machines into a database of some sort. For the purpose of this example, assume that all of the machines in question have direct access to some shared directory via some network file system like NFS. Before we proceed, we need to choose a database format.

My "Perl database format" of choice is the Berkeley DB format. I use quotes around "Perl database format" because, while the support for DB is shipped with the Perl sources, the actual DB libraries must be procured from another source (http://www.sleepycat.com) and installed before the Perl support can be built. Table 9-4 provides a comparison between the different supported database formats.

Table 9-4: Comparison of the Supported Perl Database Formats (only the column headings NT/2000 Support, Mac Support, Byte-Order Independent and the key/value size limit, the rows "new" dbm and Gdbm, and scattered Yes/No and 1K cell values survive on this page; the table cannot be reconstructed from it)

An excellent time to populate a database like this is just after a log rotation of a wtmp file has taken place.

We'll start off by populating the database. For the sake of simplicity and portability, we're calling the last program to avoid having to unpack() several different wtmp files ourselves. Here's the code, with an explanation to follow:

    use DB_File;
    use FreezeThaw qw(freeze thaw);
    use Fcntl;            # for the definition of O_CREAT and O_RDWR
    use Sys::Hostname;    # to get the current hostname

    $userdb = "userdata";         # user database file
    $connectdb = "connectdata";   # connection database file
    [...]
    # the hostname at the same place as the wtmp file if we want to
    [...]
    # tie to a database file, creating it (for Read & Write); if
    [...]
        or die "Unable to open $userdb database for r/w:$!\n";
    [...]
        or die "Unable to open $connectdb database for r/w:$!\n";
    [...]
    while (<LASTOUT>) {
        # Filters out the lines that are not useful
        next if /^reboot\s/ or /^shutdown\s/ or
                /^ftp\s/ or /^wtmp\s/;
        [...]
        # save each record in a hash of list of lists
        [...]
    }
    [...]
    $connectdb{$connect}=freeze($connectinfo);
    [...]
    untie %userdb;
    untie %connectdb;

The push() line of Perl in the previous code probably deserves a little explanation. This line creates a hash of lists of lists that looks something like this:

    $userdb{username} =
        [[current host, connecting host, connect time],
         [...]]

Ilya Zakharevich's FreezeThaw module is used to store our complex data structure in a single scalar that can be used as a hash value. FreezeThaw can take an arbitrary Perl data structure and encode it as a string. There are other modules like this, Data::Dumper by Gurusamy Sarathy (shipped with Perl) and Storable by Raphael Manfredi being the most prevalent. FreezeThaw offers the most compact representation of a complex data structure, hence its use here. Each of these modules has its strong points, so be sure to investigate all three if you have a task like ours.

    tie %userdb, "DB_File",$userdb,O_RDONLY,666,$DB_BTREE
        or die "Unable to open $userdb database [...]
    [...]

We've loaded the modules we need, taken our input, set a few variables, and tied them to our database files. Now it's time to do some work:

    print "-- scanning for first host contacts from $user --\n";
    unless (exists $userdb{$user}){
        [...]
    }
    [...]
    foreach $contact (@{$userinfo}){
        next if (defined $ignore and $host =~ /$ignore/o);
        print $contact->[1] , " -> " , $contact->[0] ,
        [...]
    }

This code says: if we've seen this user at all, we reconstitute that user's contact records in memory using thaw(). For each contact, we test to see if we've been asked to ignore the host it came from. If not, we print a line for that contact and record the originating host in the %otherhosts hash.

Finding this information will be easy because when we recorded which users logged in to which machines, we also recorded the inverse (i.e., which machines were logged into by which users) in another database file. We now look at all of the records from the hosts we identified in the previous step. If we are not told to ignore a host, and we have connection records for it, we capture a unique list of users who have logged into that host using the %userseen hash:

    print "-- scanning for other contacts from those hosts --\n";
    foreach $host (keys %otherhosts){
        [...]
        ($connectinfo) = thaw($connectdb{$host});
        [...]
            next if (defined $ignore and $connect->[0] =~ /$ignore/o);
            $userseen{$connect->[1]}='';
        [...]
    }

The final act of this three-step drama has a nice circular flair. We return to our original user database to find all of the connections made by suspect users from suspect machines:

    foreach $user (keys %users){
        [...]
    }

Sample output line:

    root@host.ccs.neu.edu -> user1@cse.scu.edu


Launchpad: Bug #414399 "wifi-radar crashed with SyntaxError in read()"

Reported by Ulsak on 2009-08-16. This bug affects 321 people. Affects: wifi-radar (Ubuntu). Assignee changed: Sean Robinson (seankrobinson) → nobody. Declined for Dapper by C de-Avillez. Related activity: Apport retracing service on 2009-08-19.

Bug Description

    Binary package hint: wifi-radar

    [...]
    DistroRelease: Ubuntu 9.10
    Description: Ubuntu karmic (development branch)
    Tags: apport-crash i386

    Traceback fragments:
      File "/usr/lib/python2.6/logging/handlers.py", line 59, in __init__
        BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
      [...]
        logging.FileHandler.__init__(self, filename, mode, encoding, delay)
      [...]
        StreamHandler.__init__(self, self._open())
      [...]
        stream = open(self.baseFilename, self.mode)

    did not find /etc/wifi-radar/wifi-radar.conf

    What was expected: expected nothing but quietness (I haven't used it actively yet).

WORKAROUND: This issue seems to be caused by changes from the WR configuration from 1.9.x to 2.x. To bypass:
1. [...]
2. save current /etc/wifi-radar.conf: sudo mv /etc/wifi-radar.conf /etc/wifi-radar.conf.saved
3. restart wifi-radar (either via the menu, or via 'sudo wifi-radar')

Alternative wording of the same workaround given in the thread: delete the file /etc/wifi-radar.conf (sudo rm /etc/wifi-radar.conf), or move the old config file to a new location, and restart WiFi Radar / the wifi-radar daemon.

A 2.0.s05 configuration file, as generated after the old file is removed, contains:

    [DEFAULT]
    version = 2.0.s05
    interface = auto_detect
    iwconfig_command = /sbin/iwconfig
    ifconfig_command = /sbin/ifconfig
    route_command = /sbin/route
    kill_command = [...]
    speak_command = /usr/bin/say
    speak_up = False
    loglevel = 50
    commit_required = False
    ifup_required = False
    auto_profile_order = []

    [DHCP]
    command = /sbin/dhcpcd
    args = -D -o -i dhcp_client -t %(timeout)s

    [WPA]
    command = /usr/sbin/wpa_supplicant
    args = -B -i %(interface)s -c %(configuration)s -D %(driver)s -P %(pidfile)s
    configuration = /etc/wpa_supplicant.conf

Comments

WR 1.9.9 config files are not read correctly by WR 2.0.s05.

OTHman wrote on 2009-10-18: #4
    [...]

Ron Widell wrote on 2009-10-30: #6
    [...]

sztanyoo wrote on 2009-10-30: Re: [Bug 414399] Re: wifi-radar crashed with SyntaxError in read() #8
    [...]

Darkelvenangel wrote on 2009-10-30: #9
    [...]

Stephan von Krawczynski wrote on 2009-10-31: #10
    [...]

Sean Robinson wrote:
    As I am unable to access the original bug to comment there, I will respond to this duplicate. I believe all of these reports are caused by a WR v1.9.9 configuration file being read. The configuration file format changed from v1.9.9 to v2.0.x and it is not backward compatible. As this error message indicates no configured profiles in the config file, delete /etc/wifi-radar/wifi-radar.conf and run WR again.

AlexanderFinch wrote on 2009-11-01: #14
    mv: cannot move `/etc/wifi-radar.conf' to `/etc/wifi-radar.conf.bak': Permission denied
    alexander@alexander:~$ sudo mv /etc/wifi-radar.conf /etc/wifi-radar.conf.bak
    alexander@alexander:~$ wifi-radar
    Launching Wifi-Radar
    [...]
    alexander@alexander:~$ sudo mv /etc/wifi-radar.conf.bak /etc/wifi-radar.conf

Kudak Victor wrote on 2009-11-02: #19
    [...]

Rune Lillehammer wrote on 2009-11-03: RE: [Bug 414399] Re: wifi-radar crashed with SyntaxError in read() #23
    > The "auto_profile_order = " should be "auto_profile_order = []"; if the file is deleted the newly created conf file is correct.
    [...]
    Windows Live Mail. Multiple accounts in one place. http://download.live.com/wlmail

Shawn Stewart wrote on 2009-11-04: #25
    [...]

Alan Murray wrote on 2009-11-04: #26
    On Tue, Nov 3, 2009 at 5:54 PM, Sean Robinson wrote:
    > [...]
    [...]

Further comments in the thread (author lines not preserved on this page):

    On Tue, Nov 3, 2009 at 8:11 AM, Tiago Ramos wrote:
    > [...]
    Are you utilizing WiFi Radar? I believe you are really using Network Manager for your wireless connections. So, you could probably uninstall WiFi Radar.

    Beats me, no wifi on here.

    [...] anything yet, as I'm plugged directly into a wired modem. That's okay at [...]

    Not only does the config file not exist on my system, neither does the parent directory (/etc/wifi-radar). Do I need to create this directory?

    I've made 'sudo chmod 666 /etc/wifi-radar.conf' and it did NOT work.

    To AlexanderFinch: [...]

    @Sampo Niskanen [...]

    Thank you. Removing the .conf file and restarting worked.

    That worked for me. Thanks.

    Worked for me too. Thanks, and everyone!!

    Worked for me.

    Me, too. Deleting /etc/wifi-radar.conf works.

    That worked, thanks.

    Seems to be working.

    But I don't know how to fix it.

    I've been using 9.10 for half a year without any problems. Today I upgraded to 10.4 beta2, and when I rebooted the laptop after the install and signed in, this occurred. I had my PCMCIA wifi-card inserted, it found and connected to my home WLAN, and then I got the info about a crash in the application. I tried to submit the automated bug report, but it seems that Launchpad didn't include it when I selected that this is the same bug (the automatic title was exactly the same).

Tom Pino wrote on 2010-01-08: #31
    [...]

Sean Robinson wrote on 2010-04-12: #33
    [...]

C de-Avillez wrote on 2010-05-03: #34
    I'm converting this bug report to be the public parent for the "SyntaxError in read()" error.

Sean Robinson wrote on 2010-05-12: #37
    [...]


istream(C++) reference (excerpts)

Synopsis

    class ios {
    public:
        /* flags for controlling format */
        enum { skipws=01, left=02, right=04, internal=010,
               dec=020, oct=040, hex=0100,
               showbase=0200, showpoint=0400,
               uppercase=01000, showpos=02000,
               scientific=04000, fixed=010000,
               unitbuf=020000, stdio=040000 };
        enum open_mode { in, out, ate, app, trunc, nocreate, noreplace };
        [...]
    };

    istream& operator>>(char*);
    istream& operator>>(unsigned char*);
    istream& operator>>(unsigned char&);
    istream& operator>>(int&);
    istream& operator>>(unsigned short&);
    istream& operator>>(unsigned long&);
    istream& operator>>(float&);
    istream& operator>>(double&);
    istream& operator>>(istream& (*)(istream&));
    int gcount();
    int get();
    istream& get(char&);
    istream& get(char* ptr, int len, char delim='\n');
    istream& get(unsigned char* ptr, int len, char delim='\n');
    istream& ignore(int len=1,int delim=EOF);
    istream& seekg(streamoff, seek_dir);
    istream& operator=(istream&);

Description

istreams support interpretation of characters fetched from an associated streambuf. These are commonly referred to as input or extraction operations. The istream member functions and related functions are described below.

In the following descriptions assume that ins is an istream, inswa is an istream_withassign, sb is a streambuf&, c is a char&, delim is a char, i, n, len, d, and need are ints, and pos is a streampos.

Constructors and assignment

    istream(sb)     [description not on this page]
    inswa=sb
    inswa=ins
    istream_withassign()   Does no initialization.

Formatted input functions (extractors)

Formatted input functions call ipfx(0), while unformatted input functions call ipfx(1); see below.

    ins>>x
        Calls ipfx(0) and if that returns non-zero, extracts characters from ins and converts them according to the type of x. It stores the converted value in x. Errors are indicated by setting the error state of ins. ios::failbit means that characters in ins were not a representation of the required type. ios::badbit indicates that attempts to extract characters failed. ins is always returned.

    x is integral (short, int, long, or unsigned variants)
        Characters are extracted and converted to an integral value according to the conversion specified in ins's format flags. Converted characters are stored in x. The first character may be a sign (+ or -). After that, if ios::oct, ios::dec, or ios::hex is set in ins.flags(), the conversion is octal, decimal, or hexadecimal, respectively. Conversion is terminated by the first "non-digit," which is left in ins. Octal digits are the characters "0" to "7". Decimal digits are the octal digits plus "8" and "9". Hexadecimal digits are the decimal digits plus the letters "a" through "f" (in either upper or lower case). If none of the conversion base format flags is set, then the number is interpreted according to C++ lexical conventions. That is, if the first characters (after the optional sign) are "0x" or "0X" a hexadecimal conversion is performed on following hexadecimal digits. Otherwise, if the first character is a "0", an octal conversion is performed, and in all other cases a decimal conversion is performed. ios::failbit is set if there are no digits (not counting the "0" in "0x" or "0X" during hex conversion) available.

    ins>>sb
        If ios.ipfx(0) returns non-zero, extracts characters from ios and inserts them into sb. Extraction stops when EOF is reached. Always returns ins.

    ins>>dec    Sets the conversion base format flag to 10. See ios(C++).
    ins>>oct    Sets the conversion base format flag to 8. See ios(C++).
    ins>>hex    Sets the conversion base format flag to 16. See ios(C++).
    ins>>ws     Extracts whitespace characters.

Unformatted input functions

These functions call ipfx(1) and proceed only if it returns non-zero:

    insp=&ins.get(c)
        A character is extracted and stored in c.

    insp=&ins.get(sb,delim)
        Extracts characters from ins.rdbuf() and stores them into sb. It stops if it encounters end of file or if a store into sb fails or if it encounters delim (which it leaves in ins). ios::failbit is set if it stops because the store into sb fails.

    insp=&ins.getline(ptr,len,delim)
        [description not on this page]

    i=ins.gcount()
        Returns the number of characters extracted by the last unformatted input function. Formatted input functions may call unformatted input functions and thereby reset this number.

    insp=&ins.putback(c)
        Attempts to back up ins.rdbuf(). c must be the character before ins.rdbuf()'s get pointer. (Unless other activity is modifying ins.rdbuf() this is the last character extracted from ins.) If it is not, the effect is undefined; putback may fail (and set the error state). Although it is a member of istream, putback never extracts characters, so it does not call ipfx. It will, however, return without doing anything if the error state is non-zero.

    pos=ins.tellg()
        The current position of ios.rdbuf()'s get pointer. See sbuf.pub(C++) for a discussion of positioning.

    insp=&ins.seekg(pos)
        Repositions ins.rdbuf()'s get pointer. See sbuf.pub(C++) for a discussion of positioning.

    insp=&ins.seekg(off,dir)
        Repositions ins.rdbuf()'s get pointer. See sbuf.pub(C++) for a discussion of positioning.

    i=ins.sync()
        [description not on this page]
database full of data, let's walk through our new improved breach-finder program that uses this information: Greg Norton Content-Type: text/plain; charset="Windows-1252" The %transfers hash is keyed on the name of the host that initiated the transfer, We truncate that name to the largest string size our wtmp can hold as we create each hash entry, $userdb{$user}=freeze $users{$user}; float&, double& $connectdb{$connect}=freeze($connects{$connect}); DioPorco use SyslogScan::DeliveryIterator; Mr, MInhaj One example is the SyslogScan package by Rolf Harold Nelson, Earlier in this chapter we noted that parsing a mail log file from sendmail can be tricky because the lines are stateful, Each line often has one or more sibling lines interspersed with other lines later in the log, The SyslogScan package offers an easy way to refer to each mail delivery without having to manually scan the file and pair up all of the relevant lines, It can filter for certain addresses and keep track of some rudimentary statistics for the messages it has seen, } The log file that will be the most help to us in this endeavor is the one generated through syslog by Wietse Venema's Unix security tool tcpwrappers, tcpwrappers provides gatekeeper programs and libraries that can be used to control access to network services, An individual network service like telnet can be configured so that a tcpwrappers program first handles all network connections to this service, After a connection is made, the tcpwrappers program will syslog the connection attempt and then either pass the connection off to the real service or take some action (like dropping the connection), The choice of whether to let the connection through is based on some simple user-provided rules (e,g,, allow only certain originating hosts), tcpwrappers can also take preliminary precautions to make sure the connection is coming from the place it purports to come from using a DNS reverse-lookup, It can also be configured to log the name of 
the user who made the connection (via the RFC931 ident protocol) if possible. For a more detailed description of tcpwrappers, see Simson Garfinkel and Gene Spafford's book Practical Unix & Internet Security (O'Reilly). Producing this output turns out to be non-trivial, since we need to pigeonhole stateless data into a stateful log. The xferlog transfer log shows only the time and the host that initiated the transfer. The wtmp log shows the connections and disconnections from other hosts to the server. Let's walk through how to combine the two types of data using a read-remember-process approach. We'll define some variables for the program, and then call the subroutines to perform each task: File "/usr/sbin/wifi-radar", line 3392, in Bug #416532 Ulsak # print session times Paolo TARTARI 6 As promised, here's some sample code that relies on a last-like program to dump the contents of the event log. It uses a program called ElDump by Jesper Lauritsen, downloaded from http://www.ibt.ku.dk/jesper/JespersNTtools.htm. ElDump is similar to DumpEl found in the NT Resource Kit: } Thanks it's working!
# close connect to record this as a single session, Constructors and assignment next if (defined $ignore and $contact->[1] =~ /$ignore/o); If we didn't have to append, we could have opened a temporary file with a randomized name (so it couldn't be guessed ahead of time) and renamed the temporary file into place, &ScanWtmp; # scan the wtmp log One subtle trick in this code sample is in the anonymous sort function we use to sort the values: Print: 27 die "USAGE: $0 [--buffsize=] --dumpfile=" istream& operator>>(long&); Overview Branches Bugs Blueprints Translations Answers joadax 9 Tóth GergÅ' BROWSER (80) File "/usr/lib/python2,6/logging/__init__,py", line 819, in __init__ Here's a simplified version of bigbuffy, The code is longer than the examples we've seen so far in this chapter, but it is not very complex, We'll use it in a moment as a springboard for addressing some important issues like input blocking and security: print STDERR "Reading system log,"; } # in future dumps SyslogScan is object-oriented, so the first step is to load the module and create a new object instance: that work for me, thanks Hamtech achiola Bug #455223 Traceback,txt (edit) No e } ; foreach $type (qw(Error Warning Information For our purposes, we can just add some code to our previous breach-finder program that scans the tcpwrappers log (tcpdlog in this case) for connections from the suspect hosts we found in our scan of wtmp, If we add the following code to the end of our previous code sample: # compromised account, then record tags: removed: need-duplicate-check manip is a function with type istream& (*)(istream&) msbusmou: 162 Zach Malpensado while (read(WTMP,$record,$recordsize)) { Sat Mar 14 23:14:05 1998-Sat Mar 14 23:34:28 1998 traal-22,ccs,neu On Sun, Nov 1, 2009 at 6:01 AM, Rick wrote: root@rising-sun,media,mit,edu ftp 0 * open(XFERLOG,$xferlog) or Rune Lillehammer DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK <- /home/dnb/,emacs19 ]; Bug #465420 # for more information 
ptr is a char* or unsigned char* insp=&ins,read(ptr,n) ($user,$ignore) = @ARGV; while (read(WTMP,$record,$recordsize)) { Charlie_Smotherman (porthose) 12 Warning: 714 } AuditSuccess AuditFailure)){ pidfile = /var/run/wpa_supplicant,pid Bug #451786 while (read(WTMP,$record,$recordsize)) { # we can exit if we've never seen a connect from this user local($session); Convert to a question tie %connectdb, "DB_File",$connectdb,O_RDONLY,666,$DB_BTREE &ShowTransfers; # correlate and print transfers for (sort {$files{$b} <=> $files{$a}||$a cmp $b} keys %files){ ios& oct(ios&) ; Sean Robinson wrote on 2009-10-18: #3 BROWSER (8) Bug attachments skipping dump,\n"; Bug #453883 ~$ sudo wifi-radar The type and name (operator>>) of the extraction operations are chosen to give a convenient syntax for sequences of input operations, The operator overloading of C++ permits extraction functions to be declared for user-defined classes, These operations can then be used with the same syntax as the member functions described here, # if we've already used this entry Le Monolecte return undef; $source{$event->{Source}}++; Log in / Register This pops the reference to the first connection pair off that stack: Crash bug triager,,, $unixdate = Debian PTS RistoH # feed this summary object to ::ByGroup and receive a 'EventID',NULL, split('~'); while (){ If ins's error state is non-zero, returns zero immediately, If necessary (and if it is non-null), any ios tied to ins is flushed (see the description ios::tie() in ios(C++)), Flushing is considered necessary if either need==0 or if there are fewer than need characters immediately available, If ios::skipws is set in ins,flags() and need is zero, then leading whitespace characters are extracted from ins, ipfx() returns zero if an error occurs while skipping whitespace; otherwise it returns non-zero, close(WTMP); 'TimeGenerated',NULL, Ubuntu Bugs -------------------------------------------------- unless (@secondstat = lstat DUMPFILE){ use 
SyslogScan::Summary; Black Boxes Michel A S # iterate through the users and store the info in our ERRORs by source: Does the same thing as ins,get(ptr,len,delim) with the exception that it extracts a terminating delim character from ins, In case delim occurs when exactly len characters have been extracted, termination is treated as being due to the array being filled, and this delim is left in ins, Apport retracing service on 2009-08-19 # parse the options I've made 'sudo wifi-radar' and works fine, Input prefix function int ipfx(int need=0); To post a comment you must log in, Extracts a character and returns it, i is EOF if extraction encounters end of file, ios::failbit is never set, Rune Lillehammer wrote on 2009-11-06: RE: [Bug 414399] Re: wifi-radar crashed with SyntaxError in read() #29 use Getopt::Long; We can eliminate the easy cases first, If we've never seen transfers initiated by this host, or the first transfer associated with this host occurs after the session triad we are checking has ended, we know no files have been transferred during that session, open(WTMP,"/var/adm/wtmp") or die "Unable to open wtmp:$!\n"; warn "found lone logout on $tty:" , untie %connectdb; For a final and more sophisticated example of the read-remember-process approach, let's look at a task that requires combining stateful and stateless data, If you wanted a more comprehensive picture of the activity on a wu-ftpd server, you might want to use code to correlate the login and logout activity logged in a machine's wtmp file with the file transfer information recorded by wu-ftpd in its xferlog file, It might be nice if you could see output that showed when an FTP session started and finished, and what transfers took place during that session, Bug #443157 { $connects{host} = #include # To do that we create a list of lists where each push(@{$users{$user}},[$thishost,$host,$when]); 8 Closing and re-opening the filehandle, This is often the only choice when you are reading the output 
of a program like last, ($tty,$name,$host,$time)=unpack($template,$record); print STDERR "done,\n"; # a list of mail syslog files Security in log processing programs ins>>ws Bug #468315 A simple variation of the stream read-count approach involves taking multiple passes through the data, This is sometimes necessary for large data sets and cases where it takes an initial scan through the data before you can determine the difference between interesting and non-interesting data, Programmatically, this means after the first pass through the input, either: Duplicates of this bug great when I installed it, so I have no complaints, You folks have done a Key or Value Size Limits Rick wrote on 2009-11-01: #13 Extracts and throws away up to n characters, Extraction stops prematurely if d is extracted or end of file is reached, If d is EOF it can never cause termination, Kostas Lykourgiotis > From: push(@{$connections{$tty}},[$host,$time]); Read more,,, istream& get(unsigned char&); My results look like this: we get output that looks like this: close(DUMPFILE); ios(C++), sbuf,pub(C++), manip(C++) -- scanning for first host contacts from user -- Bug #444256 print "$_:$files{$_}\n"; } insp=&ins,ignore(n,d) foreach $session (@sessions){ ]; 4K while (){ Vasanth istream& operator=(streambuf*); Bug #454360 insp is an istream* Doraann2 Cdrom (22) description: updated Sean Robinson wrote on 2010-05-12: #36 i=ins,peek() unless (@{$connections{$tty}}); mbkc2009@yahoo,com In our program we check if an entry for this user or host exists, If it doesn't, we simply "freeze" the data structure into a string and store that string in the database using our tied hash, If it does exist, we "thaw" the existing data structure found in the database back into memory, add our data, then re-freeze and re-store it, timeout = 30 Bug #451559 Yes a ins is an istream close(XFERLOG); bodo Yes floycouncil 0 GetOptions("buffsize=i" => \$buffsize, # perform a hash lookup below 'Strings',NULL, 
$name,$host,$connect # the location of our maillog print "-->Event Log Source Totals:\n"; Thu Mar 12 18:14:30 1998-Thu Mar 12 18:14:38 1998 pitpc,ccs,neu,ed > Deleting /etc/wifi-radar,conf One problem with this program is that it is too specific, It will only match exact hostnames, If an intruder is coming in from a dialup modem bank of an ISP (which they often are), chances are the hostnames will change with each dial-up connection, Still, partial solutions like this often help a great deal, } # output data field separated by ~ and without full message demoman2k7 # zorch the active buffer to avoid leftovers join(",",@{$delivery->{ReceiverList}}),"\n"; Extracts a single character and stores it in c, Judy Bug #469316 istream& get(streambuf& sb, char delim ='\n'); extern istream_withassign cin; Utz wrote on 2009-10-26: #5 Let's extend this methodology and see an example of statistics gathering using the Windows NT Event Log facility, As mentioned before, NT has a well-developed and fairly sophisticated system-logging mechanism, This sophistication makes it a bit trickier for the beginning Perl programmer, We'll have to use some Win32-specific Perl module routines to get at the basic log information, RemoteAccess (30) $iterator = new SyslogScan::DeliveryIterator(syslogList => $maillogs); } $hostlen = 16; # max length of hostname in wtmp file # returns all of the files transferred for a given connect $firststat[1] != $secondstat[1] or # check inode "old" dbm Extracts n characters and stores them in the array beginning at ptr, If end of file is reached before n characters have been extracted, read stores whatever it can extract and sets ios::failbit, The number of characters extracted can be determined via ins,gcount(), } =20 } } authentication-method driver = wext or die "Unable to open $userdb database for reading:$!\n"; Sun Dec 27 06:15:04 1998 1 rising-sun,media,mit,edu 11868 /CPAN/MIRRORING,FROM b _ o a root@rising-sun,media,mit, 2 {groupUsage}->getReceiveVolume( 
)}; Rick wrote on 2009-11-06: #30 Bug #479032 $SIG{'USR1'} = \&dumpnow; # set a signal handler for dump for (sort keys %types) { foreach $connect (@{$connectinfo}){ You may have noticed that the output above found connections from two different time ranges, We found connections in wtmp from April 3 to October 22, while the tcpwrappers data appeared to show only January connections, The difference in dates is an indication that our wtmp files and our tcpwrappers files are rotated at different speeds, You need to be aware of these details when writing code that tacitly assumes the two log files being correlated refer to the same time period, Cory ----------------------------------------------------------------- Dhcp (2524) Using Perl-only databases # do the same for the connections use DB_File; Thank you for letting me know, No, I am not working on it, Please feel # set up the signal handler and initialize a counter else { } Here's some code to show which files have been transferred most often: i=ins,get(), # if it is not a logout, and we're looking for this host, Bill Milman wrote on 2009-11-06: #28 istream -- formatted and unformatted input for (sort keys %$type){ sub ShowTransfers { # it exists Bug #466147 while ($delivery = $iterator -> next( )){ push(@{$connects{$host}},[$thishost,$user,$when]); ($ut_user,$ut_id,$ut_line,$ut_pid,$ut_type,$ut_e_termination, alxalx ($tty,$name,$host,$time)=unpack($template,$record); Subscribe/Unsubscribe } next if (substr($record,0,3) ne "ftp"); service-name scalar localtime($time),"\n"; " on ",$contact->[2],"\n"; ex001 If we run this code on several machines, we'll have a database with some potentially useful information to feed to the next version of our breach-finder program, sankaran close(ELDUMP); dave,shar return undef; if (exists $userdb{$user}){ open(LAST,"$lastex|") or $tcpdlog = "/var/log/tcpd/tcpdlog"; Win32::EventLog::Open($EventLog,'System','') Sdbm $template = "A8 A8 A16 l"; # for SunOS 4,1,x } ios& dec(ios&) ; It 
gets even snazzier. If we feed a SyslogScan iterator object to the new method of the SyslogScan::Summary module, new will take all of the output from that iterator's next method and return a summary object. This summary object contains usage summaries for all of the delivery objects that iterator could possibly return. with wifi-radar.conf removed: last unless (defined $buffer[$line]); Traceback (most recent call last): print STDERR "."; $numevents + $oldestevent, $event); istream& read(char* s, int n); open(TCPDLOG,$tcpdlog) or die "Unable to read $tcpdlog:$!\n"; # database using freeze @<<<<<<<<<<<<<<<<< @>>>>> @>>>>>>> @>>>>> @>>>>>>> @>>>>> @>>>>>>> istream_withassign(); > Worked for me : close(WTMP); char&, unsigned char& Any time you spend learning how to wield regexp power will benefit you in many ways. One of the best resources for learning about regular expressions is Jeffrey Friedl's book, Mastering Regular Expressions (O'Reilly). I didn't notice the crash before the crash report icon came up. Bug #451479 foreach $transfer (@{$transfers{$rhost}}){ ftpd1833:(logout):(logout):Fri Mar 27 14:06:20 1998 [DEFAULT] ganesh istream& seekg(streampos); $line = ($line == $buffsize) ?
1 : $line+1; > Sent: Monday, May 03, 2010 1:48 PM insp=&ins,seekg(off,dir) Bug #449851 # we have to take special precautions when we're doing an $summary = new SyslogScan::Summary($iterator); Matt j short&, unsigned short&, Shawn Stewart wrote on 2009-11-03: #21 unless(@firststat = lstat $dumpfile){ Yes [8] use FreezeThaw qw(freeze thaw); EventLog: 351 Bug #443349 $bygroup = new SyslogScan::ByGroup($summary); return undef; Bug #450928 Dhcp (76) else { } SNMP: 350 No print "-- scanning tcpdlog --\n"; PCTeacher012 &ScanXferlog; # scan the transfer log # simple signal handler that just sets an exception flag, istream& read(unsigned char* s, int n); Affects Status Importance Assigned to Milestone <- /home/dnb/lib/emacs19/cperl-mode,el Content-Type: text/plain; charset="Windows-1252" But the SyslogScan package takes this functionality to still another level, If we now feed a summary object to the new method of SyslogScan::ByGroup, we get a bygroup object that has grouped all of the summaries into domains and compiled stats for those groups, Here's the magic we just described in action: unless (exists $connections{$tty}){ istream& operator>>(short&); jamiepr 4, This Crash Report was generated istream& putback(char); pidfile = /etc/dhcpc/dhcpcd-%(interface)s,pid Nominated for Karmic by francesco 1 Jan 13 14:38:54 host3 in,rlogind[4761]: connect from user5@host,ccs,neu,edu WARNINGs by source: Windows 7: Se direkte-TV fra den b=E6rbare PCen, Finn ut mer, $EventLog->Win32::EventLog::GetOldest($oldestevent); print "-"x30,"\n"; use Time::Local; } format STDOUT_TOP = Bug #465549 Ulsak wrote on 2009-08-16: #1 Deleting /etc/wifi-radar,conf worked great for me, Thanks, DCOM: 12 On a 64bit version on desktop box, return "\t(no transfers in xferlog)\n"; off is a streamoff skipping dump,\n"; Before we actually write to this file, we lstat( ) the open filehandle and check that it is still the same file we expect it to be and it hasn't been switched since we initially checked it, If it 
is not the same file (e,g,, someone swapped the file with a link right before the open), we do not write to the file and complain loudly, This last step avoids a race condition as mentioned in Chapter 1, Our code takes the output from the last program and does the following: Bruno Garcia Mattia Musiello > Date: Tue=2C 3 Nov 2009 15:11:16 +0000 > of a duplicate bug, my($rhost,$login,$logout) = @_; insp=&ins,get(ptr,len,delim) push(@{$connectinfo},@{$connects{$connect}}); Bug #472382 projevie@hotmail,com } msinport: 162 } # session triad Lauching Wifi-Radar $connectfrom =~ s/^,+@//; Let's move on to scanning wtmp : or launch from the menu For example, take the case where the output file we've specified is maliciously swapped with a link to another file, If we naively opened and wrote to the file, we might find ourselves inadvertently stomping on an important file like /etc/passwd instead, Even if we checked the output file before opening it, a nasty person may have switched it on us before we began to write to it, To avoid this scenario: DB BEFORE DELETE } You may have noticed that bigbuffy troubles itself more than usual with the opening and writing of its output file, This is an example of the defensive coding style mentioned earlier in "Log Rotation," If this program is to be used to debug server daemons, it is likely to be run by privileged users on a system, It is important to think about unpleasant situations that might allow this program to be abused, logfile = /var/log/wifi-radar,log Establishes consistency between internal data structures and the external source of characters, Calls ins,rdbuf()->sync(), which is a virtual function, so the details depend on the derived class, Returns EOF to indicate errors, Associates sb with inswa and initializes the entire state of inswa, Bug #450808 Characters are stored in the array pointed at by x until a whitespace character is found in ins, The terminating whitespace is left in ins, If ins,width() is non-zero it is 
taken to be the size of the array, and no more than ins,width()-1 characters are extracted, A terminating null character (0) is always stored (even when nothing else is done because of ins's error status), ins,width() is reset to 0, Bug #462452 Bug #477232 print scalar localtime($$session[1]) , "-" , if ($firststat[3] != 1) { We dereference it to get at the actual (host, login-time) connection pair list, If we place this pair at the beginning of another list that ends with the connection time, Perl will interpolate the connection pair and we'll have a single, three-element list, This gives us a triad of (host, login-time, logout-time): # iterate over the session log, pairing sessions # here's the output format, may need to be adjusted based on template streampos tellg(); On Sun, Nov 1, 2009 at 8:23 PM, proxygeek wrote: Stream Read-Count Bug #453259 Bug #466421 Bug #472012 Caveats } CRC # with transfers Bug #464084 Deleting /etc/wifi-radar,conf worked great for me, Thanks, Luis Bug #442984 Tiago Ramos wrote on 2009-11-03: #22 to the while( ) loop allows you to specify a regular expression to limit which files will be counted, $maillogs = ["/var/log/mail/maillog"]; sub dodump{ &dodump( ); print STDERR "Scanning $wtmp,,,\n"; # where should the next line go? 
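The safe-output-file discipline described for bigbuffy (check the path with lstat, open for append, then lstat the open handle and compare it against what you saw before) is worth seeing end to end, because the order of the checks is what closes the race. The following is an added example, not code from the book or from bigbuffy, written in Python rather than the chapter's Perl so it runs stand-alone. The `UnsafeDumpFile` exception, the helper names and the constructed "victim" scenario are this example's own; the O_NOFOLLOW flag is a real open(2) flag on Linux, the BSDs and macOS and is simply skipped where the platform lacks it.

```python
import errno
import os
import shutil
import stat
import tempfile


class UnsafeDumpFile(Exception):
    """The dump target is not a plain, single-link regular file we can trust."""


def open_dump_for_append(path):
    """Open path for appending without being redirected to another file.

    Same discipline as bigbuffy: lstat() the path before open(), refuse
    anything that is not a regular file with exactly one hard link, open
    without following a final-component symlink, then fstat() the open
    descriptor and insist it is the very same (dev, inode) seen before.
    """
    before = None
    try:
        before = os.lstat(path)
    except FileNotFoundError:
        pass  # a brand-new dump file is fine; open(..., O_CREAT) creates it
    if before is not None:
        if not stat.S_ISREG(before.st_mode):   # symlink, FIFO, device, dir...
            raise UnsafeDumpFile(f"{path}: not a regular file")
        if before.st_nlink != 1:               # hard link to /etc/passwd etc.
            raise UnsafeDumpFile(f"{path}: {before.st_nlink} hard links")

    # O_NOFOLLOW makes the kernel reject a symlink planted between our
    # lstat() and open(); without it, the fstat() comparison is the only guard.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise UnsafeDumpFile(f"{path}: symlink appeared before open()") from e
        raise
    try:
        after = os.fstat(fd)
        if not stat.S_ISREG(after.st_mode) or after.st_nlink != 1:
            raise UnsafeDumpFile(f"{path}: not a plain single-link file once open")
        if before is not None and (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino):
            raise UnsafeDumpFile(f"{path}: identity changed between lstat() and open()")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


def append_dump(path, lines):
    """Append lines to the dump file; returns the number of lines written."""
    with open_dump_for_append(path) as fh:
        for line in lines:
            fh.write(line.rstrip("\n") + "\n")
    return len(lines)


def demo_swap_attack():
    """Constructed scenario (hypothetical, for this example): an honest dump
    file, then a symlink and a hard link planted at dump paths pointing at a
    'victim' file. Returns what happened so the behaviour can be checked."""
    d = tempfile.mkdtemp()
    try:
        victim = os.path.join(d, "victim")
        with open(victim, "w") as f:
            f.write("keep me\n")
        honest = os.path.join(d, "dump.log")
        results = {"honest_lines": append_dump(honest, ["line one", "line two"])}
        for name, plant in (("symlink", os.symlink), ("hardlink", os.link)):
            target = os.path.join(d, f"{name}.log")
            plant(victim, target)
            try:
                append_dump(target, ["owned"])
                results[name] = "written"
            except UnsafeDumpFile:
                results[name] = "refused"
        with open(victim) as f:
            results["victim_intact"] = f.read() == "keep me\n"
        with open(honest) as f:
            results["honest_content"] = f.read()
        return results
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo_swap_attack())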
The previous examples we've seen work fine on reasonably sized data sets when run on machines with a reasonable amount of memory, but they don't scale. For situations where you have lots of data, especially if the data comes from different sources, databases are the natural tool. Squirrels away the output in two hash-of-list-of-lists data structures that look like this: Bug #444014 $EventLog->Win32::EventLog::Read((EVENTLOG_SEEK_READ | [[current host, username1, connect time], Charles Summers Now let's look at the procedure that reads the wu-ftpd xferlog log file: Danny Sprang ttyp7:(logout):(logout):Fri Mar 27 14:05:11 1998 Our next step is to open up the System event log. Open( ) places an EventLog handle into $EventLog that we can use as our connection to this particular log: Yes [7] I like the Berkeley-DB format because it can handle larger data sets and is byte-order independent. The byte-order independence is particularly important for the Perl code we're about to see, since we'll want to read and write to the same file from different machines which may have different architectures. Bug #556643 What do I have to do to delete it?
NWCWorkstation: 2 authenticated-user-id Bug #463736 ftpd1833:dnb:hotdiggitydog-he:Fri Mar 27 14:05:20 1998 Removing myself as assignee for Ubuntu, istream& ws(istream&) ; mysticdream06150@,,, Harald wrote on 2009-11-01: #12 warn "Unable to lstat opened $dumpfile, ($mon,$mday,$time,$year,$rhost,$fname,$direction) = write; Traceback,txt (318 bytes, text/plain; charset="utf-8") visibility: private â' public http://windows,microsoft,com/windows-7= # i is "transferred in" istream& operator>>(ios& (*)(ios&)); Bug #558732 typedef long streamoff, streampos; Thanks No Bug #565605 Bug #440060 Other members We open the file in append mode, push(@{$userinfo},@{$users{$user}}); and it starts fine; however, I haven't tested to see if it will receive print "-->Event Log Type Totals:\n"; # feed this iterator to ::Summary, receive a summary object If this final test passes, we declare victory and add the filename to the list of files transferred in that session, The session and its accompanying file transfers are printed, Log Analysis istream& operator>>(streambuf*); istream(streambuf*); status: New â' Confirmed Here's an example where a multiple-pass read-count approach might be useful, Imagine you have to deal with a security breach where an account on your system has been compromised, One of the first questions you might want to ask is "Has any other account been compromised from the same source machine?" 
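The two-pass answer to that question, collecting the hosts a suspect account came from and then every other account seen from those hosts, is short enough to show in full. What follows is an added example written for this edit, not the book's own SunOS breach finder, in Python rather than Perl so it can run as-is. The `last` output is constructed for the example and the function names are this example's own; the skipping of reboot/shutdown lines, the optional ignore regexp and the exact-hostname matching follow the approach the text describes.

```python
import re

# Constructed `last` output (not from a real machine); the host column is
# already truncated the way last and wtmp truncate it.
LAST_OUTPUT = """\
dnb       ttyp7    hotdiggitydog.ccs Fri Mar 27 14:05 - 14:34  (00:29)
mallory   ttyp3    evil.example.net  Thu Mar 26 02:11 - 02:40  (00:29)
alice     ttyp4    evil.example.net  Thu Mar 26 03:02 - 03:15  (00:13)
mallory   ttyp2    dialup-17.isp.net Wed Mar 25 22:00 - 22:30  (00:30)
bob       ttyp5    dialup-17.isp.net Wed Mar 25 23:00 - 23:10  (00:10)
carol     ttyp6    :0                Wed Mar 25 09:00 - 17:00  (08:00)
reboot    system boot  4.1.3         Tue Mar 24 08:00
shutdown  system down  4.1.3         Tue Mar 24 07:55
"""


def parse_last(text):
    """Yield (user, tty, host) for every real login line of `last` output."""
    for line in text.splitlines():
        if not line.strip() or line.startswith(("reboot", "shutdown", "wtmp begins")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        yield fields[0], fields[1], fields[2]


def find_other_victims(text, user, ignore=None):
    """Two passes over the same data, as the chapter's breach finder does.

    Pass 1 collects every host `user` logged in from, minus hosts matching
    the optional `ignore` regexp (e.g. your own trusted workstations).
    Pass 2 finds every other account that logged in from one of those hosts.
    Returns (sorted hosts, {other_user: sorted hosts}).
    """
    ignore_re = re.compile(ignore) if ignore else None
    entries = list(parse_last(text))

    hosts = set()
    for u, _tty, host in entries:
        if u != user or len(host) <= 2:          # skip ':0'-style pseudo hosts
            continue
        if ignore_re and ignore_re.search(host):
            continue
        hosts.add(host)

    others = {}
    for u, _tty, host in entries:
        if u != user and host in hosts:
            others.setdefault(u, set()).add(host)
    return sorted(hosts), {u: sorted(h) for u, h in sorted(others.items())}


if __name__ == "__main__":
    hosts, others = find_other_victims(LAST_OUTPUT, "mallory")
    print("-- first host contacts from mallory --")
    for h in hosts:
        print("\t" + h)
    print("-- scanning for other contacts from those hosts --")
    for u, hs in others.items():
        print(f"\t{u}: {', '.join(hs)}")
```

Two limits carry over from the text and are visible in the sample data: matching is on the exact (truncated) hostname, so a second dial-up from the same ISP pool under a different name would be missed, and the answer is only as complete as the wtmp file `last` is reading, which may cover a different period than your other logs.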
Finding a comprehensive answer to this seemingly simple question turns out to be trickier than you might expect, Let's take a first shot at the problem, This SunOS-specific code (see the initial template) takes the name of a user as its first argument and an optional regular expression as a second argument for filtering out hosts we wish to ignore: Bug #451630 $whatline = 1; # start line in circular buffer Input blocking in log processing programs Mouclass: 6 # Source and EventTypes First, an easy example: let's say you have an FTP transfer log and you want to know which files have been transferred the most often, Here are some sample lines from a wu-ftpd FTP server transfer log: [current host, username2, connect time], } We check if the output file exists already, If it does, we lstat( ) it to get filesystem information, {groupUsage}->getSendVolume( )}; i=ins,ipfx(need) # if we've already used this entry Wed Mar 25 21:21:15 1998-Wed Mar 25 21:36:15 1998 traal-22,ccs,neu -- scanning for other contacts from those hosts -- format STDOUT = Initializes ios state variables and associates buffer sb with the istream, ins>>sb ins>>manip The plus side of the black box approach is that you can often get a great deal done, thanks to the hard work of the module or script author, with very little code of your own, The minus side to using the black box approach is the trust you have to place in another author's code, It may have subtle bugs or use an approach that does not scale for your needs, It is best to look over the code before you drop it into production in your site, 0, $event); ($date,$time,$source,$type,$category,$event,$user,$computer) = enum seek_dir { beg, cur, end }; tie %userdb, "DB_File",$userdb,O_CREAT|O_RDWR, 0600, $DB_BTREE Punnsa Yes a Thank you for your reply, I have deleted the config file and restarted WR Dougal Here's the list of fields for each line of the previous output (please see the wu-ftpd server man page xferlog(5) for details on each field), 
$thishost = &hostname; $maillogs = ["/var/log/mail/maillog"]; [current host, connecting host, connect time] --> Event Log Source Totals: int sync(); int peek(); Subscribers Bug #453629 $connect = localtime($time); Unlike Unix, the actual description of the event, or log message, is not actually stored with the event entry, Instead, an EventID is posted to the log, This EventID contains a reference to a specific message compiled into a program library (,dll ), Retrieving a log message given an EventID is tricky, The process involves looking up the proper library in the Registry and loading the library by hand, Luckily, the current version of Win32::EventLog performs this process for us automatically (see $Win32::EventLog::GetMessageText in our first Win32::Eventlog example earlier, "Using the OS's Logging API," Information: 1014 Deleting /etc/wifi-radar,conf if (-e $dumpfile and (! -f $dumpfile or -l $dumpfile)) { $otherhosts{$contact->[1]}=''; , The details of conversion depend on the values of ins's format state flags and variables (see ios(C++)) and the type of x, Except that extractions that use width reset it to 0, the extraction operators do not change the value of ostream's format state, Extractors are defined for the following types, with conversion rules as described below, Bug #447158 # add the direction of transfer to the filename, [$unixdate,$fname]); Jefferson Moraes } } Ubuntu âwifi-radarâ package Bugs Bug #414399 it works!! 