[Hatchet-users] Fixes for hatchet-0.8

Jason Dixon jason at dixongroup.net
Sun Jun 19 14:31:41 EDT 2005


Here are a couple of patches for hatchet and README.chroot that will 
fix an issue with hatchet not seeing any pflog entries.  Thanks to 
Christopher Fuhrman for the patch against bin/hatchet.  Thanks to the many 
folks who reported that I forgot to mention copying hatchet.conf over 
to the chroot (and editing it accordingly).  I will try to have 
hatchet-0.8.1 out today or tomorrow, which will have these patches 
included.  These patches have been tested against OpenBSD 3.7.

--- hatchet-0.8/bin/hatchet        Thu May 12 21:38:22 2005
+++ hatchet-0.8/bin/hatchet     Sun Jun 19 11:16:17 2005
@@ -146,7 +146,17 @@
                         my $input = $_;
                         my ($date, $points, $rulenum, $action, 
$interface, $src_host, $src_port, $dst_host, $dst_port, $remainder);
                         SWITCH: {
+                               if ($input =~ /(\w+ \d+ 
\d+:.\d:.\d+)\.(\d+) rule (\d+)\/\(match\) (\w+ \w+) \w+ (\w+)\: 
(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)\:(.*)/)
+                                       {
+                                               ($date, $points, 
$rulenum, $action, $interface, $src_host, $src_port, $dst_host, 
$dst_port, $remainder) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
+                                               last SWITCH;
+                                       }
                                 if ($input =~ /(\w+ \d+ 
\d+:.\d:.\d+)\.(\d+) rule (\d+)\/\d+\(match\)\: (\w+ \w+) \w+ (\w+)\: 
(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)\:(.*)/)
+                                       {
+                                               ($date, $points, 
$rulenum, $action, $interface, $src_host, $src_port, $dst_host, 
$dst_port, $remainder) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
+                                               last SWITCH;
+                                       }
+                               if ($input =~ /(\w+ \d+ 
\d+:.\d:.\d+)\.(\d+) rule (\d+)\/\(match\)\: (\w+ \w+) \w+ (\w+)\: 
([a-f0-9\:]+)\.(\d+) > ([a-f0-9\:]+)\.(\d+)\:(.*)/)
                                         {
                                                 ($date, $points, 
$rulenum, $action, $interface, $src_host, $src_port, $dst_host, 
$dst_port, $remainder) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
                                                 last SWITCH;
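Review bot: the two added patterns disagree on the text after "(match)": the new IPv4 branch expects `rule (\d+)\/\(match\) (\w+ \w+)` (no colon, no per-rule counter), while the new IPv6 branch expects `rule (\d+)\/\(match\)\: (\w+ \w+)` (colon kept). If the newer pflog output dropped the colon along with the `/N` counter, the IPv6 branch will never match and IPv6 entries will still be silently skipped; please confirm against a real IPv6 line from 3.7 and make the two branches consistent. Two smaller points: all three branches share an identical ten-element assignment and `last SWITCH`, so a single pattern with optional parts (e.g. `\/(?:\d+)?\(match\):?`) would remove the duplication, and the timestamp group `(\w+ \d+ \d+:.\d:.\d+)` copied from the existing branch uses `.` where `\d+` is clearly intended.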


--- hatchet-0.8/Docs/README.chroot  Sun Jun 19 10:52:52 2005
+++ hatchet-0.8/Docs/README.chroot      Sun Jun 19 10:53:30 2005
@@ -38,4 +38,7 @@
  3) Move the database into chroot
         > mv /var/db/pflog.db /var/www/var/db/pflog.db

-4) Restart Apache
+4) Edit /etc/hatchet.conf to point to the chrooted database
+       $db_file = '/var/www/var/db/pflog.db';
+
+5) Restart Apache
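Review bot: the new step 4 only covers `/etc/hatchet.conf`; the copying of hatchet.conf into the chroot that the accompanying message says was missing from the README still is not documented here. Since step 3 shows `/var/www` as the chroot root, a config read by the CGI from inside the chroot would need the chroot-relative path (`/var/db/pflog.db`), while `$db_file = '/var/www/var/db/pflog.db';` is the path as seen from outside the chroot. Suggest adding a step that copies the file to the chroot (for example under `/var/www/etc/`) and states which path each copy should use, so readers do not end up with a config that resolves to `/var/www/var/www/var/db/pflog.db` inside the jail.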


Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net


