output external


SrvrSide

Jun 22, 2012, 4:07:01 PM
to sagan-users
Hello,
Could someone perhaps help me understand why this directive might
fail?

output external: /usr/home/sagan/evtparse parsable

The rest of the solution works perfectly. Triggered events are written
to the /var/log/sagan/alerts log but the external script is never
called.
Thanks for any help
Best - SrvrSide

Champ Clark III

Jun 22, 2012, 4:10:10 PM
to sagan...@googlegroups.com

What's the evtparse written in? How did you verify it's not running?
You might want to have the evtparse "touch" a file in the /tmp before
doing anything serious. At least that way you know it's being called :)

Thanks.
--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

SrvrSide

Jun 22, 2012, 4:24:49 PM
to sagan-users
Hello Champ, thank you for the reply and thanks for the software.
The script is a simple test script - I've tried Perl and shell - it
just echoes information to a 'log' so I can see that it ran...
--
#!/bin/sh
echo `date` >> /usr/home/sagan/_test.log
--



Champ Clark III

Jun 22, 2012, 4:35:29 PM
to sagan...@googlegroups.com

Make sure that in the "output external: {program}" line there's a space
between the "external:" and the {program}. That's a known bug.
Which code are you using? Sagan-0.2.1 or the git tree? I'll test a
bit later and see if I can duplicate.



--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

SrvrSide

Jun 22, 2012, 4:41:44 PM
to sagan-users
Thanks Champ. The version details are:
[*] ,-._,-. -*> Sagan! <*-
[*] \/)"(\/ Version 0.2.1
[*] (_o_) Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]
[*] / \/) Copyright (C) 2009-2012 Quadrant Information Security, et al.
[*] (|| ||) Using PCRE version: 8.30 2012-02-04
[*] oo-oo Sagan is processing events.....
I've checked the space issue, I don't believe it's that - spent a
couple of hours on Google before asking for assistance. The directive
I'm using is:
output external: /usr/home/sagan/evtparse parsable
      ^         ^                        ^ spaces
I've also tried tabs.
Just in case it has some relevance, the OS is FreeBSD 9.0
Thank you for the assistance
- SrvrSide


Champ Clark III

Jun 22, 2012, 5:01:10 PM
to sagan...@googlegroups.com

Thanks for the info. I have a FreeBSD box as well (however, I don't
think it's FreeBSD 9.. Not likely to make a difference). I'll test
it on my Linux dev side first. It should be spaces and not a tab.
Sounds like you have the configuration correct.


--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

Champ Clark III

Jun 22, 2012, 5:12:09 PM
to sagan...@googlegroups.com


I just did a really, really quick test and you're correct. The
"external:" is not being called. I'll take a look at it over the
weekend and let you know what I find.

In the meantime, I'm going to file a bug for this. Thanks for the
information.


--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

SrvrSide

Jun 24, 2012, 9:09:11 AM
to sagan-users
Hello Champ,
I had a quick look at the source and I believe the issue is a small
one.
The config file parser is setting the "sagan_ext_flag" variable in the
config structure (as below: sagan-config.c:265)

if (!strcmp(sagan_var, "external:")) {
    snprintf(config->sagan_extern, sizeof(config->sagan_extern),
             "%s", strtok_r(NULL, " ", &tok));
    if (strstr(strtok_r(NULL, " ", &tok), "parsable")) config->sagan_exttype=1;
    config->sagan_ext_flag=1;
}

but the main() routine is checking for the "output_thread_flag"
variable (as below: sagan.c:1264) to fire off the new thread.
if ( config->output_thread_flag ) {

Adding the "output_thread_flag" variable name to the config parser (as
the "sagan_ext_flag" is referenced by the sagan-output routines)
appears to make everything fall into place. This is only a two minute
check, so I don't know if this would have further negative impact.

if (!strcmp(sagan_var, "external:")) {
    snprintf(config->sagan_extern, sizeof(config->sagan_extern),
             "%s", strtok_r(NULL, " ", &tok));
    if (strstr(strtok_r(NULL, " ", &tok), "parsable")) config->sagan_exttype=1;
    config->sagan_ext_flag=1;
    config->output_thread_flag=1;
}
Hope it helps a little
- SrvrSide




Champ Clark III

Jun 24, 2012, 12:58:39 PM
to sagan...@googlegroups.com


Yep. config->output_thread_flag is a flag set when a sagan_output()
needs to be called. What I thought was strange the other day when I
quickly tested it, was it was "working" for me (without problems)
then it stopped working for me. However, if _any_ other output
plugin is called config->output_thread_flag() is set. So if you
_only_ have external being called, it won't work. However, if
you're doing external and SQL for example, it will :)

I'll push the fix to git tonight. I also added a --debug external
flag as well.


Thanks for the help on debugging this, I appreciate it.


--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
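To make the two-flag mismatch from SrvrSide's diagnosis and Champ's explanation (it only fails when "external" is the sole output plugin) concrete, here is an added example that I wrote for this thread; it is a constructed model, not Sagan's own source. The struct, the "sql:" branch standing in for "any other output plugin", the "output" leading token and the extra NULL check on the "parsable" token are all my assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strtok_r() in <string.h> */
#include <stdio.h>
#include <string.h>

/* Constructed model of the Sagan 0.2.1 config fields named in the thread
 * (not the project's own struct). */
struct sagan_config {
    char sagan_extern[256];  /* path of the external program */
    int  sagan_exttype;      /* 1 when "parsable" was requested */
    int  sagan_ext_flag;     /* set by the "external:" parser branch */
    int  sagan_sql_flag;     /* stands in for any other output plugin */
    int  output_thread_flag; /* main() starts the output thread only if set */
};

/* Parse one "output <plugin>: <args>" line; 0 on success, -1 if unusable.
 * fixed == 0 reproduces the 0.2.1 "external:" branch (sets sagan_ext_flag
 * only); fixed == 1 also raises output_thread_flag, as the fix does. */
int parse_output_line(struct sagan_config *c, const char *line, int fixed)
{
    char buf[512], *tok, *var, *arg;
    snprintf(buf, sizeof(buf), "%s", line);      /* strtok_r() writes into it */
    var = strtok_r(buf, " ", &tok);
    if (var == NULL || strcmp(var, "output")) return -1;
    var = strtok_r(NULL, " ", &tok);             /* plugin name, e.g. "external:" */
    if (var == NULL) return -1;
    if (!strcmp(var, "external:")) {
        arg = strtok_r(NULL, " ", &tok);         /* program path */
        if (arg == NULL) return -1;
        snprintf(c->sagan_extern, sizeof(c->sagan_extern), "%s", arg);
        arg = strtok_r(NULL, " ", &tok);         /* optional "parsable" */
        /* NULL check added here; 0.2.1 handed this token straight to strstr() */
        if (arg != NULL && strstr(arg, "parsable")) c->sagan_exttype = 1;
        c->sagan_ext_flag = 1;
        if (fixed) c->output_thread_flag = 1;
        return 0;
    }
    if (!strcmp(var, "sql:")) {                  /* any other plugin sets the flag */
        c->sagan_sql_flag = 1;
        c->output_thread_flag = 1;
        return 0;
    }
    return -1;
}

/* Mirrors the sagan.c:1264 check: the external program is only called when
 * the output thread is started, i.e. when output_thread_flag is set. */
int external_will_run(const struct sagan_config *c)
{
    return c->sagan_ext_flag && c->output_thread_flag;
}
```

With fixed == 0 an "external"-only configuration parses cleanly yet external_will_run() reports 0, which is exactly the symptom in the first post; adding a second plugin line or setting fixed == 1 makes it 1.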

Champ Clark III

Jun 25, 2012, 8:08:05 PM
to sagan...@googlegroups.com

Just pushed to git (sagan-0.2.2-git) a fix for the output "external"
not being called. Was due to config->output_thread_flag not being
set. I re-arranged the way config->output_thread_flag gets set in the
code. Any time an "output" plugin is called,
config->output_thread_flag now gets set. Before it was being set
per-output plugin, which didn't make much sense.

Thanks to SrvrSide for pointing this out.

If anyone tests and notices any other problems, please let me know.

--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

Da Beave

Jun 28, 2012, 10:21:04 PM
to sagan...@googlegroups.com
SrvrSide,  

Did you get a chance to check out git?  Did it work for you?  Just curious.

SrvrSide

Jun 29, 2012, 6:12:14 PM
to sagan-users
Hello,
Sadly I haven't had a chance - I'll be looking at it over the weekend.

SrvrSide

Jul 4, 2012, 5:19:47 PM
to sagan-users
Working great Champ - thanks again.
Sorry I didn't get round to confirming earlier.
- all the best SrvrSide

Da Beave

Jul 6, 2012, 4:19:06 PM
to sagan...@googlegroups.com


Hey... thanks for testing and the update.
 
Reply all
Reply to author
Forward
0 new messages