argus fix
David Brumley
dbrumley at rtfm.stanford.edu
Sun Sep 3 22:08:12 EDT 2000
Carter,
For solaris 7, you should add these defines
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
to enable large file support (files > 2GB, which we often have :)
I've also included the perl script we use for restarting argus (and
tcpdump), which might be a good example.
cheers,
david
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445 WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121 PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Quidquid latine dictum sit, altum viditur.
-------------- next part --------------
#!/usr/bin/perl
use strict;
use vars qw ($opt_v $opt_d);
use Getopt::Std;
use POSIX qw(strftime);
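$opt_v = 0;
$opt_d = 0;
my $CONFIGFILE = "/usr/local/etc/monitor.conf";
# Things defined in CONFIGFILE.  They must be declared before the config
# is executed below, because each config line is evaluated as Perl in
# this scope and assigns to these lexicals.
my $LOGDIR;
my $ARCHIVEDIR;
my $SUCCESS;
my $FAILURE;
my $ARGUSPREF;
my $TCPDUMPPREF;
my $ARGUS_CMD;
my $TCPDUMP_CMD;
my $TCPDUMP_FILTER;
my $FIXTIME;
my $ERR_RCPT;
# Get our variables' values.  The config file is Perl source executed
# line by line with string eval, by a script that runs as root, so it has
# exactly the trust level of this script: it must be root-owned and not
# writable by anyone else.  Lines are evaluated independently, so every
# assignment has to fit on one line and may only refer to variables set
# on earlier lines.
open(my $conf, '<', $CONFIGFILE) or die "couldn't open $CONFIGFILE\n";
while (my $line = <$conf>) {
    chomp $line;
    next if $line =~ /^\s*(?:#|$)/;    # blank lines and comments have nothing to run
    eval $line;                        # string eval by design: the config IS code
    # A config line that fails to compile previously went unnoticed and
    # left the corresponding variable empty; fail loudly instead.
    die "error in $CONFIGFILE line $.: $@" if $@;
}
close($conf);
getopts('vd');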
# Returns current date string by default. If arg supplied
# returns date of time() - arg. note: Time is in unix epoch seconds
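# Returns a YYMMDD date string for "now" or, when a number of seconds is
# supplied, for that many seconds before now (the argument is subtracted
# from time(), so 86400 means "yesterday").  A missing, undef or zero
# argument all mean "now".  The date is in local time.
sub finddate {
    my ($back) = @_;
    # Built with sprintf rather than strftime because the Solaris 2.6 C
    # library this ran on lacked some strftime conversions (the original
    # author mentions %g).
    my ($mday, $mon, $year) = (localtime($back ? time() - $back : time()))[3, 4, 5];
    # localtime() reports months 0-11 and years since 1900; fold the year
    # to its last two digits to match the existing file names.
    return sprintf("%02d%02d%02d", $year % 100, $mon + 1, $mday);
}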
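# Given a desired file name, returns it unchanged when nothing exists at
# that path; otherwise returns the first of NAME.part1, NAME.part2, ...
# that does not exist yet, so an earlier capture from the same day is not
# overwritten.  Dies with "testname" when called without an argument.
# NOTE(review): the existence check is separate from the later open by
# tcpdump/argus, so two concurrent starts could still pick the same name.
sub testname {
    my ($name) = @_;
    die "testname\n" unless @_;
    return $name unless -e $name;
    my $part = 1;
    $part++ while -e "$name.part$part";
    return "$name.part$part";
}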
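# Returns the PID of the first process whose `ps -eaf` line contains the
# supplied string, or 0 when there is none.  Dies when called without an
# argument.  The string is matched literally: the configured command
# lines contain "." and "-", which used to be interpreted as regex
# operators.  Matching is by substring of the whole ps line, so any
# unrelated process whose arguments happen to contain the string would be
# reported (and signalled by the stop_* callers); keep the configured
# command strings specific.
sub findpid {
    my ($needle) = @_;
    die "must supply string of process in ps to findpid\n" unless @_;
    # Absolute path and fixed arguments; nothing from the caller reaches a
    # shell here.
    my @proclist = `/usr/bin/ps -eaf`;
    my ($line) = grep { /\Q$needle\E/ } @proclist;
    # Previously a miss produced undef via chomp/split on undef; return a
    # definite 0 instead (callers test for pid > 10 either way).
    return 0 unless defined $line;
    chomp $line;
    # ps -eaf columns are UID PID PPID ...; the PID is the second field.
    my @fields = split(" ", $line);
    return defined $fields[1] ? $fields[1] : 0;
}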
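# Starts tcpdump writing to LOGDIR/TCPDUMPPREF.YYMMDD (suffixed .partN if
# that name is taken).  When the capture filter file is unreadable it
# reports on STDERR and returns without starting anything.  Every piece
# of the command line comes from the config file, which is executed as
# Perl by this root-run script and is therefore already fully trusted.
sub start_tcpdump {
    print "Starting tcpdump...\n" if $opt_v == 1;
    # Make sure times reported are accurate (an ntpdate call in the
    # sample config).
    `$FIXTIME`;
    if (! -r $TCPDUMP_FILTER) {
        # print, not printf: the path is data, not a format string.
        print STDERR "$TCPDUMP_FILTER not found or unreadable.\n";
        print STDERR "Skipping TCPDUMP startup\n";
        return;
    }
    my $capture = testname($LOGDIR . "/" . $TCPDUMPPREF . "." . finddate());
    # The shell backgrounds tcpdump; its statistics on stderr are
    # deliberately discarded.
    system("$TCPDUMP_CMD -F $TCPDUMP_FILTER -w $capture 2>/dev/null &");
    # Hand the capture file to the security group.  The chown result used
    # to be ignored; report it, since tcpdump may not have created the
    # file yet when chown runs right after a backgrounded start.
    system("chown security:security $capture") == 0
        or print STDERR "chown security:security $capture failed\n";
}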
# Sends TERM to the tcpdump process reported by findpid, once a second,
# until findpid no longer reports one.  PIDs of 10 or below are never
# signalled (a guard against findpid returning 0 or a bogus field).
# NOTE(review): a process that ignores TERM keeps this loop running
# forever; there is no escalation or timeout.
sub stop_tcpdump {
    print "Stopping tcpdump...\n" if $opt_v == 1;
    while (1) {
        my $victim = findpid("$TCPDUMP_CMD");
        last if $victim <= 10;
        kill("TERM", $victim);
        sleep(1);
    }
}
# Rotates the argus output file by restarting argus.  Argus reportedly
# can rotate without being stopped, but that would need a fixed output
# name renamed into the day's file each time; the few records lost
# between stop and start were judged acceptable instead.
sub rotate_argus {
    stop_argus();
    start_argus();
}
# Starts argus writing flow records to LOGDIR/ARGUSPREF.YYMMDD and its
# stderr to LOGDIR/ARGUSPREF_stat.YYMMDD (each suffixed .partN when the
# name is already taken), then hands both files to security:security.
sub start_argus {
    print "Starting argus...\n" if $opt_v == 1;
    # Step the clock first so the records carry accurate times.
    `$FIXTIME`;
    my $outfile  = testname($LOGDIR . "/" . $ARGUSPREF . "." . finddate());
    my $statfile = testname($LOGDIR . "/" . $ARGUSPREF . "_stat." . finddate());
    # NOTE(review): this only warns about an already running argus and
    # still starts another one; callers are expected to have stopped it.
    if (findpid("$ARGUS_CMD") > 10) {
        print "Warning: Argus process already exists\n";
    }
    system("/usr/bin/nice --4 $ARGUS_CMD -w $outfile 2>>$statfile &");
    system("chown security:security $outfile $statfile");
}
# Sends TERM to the argus process reported by findpid, once a second,
# until none is reported.  PIDs of 10 or below are never signalled.
# NOTE(review): as with stop_tcpdump, a process ignoring TERM keeps this
# loop running indefinitely.
sub stop_argus {
    print "Stopping argus...\n" if $opt_v == 1;
    my $victim = findpid("$ARGUS_CMD");
    until ($victim <= 10) {
        kill("TERM", $victim);
        sleep(1);
        $victim = findpid("$ARGUS_CMD");
    }
}
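# "start" command: with a service name starts only that service; with no
# second argument starts both tcpdump and argus.  An unknown service name
# prints the usage text and exits with FAILURE.
sub start_serv {
    if ($#ARGV == 1) {
        # $ARGV[1], not the one-element slice @ARGV[1], for the scalar.
        if ($ARGV[1] eq "tcpdump") { start_tcpdump(); return; }
        if ($ARGV[1] eq "argus")   { start_argus();   return; }
        usage();
        exit($FAILURE);
    }
    start_tcpdump();
    start_argus();
    return;
}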
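# "stop" command: with a service name stops only that service; with no
# second argument stops both.  An unknown service name prints the usage
# text and exits with FAILURE.
sub stop_serv {
    if ($#ARGV == 1) {
        if ($ARGV[1] eq "tcpdump") { stop_tcpdump(); return; }
        if ($ARGV[1] eq "argus")   { stop_argus();   return; }
        usage();
        exit($FAILURE);
    }
    # Plain "stop" used to call start_tcpdump()/start_argus() here, i.e.
    # it launched a second copy of each service instead of stopping them.
    stop_tcpdump();
    stop_argus();
    return;
}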
# "restart" command: stop then start the named service, or both services
# (tcpdump first, then argus) when no service name is given.  An unknown
# service name prints the usage text and exits with FAILURE.
sub restart_serv {
    my %restart_for = (
        tcpdump => sub { stop_tcpdump(); start_tcpdump(); },
        argus   => sub { stop_argus();   start_argus();   },
    );
    if ($#ARGV == 1) {
        my $restart = $restart_for{ $ARGV[1] };
        # default case: not a known service name
        if (!$restart) { usage(); exit($FAILURE); }
        $restart->();
        return;
    }
    $restart_for{tcpdump}->();
    $restart_for{argus}->();
    return;
}
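# "rotate" command: start a new output file for the named service, or for
# both when no service name is given.  tcpdump must be restarted to
# rotate; argus goes through rotate_argus (which also restarts, see the
# comment there).  An unknown service name prints the usage text and
# exits with FAILURE, as the other commands do, instead of silently
# doing nothing.
sub rotate_serv {
    if ($#ARGV == 1) {
        if ($ARGV[1] eq "tcpdump") { stop_tcpdump(); start_tcpdump(); return; }
        if ($ARGV[1] eq "argus")   { rotate_argus(); return; }
        usage();
        exit($FAILURE);
    }
    stop_tcpdump();
    start_tcpdump();
    rotate_argus();
    return;
}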
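# Prints the command-line synopsis to STDOUT.  Used for "help" and for
# every argument error (the caller chooses the exit status).  The empty
# prototype was dropped: it only changed how calls parse, not what they
# accept.
sub usage {
    # print rather than printf: $0 is data, and a "%" in the script path
    # would otherwise be taken as a format directive.  "rotate" is listed
    # because the dispatcher accepts it.
    print "$0 <-v> start|stop|rotate|restart|help <tcpdump|argus>\n";
    print " Omitting second argument means both tcpdump and argus\n";
}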
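# Command-line handling: exactly one command, optionally followed by a
# service name; anything else is a usage error.
if ($#ARGV > 1 || $#ARGV < 0) {
    usage();
    exit($FAILURE);
}
# Require root by effective UID.  The previous check grepped the output
# of `id` for "root", which also accepted any user or group whose name
# merely contained that string and depended on spawning a child process.
if ($> != 0) {
    print STDERR "Program must be ran by root\n";
    exit($FAILURE);
}
# Dispatch on the command word; "help" is handled separately because it
# exits with SUCCESS rather than falling through to the end of the script.
my %handler_for = (
    start   => \&start_serv,
    stop    => \&stop_serv,
    rotate  => \&rotate_serv,
    restart => \&restart_serv,
);
if ($ARGV[0] eq "help") {
    usage();
    exit($SUCCESS);
}
if (my $handler = $handler_for{ $ARGV[0] }) {
    $handler->();
} else {
    usage();
    exit($FAILURE);
}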
-------------- next part --------------
# Sample monitor.conf for the argus/tcpdump script above.  Every line of
# this file is executed as Perl (one string eval per line) by a script
# that runs as root, so the file carries the same trust as the script:
# keep it root-owned and not writable by anyone else.  Each assignment
# must fit on one line, and a line may only use variables assigned on an
# earlier line (LOGDIR is referenced by TCPDUMP_FILTER below).
$LOGDIR="/log1";
# ARCHIVEDIR is set here but not referenced by the script as posted.
$ARCHIVEDIR="/log2";
# File name prefixes for the daily argus and tcpdump output files.
$ARGUSPREF="pax";
$TCPDUMPPREF="paxdump";
# Full command lines; the script appends -w <file> (and -F <filter> for
# tcpdump) and hands the result to a shell.
$ARGUS_CMD="/usr/local/sbin/argus -D 1800";
$TCPDUMP_CMD="/usr/local/sbin/tcpdump -s 1600";
# Filter file passed to tcpdump -F; tcpdump is not started if unreadable.
$TCPDUMP_FILTER="$LOGDIR/Combined_Filter";
# Exit statuses used by the script.
$SUCCESS="0";
$FAILURE="1";
# Run (via backticks) before every start so reported times are accurate.
$FIXTIME="/usr/sbin/ntpdate -t 1 171.64.7.99";
# Set but not referenced by the script as posted; presumably meant for
# error mail.
$ERR_RCPT="security\@sunset.stanford.edu";