Two program and other odds and ends

Russell Fulton r.fulton at auckland.ac.nz
Mon Sep 11 17:30:07 EDT 2000


On Mon, 11 Sep 2000 08:23:14 -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Well,
>    That will make it much easier and solve a
> few fundamental problems on the way.  Does anyone
> have any problems with a flex/bison dependency?
> 

Nope, we normally put all the GNU development tools on to any systems 
that we do development on.

As for the snort/argus problem:

I 'discovered' the problem yesterday when I did a search for an IP that 
turned up in my slow scan detector (which runs on a linux box).  It was 
probing POP and IMAP ports at the rate of about 5 a day.  I ran ra on 
the new (fast) FreeBSD box to get all POP and IMAP sessions that did 
not get established for the last few days and could not find my prober. 
I then ran ra to extract just the records for that IP address and only 
found 3 of the 5 packets.  Both machines are running 1.8.1.

Hmmm... back to 2.0.0c on FreeBSD 4.1.  I have just run new ra on a 
file that I had collected overnight and I am now puzzled.  Using the -z 
option yesterday I thought I got  sSEfF for a standard tcp session but 
this morning I am getting sSEFC (like my old one).  I remember you 
saying that you were distinguishing between FIN and FIN/ACK.  Tell me 
I'm not cracking up ;-)

Another oddity:  when I pipe the output from ra (2.0.0) through less 
or more I don't get complete pages.  Instead the cursor stops at some 
arbitrary point on the screen until I hit the space bar.  I never see 
the ':' prompt.  If I redirect output to a file and view with more or 
less things behave as expected.

I am getting somewhat suspicious about that machine!

Russell
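The investigation described in the post (a slow-scan detector flagging a source that probes POP and IMAP a few times a day, then an ra query for unestablished mail sessions that recovers only some of that source's records) is easy to reproduce as a small script. The code below is an added example, not from the post, the argus project, or ra; the record format is constructed for the example and is not ra's output format, and the meaning of the state letters (lower-case 's' SYN seen, 'S' SYN/ACK, 'E' established, 'f'/'F' FIN and FIN/ACK) is an assumption modelled on the flag strings quoted in the post.

```python
"""Added example: slow-scan detection and the record-count cross-check
from the post, over constructed flow records (not ra output)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample flows: start time, src ip, dst ip, dst port, state flags.
# The flag letters are an assumption: 's' SYN, 'S' SYN/ACK, 'E' established,
# 'f' FIN, 'F' FIN/ACK (modelled on "sSEfF" in the post, not argus' definition).
SAMPLE_FLOWS = """\
2000-09-08T02:11:03 192.0.2.17 198.51.100.5 110 s
2000-09-08T14:40:55 192.0.2.17 198.51.100.6 143 s
2000-09-09T03:02:10 192.0.2.17 198.51.100.7 110 s
2000-09-09T11:20:41 192.0.2.17 198.51.100.8 143 sSE
2000-09-09T23:59:58 192.0.2.17 198.51.100.9 110 s
2000-09-08T09:00:00 203.0.113.4 198.51.100.5 110 sSEfF
2000-09-08T09:00:10 203.0.113.4 198.51.100.5 143 sSEfF
"""

MAIL_PORTS = {110, 143}  # POP3 and IMAP


def parse_flows(text):
    """Parse the constructed whitespace-separated records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst, dport, flags = line.split()
        flows.append({
            "start": datetime.fromisoformat(stamp),
            "src": src, "dst": dst, "dport": int(dport), "flags": flags,
        })
    return flows


def is_unestablished(flags):
    """SYN seen from the client, but neither a SYN/ACK nor an established
    state was recorded (the 'sessions that did not get established' query)."""
    return "s" in flags and "S" not in flags and "E" not in flags


def slow_scanners(flows, ports=MAIL_PORTS, min_targets=4, max_per_day=3):
    """Flag sources that touch many distinct (host, port) targets on the
    given ports while never exceeding max_per_day probes on a single day,
    i.e. the low-and-slow pattern a per-day threshold alone would miss."""
    targets = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["dport"] not in ports:
            continue
        targets[f["src"]].add((f["dst"], f["dport"]))
        per_day[f["src"]][f["start"].date()] += 1
    found = {}
    for src, tset in targets.items():
        if len(tset) >= min_targets and max(per_day[src].values()) <= max_per_day:
            found[src] = sorted(tset)
    return found


def reconcile(flows, src, ports=MAIL_PORTS):
    """Redo the post's cross-check: how many of a source's records the
    'unestablished mail session' filter recovers versus all of its records.
    A shortfall means some probes completed a handshake or were recorded
    with different flags, so the narrower query alone would miss them."""
    total = [f for f in flows if f["src"] == src]
    matched = [f for f in total
               if f["dport"] in ports and is_unestablished(f["flags"])]
    return len(matched), len(total)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, tgts in slow_scanners(flows).items():
        print(f"slow scanner {src}: {len(tgts)} distinct mail-port targets")
        print("unestablished-session filter recovered %d of %d records"
              % reconcile(flows, src))
```

With the constructed data, 192.0.2.17 is flagged (five distinct targets, never more than three probes in a day), and the narrower "unestablished" query recovers only four of its five records because one probe reached the established state. That is the same kind of mismatch the post reports, and it is why a per-source pull of all records is worth running alongside the state-filtered query before concluding the sensor dropped packets.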


