argus-2.0 and 1.8 support

David Brumley dbrumley at rtfm.stanford.edu
Mon Jan 22 17:44:24 EST 2001


> Hey David,
>    Yes it should, but if you're having a problem, let's
> get to work on it.
> 
> FYI, Clauss has reported a bug in ra(), where it core dumps
> on some non-ip traffic.  I've got a patch for this.  I
> mention it just in case it may impact any problem you may
> be having.
> 

I'm having two issues.  First:
ra -S <hostname>
core dumps.  The problem is in the getopt logic, I think.
For case 'S' the line:
            if ((!Scmdline++) && (ArgusRemoteHostList != NULL))
               ArgusDeleteHostList();
I don't know what Scmdline is, but it's 0.  ArgusRemoteHostList is not
NULL.  However, ArgusRemoteHostList->hostname has
(gdb) p *ArgusRemoteHostList
$2 = {nxt = 0x0, addr = 2130706433, 
  hostname = 0xffbee6b2 "\n\n\n \n\n\n \n\n\n \n\n\n \n\n\n \n\n\n\n
", '\n' <repeats 19 times>, " ", '\n' <repeats 18 times>, filename =
0x0, pipe = 0x0, 

So I'm guessing that hostname is unmalloc'ed information.

Note I'm passing everything on the command line, though it's reading
my (default) $HOME/.rarc.

If I change the above to:
            Scmdline++;
            if ((!Scmdline++) && (ArgusRemoteHostList != NULL))
               ArgusDeleteHostList();

Then it does the right thing with connect, but uses the .rarc server
instead of the command line one.

For the ra on 1.8 records, it's just not reading anything.  Send me
the patch and I'll see if that's the problem.

cheers,
david
  

> > 
> > Do I remember right that 2.0S ra should be able to read 1.8 files?
> > 
> > thx,
> > david
> > 

-- 
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -   dbrumley at Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Fact: you can burn 150 calories per hour banging your head against a wall


