something killed argus....
Russell Fulton
r.fulton at auckland.ac.nz
Sun Nov 18 21:16:25 EST 2001
Hi All,
Early Sunday morning (local time) something nasty happened on
our DMZ which killed off all three of my argus processes (two 1.8.x and
one 2.0.3).
Here is the last record that the argus 2 server logged:
<ArgusRecord ArgusSourceId = "130.216.4.207" SequenceNumber = "275349679"
Cause = "Status"
StartTime = "U1006002487" StartTimeusecs = "109678"
LastTime = "U572214639" LastTimeusecs = "1595010053"
Duration = "-433787848.1594900375" >
<Far TransRefNum = "223208229">
<Flow> <IP SrcIPAddr = "221.95.223.94" DstIPAddr = "160.186.69.52"
Proto = "idpr-cmtp" Sport = "48185" Dport = "52005" />
</Flow>
<FlowAttrs SrcTTL = "210" DstTTL = "9" SrcTOS = "0xe4"
DstTOS = "0xed" />
<Metrics SrcCount = "-1905790438" DstCount = "-1523318114"
SrcBytes = "-602963239" DstBytes = "168149263"
SrcAppBytes = "2043903996" DstAppBytes = "66380956" />
</Far>
</ArgusRecord>
Hmmm... one thing that occurs to me is that this just represents garbage
that got written on the end of the output file when argus crashed, rather
than a real record. ra crashed with a seg fault after printing this
record.
Any other ideas?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
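
The garbage-record hypothesis in the message above can be tested by checking the record's fields for internal consistency. This is an added example, not part of the original post or of argus; the function name implausible_fields and the reading of the "U" prefix as Unix epoch seconds are assumptions.

```python
import xml.etree.ElementTree as ET

# The record from the post, whitespace condensed; attribute values unchanged.
RECORD = """<ArgusRecord ArgusSourceId = "130.216.4.207" SequenceNumber = "275349679"
 Cause = "Status" StartTime = "U1006002487" StartTimeusecs = "109678"
 LastTime = "U572214639" LastTimeusecs = "1595010053"
 Duration = "-433787848.1594900375" >
<Far TransRefNum = "223208229">
<Flow> <IP SrcIPAddr = "221.95.223.94" DstIPAddr = "160.186.69.52"
 Proto = "idpr-cmtp" Sport = "48185" Dport = "52005" /> </Flow>
<FlowAttrs SrcTTL = "210" DstTTL = "9" SrcTOS = "0xe4" DstTOS = "0xed" />
<Metrics SrcCount = "-1905790438" DstCount = "-1523318114"
 SrcBytes = "-602963239" DstBytes = "168149263"
 SrcAppBytes = "2043903996" DstAppBytes = "66380956" />
</Far> </ArgusRecord>"""


def implausible_fields(xml_text):
    """Return a list of reasons the record cannot describe a real flow."""
    try:
        rec = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    try:
        # Assumption: the "U" prefix marks Unix epoch seconds.
        start = int(rec.get("StartTime", "").lstrip("U"))
        last = int(rec.get("LastTime", "").lstrip("U"))
        if last < start:
            problems.append("LastTime precedes StartTime")
        for name in ("StartTimeusecs", "LastTimeusecs"):
            if not 0 <= int(rec.get(name, "")) < 1_000_000:
                problems.append(f"{name} outside 0..999999")
        if float(rec.get("Duration", "")) < 0:
            problems.append("Duration is negative")
        for metrics in rec.iter("Metrics"):
            for name, value in metrics.attrib.items():
                if int(value) < 0:
                    problems.append(f"{name} is negative")
    except ValueError as exc:
        problems.append(f"non-numeric field: {exc}")
    return problems


if __name__ == "__main__":
    for reason in implausible_fields(RECORD):
        print(reason)
```

A record that fails several of these checks at once is more likely a partially written or corrupted tail of the output file than a flow seen on the wire.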