argus command-line parameter handling

Chris Russel russel at yorku.ca
Fri Jun 14 12:03:14 EDT 2002


Hi Folks.  I have a problem that really puts the "argh" in argus for me.
This is not so much of a bug as it is a feature but I don't think it is
adequately explained (at least I didn't notice it before) so hopefully
this will help others.

I came across this because Debian's argus-server package was generating
double accounting records for each packet and went hunting to find out
why.

By the "principle of least surprise" I normally expect command-line
parameters to override the corresponding parameter specified in the config
file.  This seems to be true for some, but not all argus parameters.  It
is especially amusing when using the -i for interface to listen on.

For example, argus will read /etc/argus.conf if it exists and always
listen on the interface specified there regardless what you put on the
command line.  It will ALSO listen on the interface you told it to on the
command line of course.  If it happens to be the same interface you get
double records for every packet.  If it's a different interface you get
accounting records for both, either way causing no end of confusion.

Even better: If you specify -F for the config file, it will STILL read
/etc/argus.conf if it exists, and tack on that interface too.  Therefore,
if you start argus like so: argus -i bond0 -F /etc/argus.conf (and
argus.conf says to listen on bond0) you would get TRIPLE accounting
records for every packet!

Anyhow, the moral of this story: use -X to clear the configuration when
you are starting a custom instance from the command line, or from a
startup script which specifies the config file and either use command-line
options or config files, not both at once.

Debian's argus-server package starts with just such a script and hence
always gives double records (hard to believe nobody else noticed this).

BTW, this is not a knock against argus - it's awesome. The config handling
could use some cleanup though (thankfully the -X option is there).

-- 
Chris Russel     | CNS Information Security
russel at yorku.ca  | York University, Toronto, Canada
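As an added example (not code from the post or from the argus project), here is a startup-script helper that models the merging behaviour Chris describes and only ever emits the -X-first invocation he recommends; the ARGUS_INTERFACE config key and the shell function names are assumptions.

```shell
#!/bin/sh
# Helper for an argus startup script. The rule from the post: lead with -X so
# the implicit /etc/argus.conf is not merged in, then use EITHER a config file
# (-F) OR command-line options (-i), never both.
# Assumption: the config file names its interface as ARGUS_INTERFACE=<name>.

# conf_interface FILE: print the interface a config file selects (empty if none).
conf_interface() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*ARGUS_INTERFACE[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# argus_args MODE VALUE: print the safe argument list for one start mode.
#   conf  /path/argus.conf -> "-X -F /path/argus.conf"
#   iface bond0            -> "-X -i bond0"
# Any other mode is refused (return 1) so a script cannot mix the two.
argus_args() {
    case "$1" in
        conf)  [ -n "$2" ] || return 1; printf '%s\n' "-X -F $2" ;;
        iface) [ -n "$2" ] || return 1; printf '%s\n' "-X -i $2" ;;
        *)     return 1 ;;
    esac
}

# expected_opens IFACE SYSCONF ARGS...: model, taken from the post, of how many
# times IFACE would be opened: once per "-i IFACE", once if the file given to
# -F names it, and once more if SYSCONF (the implicit /etc/argus.conf) names it
# and -X is absent. "-i bond0 -F /etc/argus.conf" therefore yields 3.
expected_opens() {
    eo_iface=$1; eo_sysconf=$2; shift 2
    eo_n=0; eo_cleared=0; eo_explicit=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -X) eo_cleared=1 ;;
            -i) if [ "$2" = "$eo_iface" ]; then eo_n=$((eo_n + 1)); fi; shift ;;
            -F) eo_explicit=$2; shift ;;
        esac
        shift
    done
    if [ -n "$eo_explicit" ] && [ "$(conf_interface "$eo_explicit")" = "$eo_iface" ]; then
        eo_n=$((eo_n + 1))
    fi
    if [ "$eo_cleared" -eq 0 ] && [ "$(conf_interface "$eo_sysconf")" = "$eo_iface" ]; then
        eo_n=$((eo_n + 1))
    fi
    echo "$eo_n"
}
```

A startup script would then run `argus $(argus_args conf /etc/argus.conf)`, and `expected_opens` lets you check a proposed command line for duplicate listeners before deploying it.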