argus command-line parameter handling

Carter Bullard carter at qosient.com
Fri Jun 14 12:52:24 EDT 2002


Hey Chris,
   There are several complex behaviors in argus, resulting in
some confusion, and I think you're describing the biggest
one.  I think the problem is that the Argus project is
going to provide maximum flexibility, rather than trying to
keep the user from shooting themselves.  And of course the
documentation sucks, but then again it is free ;o)

   One bug that I will try to fix is preventing argus from
reading the same interface more than once.  That is not that
easy of a thing when some Linuxes support the 'any' interface,
but I'll give it a try.  We could just exit if argus reads
the same configuration file more than once, or warn if it's
reading the same conf more than once?

   The real question for the list is "should argus read
the system /etc/argus.conf if the user specifies another
configuration file".  The answer many, many years ago was
yes, this would allow you to have system defaults and the
user configuration file would modify them.  This was decided
when argus could only read one interface at a time.  Now that
argus can read multiple interfaces, should this be changed?

   Programmatically, this is a bit awkward, since the getopt()
way of dealing with command line options is to deal with them
one at a time, in left to right order.  So, you have to
parse potentially a number of options before you realize that
the user has specified a configuration file, so what do you
do then?  Do you revert to a clean slate, add back the processed
options and then read the configuration file?  That's kinda
complex, isn't it?  And then what to do if they specify two
or more configuration files?

   I'd love to hear some comments on this, if anyone has
any!  

Carter


Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Chris Russel
> Sent: Friday, June 14, 2002 12:03 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: argus command-line parameter handling
> 
> 
> Hi Folks.  I have a problem that really puts the "argh" in argus for me.
> This is not so much of a bug as it is a feature, but I don't think it is
> adequately explained (at least I didn't notice it before), so hopefully
> this will help others.
> 
> I came across this because Debian's argus-server package was generating
> double accounting records for each packet and went hunting to find out
> why.
> 
> By the "principle of least surprise" I normally expect command-line
> parameters to override the corresponding parameter specified in the config
> file.  This seems to be true for some, but not all argus parameters.  It
> is especially amusing when using the -i for interface to listen on.
> 
> For example, argus will read /etc/argus.conf if it exists and always
> listen on the interface specified there regardless of what you put on the
> command line.  It will ALSO listen on the interface you told it to on the
> command line of course.  If it happens to be the same interface you get
> double records for every packet.  If it's a different interface you get
> accounting records for both, either way causing no end of confusion.
> 
> Even better: If you specify -F for the config file, it will STILL read
> /etc/argus.conf if it exists, and tack on that interface too.  Therefore,
> if you start argus like so: argus -i bond0 -F /etc/argus.conf (and
> argus.conf says to listen on bond0) you would get TRIPLE accounting
> records for every packet!
> 
> Anyhow, the moral of this story: use -X to clear the configuration when
> you are starting a custom instance from the command line, or from a
> startup script which specifies the config file, and either use command-line
> options or config files, not both at once.
> 
> Debian's argus-server package starts with just such a script and hence
> always gives double records (hard to believe nobody else noticed this).
> 
> BTW, this is not a knock against argus - it's awesome.  The config handling
> could use some cleanup though (thankfully the -X option is there).
> 
> -- 
> Chris Russel     | CNS Information Security
> russel at yorku.ca  | York University, Toronto, Canada
> 
> 
> 
> 
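The two-pass getopt() handling Carter sketches, with the interface list de-duplicated so that Chris's `argus -i bond0 -F /etc/argus.conf` case listens on bond0 once instead of three times, as an added C example that is not argus code: `conf_interface()` is a constructed stand-in for reading a conf file (the system file naming bond0 follows Chris's example; `/etc/argus-custom.conf` naming eth1 is hypothetical), and `resolve_interfaces()` is an assumed name.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>                 /* getopt(), optind, optarg */

#define MAX_IFS 8
#define SYSTEM_CONF "/etc/argus.conf"

struct argus_cfg { const char *ifs[MAX_IFS]; int nifs; };

/* Constructed stand-in for parsing an argus.conf: returns the interface the
 * file names. The system file naming bond0 is Chris's case; the custom file
 * is hypothetical. A real build would read the file at `path`. */
static const char *conf_interface(const char *path) {
    if (strcmp(path, SYSTEM_CONF) == 0) return "bond0";
    if (strcmp(path, "/etc/argus-custom.conf") == 0) return "eth1";
    return NULL;                    /* treat anything else as absent */
}

/* Add an interface once; adding it twice is what produced the double records. */
static int add_interface(struct argus_cfg *c, const char *name) {
    for (int i = 0; i < c->nifs; i++)
        if (strcmp(c->ifs[i], name) == 0) return 0;
    if (c->nifs >= MAX_IFS) return -1;
    c->ifs[c->nifs++] = name;
    return 1;
}

/* Build the effective interface list. getopt() yields options strictly left
 * to right, so -X and -F are collected in a first pass and every -i is
 * applied in a second pass, after both conf files have been layered. */
int resolve_interfaces(int argc, char **argv, struct argus_cfg *out) {
    const char *user_conf = NULL, *ifname;
    int clear_defaults = 0, opt;
    memset(out, 0, sizeof *out);
    optind = 1;                     /* pass 1: only -X and -F matter */
    while ((opt = getopt(argc, argv, "Xi:F:")) != -1) {
        if (opt == 'X') clear_defaults = 1;
        else if (opt == 'F') user_conf = optarg;
    }
    if (!clear_defaults && (ifname = conf_interface(SYSTEM_CONF)) != NULL)
        add_interface(out, ifname); /* system defaults, unless -X cleared them */
    if (user_conf && (ifname = conf_interface(user_conf)) != NULL)
        add_interface(out, ifname); /* -F file layered on top of the defaults */

    optind = 1;                     /* pass 2: command-line -i comes last */
    while ((opt = getopt(argc, argv, "Xi:F:")) != -1)
        if (opt == 'i') add_interface(out, optarg);
    return out->nifs;
}
```

Resetting `optind` between passes is the glibc/musl way to rescan argv; on BSD libc `optreset` must be set as well.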


