new argus and argus-clients distribution

Carter Bullard carter at qosient.com
Sun Aug 17 22:49:25 EDT 2003


Gentle people,
   There is a new argus and argus-clients tar distribution
that fixes a parsing error in the ra* filter compiler.

ftp://qosient.com/dev/argus-2.0/argus-2.0.6.beta.13.tar.gz
ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.6.beta.43.tar.gz

Please test this release at your convenience, and of course
if there are any issues that you need addressing, don't
hesitate to send mail.

Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Carter Bullard
> Sent: Sunday, August 17, 2003 9:34 PM
> To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> Subject: RE: Argus: ip proto usage
>
>
> Hey Geoff,
>    I've checked out the compiler and yes, there is a
> bug in the "proto value" parsing.  I'll have a fix
> up on Monday, in both the argus and argus-clients
> distributions on the server.
>
> Carter
>
>
>
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > Carter Bullard
> > Sent: Sunday, August 17, 2003 7:08 PM
> > To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> > Subject: RE: Argus: ip proto usage
> >
> >
> > Hey Geoff,
> >    There could easily be a bug, so we'll have to dig just a
> > bit, but first, what does '1.2.3.4/56' mean?  That is not
> > a real CIDR address, so I'm not sure what it will do, but
> > I'll check later tonight.  Have you tried this with a correct
> > CIDR address to see if it changes things?
> >
> >    The mask bit length should be less than 32.
> >
> > Carter
> >
> >
> >
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > > Geoff Powell
> > > Sent: Saturday, August 16, 2003 9:52 AM
> > > To: argus-info at lists.andrew.cmu.edu
> > > Subject: Argus: ip proto usage
> > >
> > >
> > > Hi all
> > >
> > > I've been using Argus server and the ra utilities for a few months. I
> > > have found the application to be reasonably stable and useful; it's
> > > pretty good, so thanks to the authors and maintainers.
> > >
> > > I have a few questions, hopefully someone has the answers.
> > >
> > > I use racount to grasp traffic usage on different IP protocols and
> > > ports. For example, to find the usage for tcp port 80 for host 1.2.3.4 I
> > > might use the following two commands
> > >
> > > racount -n -r datafile.out - tcp and src net 1.2.3.4/56 and port 80
> > > racount -n -r datafile.out - tcp and dst net 1.2.3.4/56 and port 80
> > >
> > > However, when I use the same method to get usage for IPSec (udp port
> > > 500, also utilizes ip protocols 50 and 51), using the following commands
> > >
> > > racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> > > racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> > > racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> > > racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> > > racount -n -r datafile.out - udp and port 500 and dst 1.2.3.4/56
> > > racount -n -r datafile.out - udp and port 500 and src net 1.2.3.4/56
> > >
> > > I have noticed that the above filters yield incorrect results. The first
> > > command, if piped to a file using ra instead of racount, shows any IP
> > > transaction that is not tcp, udp or icmp. So, in my file for that one
> > > command I see 47, 50 and 51. Hence, when using racount and the same
> > > filter, incorrect byte counts are returned.
> > >
> > > Moreover, the following two commands produce the same output, which is
> > > incorrect.
> > >
> > > (I have RA_PRINT_SUMMARY=no)
> > >
> > > # racount -r data.out - ip proto 2987212 and not tcp and not udp and not icmp
> > > racount    records    total_pkts    src_pkts    dst_pkts    total_bytes    src_bytes    dst_bytes
> > >     sum        808        101170       50616       50554       21254862      7194035     14060827
> > >
> > > # racount -r data.out - ip proto 1 and not tcp and not udp and not icmp
> > > racount    records    total_pkts    src_pkts    dst_pkts    total_bytes    src_bytes    dst_bytes
> > >     sum        808        101170       50616       50554       21254862      7194035     14060827
> > >
> > > The ra documentation reads as follows:
> > >
> > > ip proto protocol
> > > True if the Argus record is an ip transaction (see ip(4P)) of protocol
> > > type protocol.  Protocol can be a number or any of the string values
> > > found in /etc/protocols
> > >
> > > "2987212" is certainly not in my /etc/protocols :-)
> > >
> > > Am I doing something wrong, or is this a bug in the application?
> > >
> > > # rpm -q argus
> > > argus-2.0-4
> > >
> > > Linux 2.4.19, Red Hat Linux release 7.3 (Valhalla)
> > >
> > > Any help much appreciated, I hope what I'm saying makes sense.
> > >
> > > Thanks in advance
> > >
> > > Regards,
> > > Geoff (geoff at lanrex.net.au)
> > >
> > >
> > >
> >
> >
> >
> >
>
>
>
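The thread above turns on two filter inputs that the ra* filter compiler accepted when it should have refused them: an "ip proto" value far outside the one-byte range (2987212), which made the proto term match every non-tcp/udp/icmp record, and a CIDR prefix length above 32 (1.2.3.4/56). The following standalone Python is an added illustration, not argus code and not from any message in the thread: it validates both token kinds and evaluates a small subset of the ra filter grammar over constructed flow records, so the intended result of "ip proto 50 and not tcp and not udp and not icmp" (only ESP) can be compared with what Geoff observed (everything that is not tcp, udp or icmp). The protocol table, the flow records, the supported term set and the racount-style (records, bytes) summary are all assumptions made for the example; prefix lengths 0 through 32 are accepted, with /32 meaning a single host.

```python
import ipaddress

# Constructed subset of /etc/protocols so the example runs offline (assumption, not the system file).
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


def parse_proto(token):
    """Resolve an 'ip proto' argument to an IP protocol number, or raise ValueError.

    IP protocol numbers are one byte, so anything outside 0..255 (such as the
    '2987212' from the thread) is refused instead of being silently accepted.
    """
    if token.isdigit():
        number = int(token)
        if number > 255:
            raise ValueError(f"protocol number out of range: {token}")
        return number
    if token.lower() not in PROTOCOLS:
        raise ValueError(f"unknown protocol name: {token}")
    return PROTOCOLS[token.lower()]


def parse_net(token):
    """Parse 'a.b.c.d/len' into an IPv4Network, refusing prefix lengths above 32."""
    addr, sep, length = token.partition("/")
    if not sep or not length.isdigit():
        raise ValueError(f"expected address/prefix-length: {token}")
    plen = int(length)
    if plen > 32:
        raise ValueError(f"mask bit length must be 0..32: {token}")
    # strict=False keeps host bits, so 1.2.3.4/24 denotes the 1.2.3.0/24 network.
    return ipaddress.IPv4Network((addr, plen), strict=False)


def compile_filter(expr):
    """Compile an ra-style conjunction ('term and not term ...') into a predicate on a flow dict.

    Supported terms (assumed subset): tcp | udp | icmp | ip proto X | src net A/L | dst net A/L | port N.
    Every value is validated at compile time, so a bad filter fails loudly rather than matching too much.
    """
    tokens = expr.split()
    preds = []
    i = 0
    try:
        while i < len(tokens):
            negate = tokens[i] == "not"
            if negate:
                i += 1
            tok = tokens[i]
            if tok in ("tcp", "udp", "icmp"):
                pred = lambda f, n=PROTOCOLS[tok]: f["proto"] == n
                i += 1
            elif tok == "ip" and tokens[i + 1] == "proto":
                pred = lambda f, n=parse_proto(tokens[i + 2]): f["proto"] == n
                i += 3
            elif tok in ("src", "dst") and tokens[i + 1] == "net":
                net = parse_net(tokens[i + 2])
                pred = lambda f, d=tok, n=net: ipaddress.IPv4Address(f[d]) in n
                i += 3
            elif tok == "port":
                pred = lambda f, p=int(tokens[i + 1]): p in (f["sport"], f["dport"])
                i += 2
            else:
                raise ValueError(f"unexpected token {tok!r}")
            preds.append((lambda f, q=pred: not q(f)) if negate else pred)
            if i < len(tokens):
                if tokens[i] != "and":
                    raise ValueError(f"expected 'and' before {tokens[i]!r}")
                i += 1
    except IndexError:
        raise ValueError(f"filter expression ends unexpectedly: {expr!r}") from None
    return lambda f: all(p(f) for p in preds)


# Constructed sample flow records standing in for argus records (not real data).
FLOWS = [
    {"proto": 6,  "src": "1.2.3.4", "dst": "10.0.0.1", "sport": 40001, "dport": 80,  "bytes": 1200},
    {"proto": 17, "src": "1.2.3.4", "dst": "10.0.0.2", "sport": 500,   "dport": 500, "bytes": 600},
    {"proto": 50, "src": "1.2.3.4", "dst": "10.0.0.2", "sport": 0,     "dport": 0,   "bytes": 9000},
    {"proto": 51, "src": "1.2.3.4", "dst": "10.0.0.2", "sport": 0,     "dport": 0,   "bytes": 3000},
    {"proto": 47, "src": "1.2.3.4", "dst": "10.0.0.3", "sport": 0,     "dport": 0,   "bytes": 4000},
    {"proto": 50, "src": "5.6.7.8", "dst": "10.0.0.2", "sport": 0,     "dport": 0,   "bytes": 500},
]


def racount(expr, flows=FLOWS):
    """Return (records, total_bytes) for the flows matching expr, like a racount summary line."""
    match = compile_filter(expr)
    hits = [f for f in flows if match(f)]
    return len(hits), sum(f["bytes"] for f in hits)


def is_rejected(parser, token):
    """True if parser raises ValueError for token (shows which inputs the validators refuse)."""
    try:
        parser(token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # ESP from 1.2.3.0/24: only the single proto-50 record, not every non-tcp/udp/icmp flow.
    print(racount("ip proto 50 and not tcp and not udp and not icmp and src net 1.2.3.0/24"))
    # What the thread's filter effectively counted once the proto value was ignored (47, 50 and 51).
    print(racount("not tcp and not udp and not icmp and src net 1.2.3.0/24"))
    for parser, token in ((parse_proto, "2987212"), (parse_net, "1.2.3.4/56")):
        print(token, "rejected:", is_rejected(parser, token))
```

Run as a script it prints the two record/byte summaries and confirms that both malformed tokens from the thread are refused; with a valid proto value, "ip proto 1 and not icmp" is contradictory and matches nothing, which is the result the two identical racount outputs in the report should have differed on.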