new argus and argus-clients distribution

Geoff Powell geoff at lanrex.net.au
Mon Aug 18 07:50:04 EDT 2003


Hi Carter,

Love your work!  Thanks for the patch - it seems to have fixed the ip
proto issue as far as my tests so far have shown.  Also, my previous
commands from argus 2.0-4 work fine, which is good news.

I will keep you updated on my progress.

Is there any need for me to upgrade my Argus daemons, or is it only the
ra utilities that have been changed? Most of our servers running the
Argus daemon are the 2.0-4 release.

Thanks again

Regards,
Geoff

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> info at lists.andrew.cmu.edu] On Behalf Of Carter Bullard
> Sent: Monday, August 18, 2003 12:49 PM
> To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> Subject: new argus and argus-clients distribution
> 
> Gentle people,
>    There is a new argus and argus-clients tar distribution
> that fixes a parsing error in the ra* filter compiler.
> 
> ftp://qosient.com/dev/argus-2.0/argus-2.0.6.beta.13.tar.gz
> ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.6.beta.43.tar.gz
> 
> Please test this release at your convenience, and of course
> if there are any issues that you need addressing, don't
> hesitate to send mail.
> 
> Carter
> 
> 
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > Carter Bullard
> > Sent: Sunday, August 17, 2003 9:34 PM
> > To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> > Subject: RE: Argus: ip proto usage
> >
> >
> > Hey Geoff,
> >    I've checked out the compiler and yes, there is a
> > bug in the "proto value" parsing.  I'll have a fix
> > up on Monday, in both the argus and argus-clients
> > distributions on the server.
> >
> > Carter
> >
> >
> >
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > > Carter Bullard
> > > Sent: Sunday, August 17, 2003 7:08 PM
> > > To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> > > Subject: RE: Argus: ip proto usage
> > >
> > >
> > > Hey Geoff,
> > >    There could easily be a bug, so we'll have to dig just a
> > > bit, but first, what does '1.2.3.4/56' mean?  That is not
> > > a real CIDR address, so I'm not sure what it will do, but
> > > I'll check later tonight.  Have you tried this with a correct
> > > CIDR address to see if it changes things?
> > >
> > >    The mask bit length should be less than 32.
> > >
> > > Carter
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: owner-argus-info at lists.andrew.cmu.edu
> > > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > > > Geoff Powell
> > > > Sent: Saturday, August 16, 2003 9:52 AM
> > > > To: argus-info at lists.andrew.cmu.edu
> > > > Subject: Argus: ip proto usage
> > > >
> > > >
> > > > Hi all
> > > >
> > > > I've been using Argus server and the ra utilities for a few
> > > > months. I have found the application to be reasonably stable and
> > > > useful; it's pretty good, so thanks to the authors and maintainers.
> > > >
> > > > I have a few questions; hopefully someone has the answers.
> > > >
> > > > I use racount to grasp traffic usage on different IP protocols and
> > > > ports. For example, to find the usage for tcp port 80 for host
> > > > 1.2.3.4 I might use the following two commands:
> > > >
> > > > racount -n -r datafile.out - tcp and src net 1.2.3.4/56 and port 80
> > > > racount -n -r datafile.out - tcp and dst net 1.2.3.4/56 and port 80
> > > >
> > > > However, when I use the same method to get usage for IPSec (udp port
> > > > 500, also utilizes ip protocols 50 and 51), using the following
> > > > commands:
> > > >
> > > > racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> > > > racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> > > > racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> > > > racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> > > > racount -n -r datafile.out - udp and port 500 and dst 1.2.3.4/56
> > > > racount -n -r datafile.out - udp and port 500 and src net 1.2.3.4/56
> > > >
> > > > I have noticed that the above filters yield incorrect results. The
> > > > first command, if piped to a file using ra instead of racount, shows
> > > > any IP transaction that is not tcp, udp or icmp. So, in my file for
> > > > that one command I see 47, 50 and 51. Hence, when using racount and
> > > > the same filter, incorrect byte counts are returned.
> > > >
> > > > Moreover, the following two commands produce the same output, which
> > > > is incorrect.
> > > >
> > > > (I have RA_PRINT_SUMMARY=no)
> > > >
> > > > # racount -r data.out - ip proto 2987212 and not tcp and not udp and not icmp
> > > > racount    records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
> > > >     sum        808      101170     50616     50554     21254862    7194035   14060827
> > > >
> > > > # racount -r data.out - ip proto 1 and not tcp and not udp and not icmp
> > > > racount    records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
> > > >     sum        808      101170     50616     50554     21254862    7194035   14060827
> > > >
> > > > The ra documentation reads as follows:
> > > >
> > > > ip proto protocol
> > > > True if the Argus record is an ip transaction (see ip(4P)) of protocol
> > > > type protocol.  Protocol can be a number or any of the string values
> > > > found in /etc/protocols
> > > >
> > > > "2987212" is certainly not in my /etc/protocols :-)
> > > >
> > > > Am I doing something wrong, or is this a bug in the application?
> > > >
> > > > # rpm -q argus
> > > > argus-2.0-4
> > > >
> > > > Linux 2.4.19, Red Hat Linux release 7.3 (Valhalla)
> > > >
> > > > Any help much appreciated; I hope what I'm saying makes sense.
> > > >
> > > > Thanks in advance
> > > >
> > > > Regards,
> > > > Geoff (geoff at lanrex.net.au)
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
> >
> 
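As an added illustration (not code from this thread or from the Argus project), the Python sketch below applies the checks Carter's replies point at to the filter primitives used above: the value after `ip proto` must be a number in 0..255 or a name from /etc/protocols, and an IPv4 `net` mask may not exceed 32 bits. Instead of behaving like the 2.0-4 parser Geoff describes, where `ip proto 2987212` and `ip proto 1` returned identical counts, the checker rejects such filters outright and evaluates accepted ones against constructed flow records, so a wrong filter produces an error rather than a plausible-looking byte count. The record field names, the embedded protocol table and the sample records are all assumptions made for this example; the grammar covers only the primitives that appear in the thread (`tcp`, `udp`, `icmp`, `ip proto`, `src`/`dst` `net`, `port`, `and`, `not`).

```python
"""Validate and evaluate a small subset of the Argus ra* filter language.

Added example, not Argus project code: a checker for the filter primitives
used in the thread, applied to constructed flow records.
"""
import ipaddress

# Constructed stand-in for /etc/protocols; a real tool would read the system file.
PROTOCOLS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

# Constructed flow records with assumed field names (not Argus's record layout).
RECORDS = [
    {"proto": 6,  "saddr": "10.0.0.5",  "daddr": "192.0.2.1",    "sport": 40000, "dport": 80},
    {"proto": 17, "saddr": "10.0.0.5",  "daddr": "192.0.2.1",    "sport": 500,   "dport": 500},
    {"proto": 50, "saddr": "10.0.0.5",  "daddr": "192.0.2.1",    "sport": 0,     "dport": 0},
    {"proto": 51, "saddr": "192.0.2.1", "daddr": "10.0.0.5",     "sport": 0,     "dport": 0},
    {"proto": 47, "saddr": "10.0.0.9",  "daddr": "198.51.100.7", "sport": 0,     "dport": 0},
    {"proto": 1,  "saddr": "10.0.0.9",  "daddr": "198.51.100.7", "sport": 0,     "dport": 0},
]


class FilterError(ValueError):
    """Raised for a filter the grammar cannot accept, instead of silently matching."""


def parse_proto(token):
    """'ip proto X': X must be a number in 0..255 or a name in the protocol table."""
    if token.isdigit():
        value = int(token)
        if value > 255:
            raise FilterError(f"protocol number out of range: {token}")
        return value
    if token.lower() not in PROTOCOLS:
        raise FilterError(f"unknown protocol name: {token}")
    return PROTOCOLS[token.lower()]


def parse_net(token):
    """'net A.B.C.D/N': reject prefix lengths longer than 32 bits rather than guessing."""
    try:
        return ipaddress.IPv4Network(token, strict=False)
    except ValueError as exc:
        raise FilterError(f"bad CIDR network {token!r}: {exc}") from None


def compile_filter(text):
    """Compile 'term and term ...' (each term optionally preceded by 'not') into a predicate."""
    tokens = text.split()
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens):
            raise FilterError("unexpected end of filter")
        tok = tokens[pos]
        pos += 1
        if expected is not None and tok != expected:
            raise FilterError(f"expected {expected!r}, got {tok!r}")
        return tok

    def primitive():
        tok = take()
        direction = None
        if tok in ("src", "dst"):          # optional direction qualifier
            direction, tok = tok, take()
        if tok in ("tcp", "udp", "icmp"):  # protocol keywords
            proto = PROTOCOLS[tok]
            return lambda r: r["proto"] == proto
        if tok == "ip":                    # 'ip proto <number|name>'
            take("proto")
            proto = parse_proto(take())
            return lambda r: r["proto"] == proto
        if tok == "net":                   # '[src|dst] net <cidr>'
            net = parse_net(take())
            fields = {"src": ["saddr"], "dst": ["daddr"]}.get(direction, ["saddr", "daddr"])
            return lambda r: any(ipaddress.IPv4Address(r[f]) in net for f in fields)
        if tok == "port":                  # '[src|dst] port <number>'
            port = int(take())
            fields = {"src": ["sport"], "dst": ["dport"]}.get(direction, ["sport", "dport"])
            return lambda r: any(r[f] == port for f in fields)
        raise FilterError(f"unknown primitive {tok!r}")

    def term():
        if pos < len(tokens) and tokens[pos] == "not":
            take()
            inner = term()
            return lambda r: not inner(r)
        return primitive()

    preds = [term()]
    while pos < len(tokens):
        take("and")
        preds.append(term())
    return lambda r: all(p(r) for p in preds)


def count_matches(filter_text, records=RECORDS):
    """Number of records selected by a filter that passed validation."""
    pred = compile_filter(filter_text)
    return sum(1 for r in records if pred(r))


if __name__ == "__main__":
    print(count_matches("ip proto 50 and src net 10.0.0.0/8"))      # ESP flows only
    print(count_matches("not tcp and not udp and not icmp"))         # gre, esp and ah together
    for bad in ("ip proto 2987212 and not tcp", "tcp and src net 1.2.3.4/56 and port 80"):
        try:
            compile_filter(bad)
        except FilterError as err:
            print("rejected:", err)
```

Run on the constructed records, `ip proto 50 and src net 10.0.0.0/8` selects only the ESP flow, while `not tcp and not udp and not icmp` selects the GRE, ESP and AH flows together, which is the superset Geoff saw in his ra output. Both of the thread's problem filters are rejected before any counting happens: the out-of-range protocol number, and the `/56` network that Carter notes is not a real CIDR address.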