argus-server: argus interface monitoring confusion

Richard Gadsden gadsden at musc.edu
Mon May 19 11:01:08 EDT 2003


On Sat, 17 May 2003, Yotam Rubin wrote:

> On Fri, May 16, 2003 at 09:53:36AM -0400, Carter Bullard wrote:
> 
> [...]
> 
> > 
> >    1. Continue to use /etc/argus.conf as a base default
> >       configuration file.
> 
> /etc/argus.conf should be read by default, unless the user specified 
> a configuration file of his own, in which case the default configuration
> file should not be processed.

Of two minds on this one. On the one hand, being able to combine the
effects of a base config file with a second config file specified on the
command line is a useful feature. But it's also a very common source of
confusion, especially for new users. Because it is so confusing, it
probably should not be the default behavior. So I agree with Yotam.

Whenever I really NEED to combine the effects of a base config file with
one (or more) others, I should just do it explicitly:

 argus -F /etc/argus.conf -F myinterface.conf -F myfilter.conf ...
 
[...]

> >    4. Fix all the options that are additive in order to
> >       ignore duplicates.
> > 
> >    That seems like a good start.  The final issue, if
> > I'm reading the situation correctly, is to process
> > all -F options on the command line first, in left to
> > right order, and then process the other options, in
> > left to right order.  

Yes. And if the user gives any -F options, and does want /etc/argus.conf
to be used as a base config, then he'll just need to include it
explicitly, as in the example above.

> >    That will tackle much of the problems, but there is
> > still one difficult situation, what to do with the
> > additive options "-i", "-r", "-w".  If you have them
> > on the command line, do we blow away the existing
> > lists?  
> 
> This seems like the most intuitive path to follow and corresponds to the
> behavior of many other programs. By nature, command line arguments imply
> overriding previous settings. The command line arguments can be additive
> with themselves, i.e., once the initial overriding has been done, additional
> -r,-w,-i's would carry an additive effect.
> 
> >What to do if I have this situation:
> > 
> >    argus -i eth0 -i eth1
> 
> I like this option the best, as it is easily guessed and doesn't require
> special code to handle.

Agreed, but obviously it should be noted in the documentation that these
three command line options (-r,-w,-i) will first 'override' (i.e. blow
away) any corresponding settings made in the config file(s), and then
their 'additive' nature will kick in if they are used more than once on
the command line.

This is still a little confusing, but it's less confusing than any
alternative I can think of. The inherently 'additive' nature of these
options, either on the command line or within config files, is what really
needs to be emphasized to the user.

Thanks,
Richard
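
The resolution order discussed in this thread, as an added example (not argus source code and not part of the message above): all -F files are read first, left to right, /etc/argus.conf is read only when no -F is given, and the first -i/-r/-w on the command line discards the config-file list before further uses append to it. Modelling parsed config files as dicts keyed by option letter, and the sample file contents, are assumptions made for illustration.

```python
# Added illustration of the option handling proposed in this thread.
# Not argus source code; parsed config files are modelled as constructed dicts.
ADDITIVE = ("-i", "-r", "-w")        # the list-valued options named in the thread
DEFAULT_CONF = "/etc/argus.conf"

# Constructed sample data: path -> {option: [values]} (hypothetical, simplified).
SAMPLE_CONFS = {
    "/etc/argus.conf": {"-i": ["eth0"], "-w": ["/var/log/argus.out"]},
    "myinterface.conf": {"-i": ["eth1", "eth0"]},
}

def _add(lst, value):
    """Append value unless already present (item 4: ignore duplicates)."""
    if value not in lst:
        lst.append(value)

def resolve(argv, confs=SAMPLE_CONFS):
    """Return the effective -i/-r/-w lists for argv (tokens after 'argus')."""
    pairs = list(zip(argv[0::2], argv[1::2]))   # each option here takes one value
    explicit = [val for opt, val in pairs if opt == "-F"]
    for path in explicit:
        if path not in confs:
            raise FileNotFoundError(path)
    # Pass 1: every -F, left to right; the default file only if no -F was given.
    result = {opt: [] for opt in ADDITIVE}
    for path in explicit or [DEFAULT_CONF]:
        for opt, values in confs.get(path, {}).items():
            for value in values:
                _add(result[opt], value)
    # Pass 2: remaining options, left to right. The first use of an additive
    # option discards the config-file list; later uses append to it.
    overridden = set()
    for opt, value in pairs:
        if opt not in ADDITIVE:
            continue
        if opt not in overridden:
            result[opt] = []
            overridden.add(opt)
        _add(result[opt], value)
    return result

if __name__ == "__main__":
    for cmd in ([], ["-F", "myinterface.conf"], ["-i", "eth2", "-i", "eth3"]):
        print(cmd, resolve(cmd))
```

Printing the resolved lists at startup is a quick way to confirm which interfaces a sensor will actually monitor under these rules.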



