[ARGUS] ra question (on FreeBSD/Sparc64)

Carter Bullard carter at qosient.com
Mon Dec 6 18:40:37 EST 2004 

Hey James,
   Well the 64 bit thing will cause problems, since  your
machine has defined a "struct timeval" using 64-bit values
rather than 32 bit ones.  This displaces all the data in
an argus record by 8 bytes, so none of the filters will find
the right values to compare.

Try this patch for the file ./include/compat.h,
just to see if it gets you anywhere.  It may help,
but its a long shot>

cvs diff compat.h
Index: compat.h
===================================================================
RCS file: /usr/local/cvsroot/argus-clients/include/compat.h,v
retrieving revision 1.8
diff -r1.8 compat.h
46a47,49
> #define ARGUS64BIT    1
> 
> #if !defined(ARGUS64BIT)
47a51,56
> #else
> struct argtimeval {
>    int tv_sec;
>    int tv_usec;
> };
> #endif


Carter


> From: "Gill, James" <james.gill at mci.com>
> Reply-To: <James.Gill at mci.com>
> Date: Mon, 06 Dec 2004 18:27:39 -0500 (EST)
> To: argus-info mailing list <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] ra question (on FreeBSD/Sparc64)
> 
> 
> So ... here's some data in my argus.out file:
> 
> [box] /usr/local/argus> ra -nn -r argus.out - | tail -5
> 23 Oct 04 19:07:00           udp  200.42.108.205.3486   ->   2.4.5.111.1434  1
> 23 Oct 04 19:07:43  s        tcp     66.77.61.80.2556   ->    2.4.5.14.3001  2
> 23 Oct 04 19:07:53  s        tcp     66.77.61.80.2556   ->    2.4.5.14.3001  1
> 23 Oct 04 19:08:08           udp    209.79.46.76.3081   ->   2.4.5.223.1434  1
> 
> now if i want to look for just stuff to, say, port 3001:
> 
> [box] /usr/local/argus> ra -nn -r argus.out - port 3001
> 
> ...what? no data?  I know I have flows with dst port 3001!  Why is this
> happening?
> 
> It seems that whatever I do, my "filter expression" causes ra to produce no
> output.  This works fine on my very similar i386 box, why not on the sparc?
> 
> I'm running this version, built from FreeBSD ports:
> [box] /usr/local/argus> argus -v
> Argus Version 2.0.6.fixes.1
> 
> Here's an important point of information:
> [box] /usr/local/argus> uname -a
> FreeBSD drain.donkeytech.net 5.3-BETA7 FreeBSD 5.3-BETA7 #0: Sat Oct  9
> 12:41:54
> UTC 2004     jamgill at drain:/usr/obj/usr/src/sys/GENERIC  sparc64
> 
> I'm pretty crunched for time until after the new year, but if anyone has
> suggestions about what might be causing this and what to do to test, I'm all
> ears.
> 
> 
> Thanks,
> 
> --gill
> 
> 
>         -----------------------------------------------------
>         MCI/UUNET Network Security & Abuse * 1-800-900-0241,4
>         -----------------------------------------------------
>              v-net:  desk = 806-3834 ; group = 806-8805
>

More information about the argus mailing list