[ARGUS] .rarc changes from 2.0.5 -> 2.0.6

Carter Bullard carter at qosient.com
Fri Jul 30 16:54:16 EDT 2004


Yeah, documentation is not something I get into.  So there is
a rarc man page in the new release, is it ok or do we need to
do something more?  We could add additions to the FAQ, which
Steve McInerney is working on, if that would be a good thing to
do.

Carter



> From: Nick <ngiordano at mitre.org>
> Date: Fri, 30 Jul 2004 15:27:01 -0500
> To: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] .rarc changes from 2.0.5 -> 2.0.6
> 
> Carter,
>   Thanks for the quick response.  RA_FIELD_DELIMITER still seems to
> work, RA_PRINT_COUNTS and RA_PRINT_DURATION cause argus to fail with:
> 
> ArgusError: ra[9266]: <config file>: syntax error line 4
> 
> -nnn worked great, thanks
> 
> I looked at the RA_FIELD_SPECIFIER in the example, that's great, now I
> can get rid of that annoying '->'.  Keep this up and you're gonna put
> awk out of business.
> 
> This may be a sore subject but is the online documentation going to be
> updated to reflect the rarc changes?  If I had enough information I
> would be willing to take a shot at it.  The page says it was updated
> last in 07 November 2000 and I have only been using argus about a year
> so anything I did would need a sanity check to make sure I don't miss
> anything glaring.
> 
> Thanks again,
> 
> Nick
> 
> Carter Bullard wrote:
> 
>> Hey Nick,
>>   All of those variables, except the RA_FIELD_DELIMITER have been
>> incorporated into the RA_FIELD_SPECIFIER variable.  The new rarc
>> is documented in the example ./support/Config/rarc file, but there
>> is no "what we broke between 2.0.5 and 2.0.6" document.  Does the
>> 2.0.6 ra() actually fail on the 2.0.5 config?  It probably should
>> just silently keep going?
>> 
>>   Use -nnn to blow away all number conversions.
>> 
>> Carter
>> 
>> 
>> 
>>  
>> 
>>> From: Nick <ngiordano at mitre.org>
>>> Date: Fri, 30 Jul 2004 14:53:39 -0500
>>> To: <argus-info at lists.andrew.cmu.edu>
>>> Subject: [ARGUS] .rarc changes from 2.0.5 -> 2.0.6
>>> 
>>> Were there changes to .rarc file configurations between versions 2.0.5
>>> and 2.0.6?  I am running both versions and my config from 2.0.5 fails in
>>> 2.0.6.  Are the differences documented anywhere?
>>> 
>>> I am trying to use:
>>> 
>>> RA_PRINT_COUNTS=yes
>>> RA_PRINT_UNIX_TIME=yes
>>> RA_FIELD_DELIMITER=','
>>> RA_PRINT_DURATION=no
>>> 
>>> and it fails on the first and fourth lines (but they work fine in
>>> 2.0.5).  Also, in 2.0.5 when I use ra -nn -r <data> I get a numerical
>>> representation (i.e. 1, 6 and 17) of the protocol, in 2.0.6 I get
>>> icmp,tcp,udp ...  Is there a way to force ra to give me the number?
>>> 
>>> Thanks,
>>> 
>>> Nick