[ARGUS] pebkac problem with ra 2.0.5?

Gill, James james.gill at mci.com
Mon Mar 22 15:29:00 EST 2004 

Hi, I am running argus 2.0.5 on FreeBSD 5.2.1 on a Sun Ultra5 sparc64.  I
installed via the FreeBSD project's package of argus.

I believe that ra is not processing the filters correctly.  First, if I am
to filter for a particular host I would expect this syntax to work:

  gill at where:~> ra -r /var/log/argus/argus.out - host qosient.com

but it returns nothing.  am I doing it wrong?  there is data in that file:

  gill at where:~> ra -r /var/log/argus/argus.out | grep qosient.com
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.50998  ->  qosient.com.http  FIN
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.50999  ->  qosient.com.http  FIN
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.51000  ->  qosient.com.http  FIN
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.51001  ->  qosient.com.http  FIN
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.51002  ->  qosient.com.http  FIN

I also have problems just looking for specific types of data, TCP for
example:

  gill at where:...> ra -r ./argus.2004.03.22.12.00.00.bz2 - tcp
  <nothing>
  gill at where:...> ra -r ./argus.2004.03.22.12.00.00.bz2 - icmp
  <also nothing>

but it is in there:

  gill at where:...> ra -r ./argus.2004.03.22.12.00.00.bz2 | grep tcp
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.50978  ->  nova-dsl5010-64.ssh   EST
  31 Dec 69 19:00:00  tcp ss7.argfrp.us.u.ircd   ?>  haiti.corp.us.u.50260 EST
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.50822  ?>  pc127409.mcilin.ssh   EST
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.50978  ->  nova-dsl5010-64.ssh   EST


and if i use the "ip proto N" syntax, just the opposite ... i see
everything (not just the requested protocol):

  gill at where:...> ra -r ./argus.2004.03.22.12.00.00.bz2 - ip proto 6 | head
  31 Dec 69 19:00:00  tcp haiti.corp.us.u.50978  ->  nova-dsl5010-64.ssh  EST
  31 Dec 69 19:00:00  pim asqlr3-vlan167.        ->  PIM-ROUTERS.MCA      INT
  31 Dec 69 19:00:00  pim asqlr4-vlan167.        ->  PIM-ROUTERS.MCA      INT
  31 Dec 69 19:00:00  udp asqlr3-vlan167..1985   ->  ALL-ROUTERS.MCA.1985 INT

and that brings me to my second question ... see that timestamp? yea, 31
DEC 69 19:00:00 is what I see on EVERY line that ra puts out, in ramon
output or archived data.  If I use the -u option, I can see the correct
epoch time, it just does not appear to be converted correctly.

I expect that I'm doing something wrong, but what?  Did I miss something
in the manpage?  Is "upgrade the client" the answer?  Could it be a
platform/package/architecture wierdness issue?

Thank you for any insight...

--gill

        -----------------------------------------------------
        MCI/UUNET Network Security & Abuse * 1-800-900-0241,4
        -----------------------------------------------------
             v-net:  desk = 806-3834 ; group = 806-8805

More information about the argus mailing list