[ARGUS] pebkac problem with ra 2.0.5?

Peter Van Epp vanepp at sfu.ca
Tue Mar 23 11:03:17 EST 2004 

	There were some bugs in 2.0.5. Your best bet would be to download and
install 2.0.6.rc2 (the latest prerelease beta) from ftp.qosient.com in 
/dev/argus-2.0 and try that. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Mon, Mar 22, 2004 at 03:29:00PM -0500, Gill, James wrote:
> 
> Hi, I am running argus 2.0.5 on FreeBSD 5.2.1 on a Sun Ultra5 sparc64.  I
> installed via the FreeBSD project's package of argus.
> 
> I believe that ra is not processing the filters correctly.  First, if I am
> to filter for a particular host I would expect this syntax to work:
> 
>   gill at where:~> ra -r /var/log/argus/argus.out - host qosient.com
> 
> but it returns nothing.  am I doing it wrong?  there is data in that file:
> 
>   gill at where:~> ra -r /var/log/argus/argus.out | grep qosient.com
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.50998  ->  qosient.com.http  FIN
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.50999  ->  qosient.com.http  FIN
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.51000  ->  qosient.com.http  FIN
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.51001  ->  qosient.com.http  FIN
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.51002  ->  qosient.com.http  FIN
> 
> I also have problems just looking for specific types of data, TCP for
> example:
> 
>   gill at where:...> ra -r ./argus.2004.03.22.12.00.00.bz2 - tcp
>   <nothing>
>   gill at where:...> ra -r ./argus.2004.03.22.12.00.00.bz2 - icmp
>   <also nothing>
> 
> but it is in there:
> 
>   gill at where:...> ra -r ./argus.2004.03.22.12.00.00.bz2 | grep tcp
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.50978  ->  nova-dsl5010-64.ssh   EST
>   31 Dec 69 19:00:00  tcp ss7.argfrp.us.u.ircd   ?>  haiti.corp.us.u.50260 EST
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.50822  ?>  pc127409.mcilin.ssh   EST
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.50978  ->  nova-dsl5010-64.ssh   EST
> 
> 
> and if i use the "ip proto N" syntax, just the opposite ... i see
> everything (not just the requested protocol):
> 
>   gill at where:...> ra -r ./argus.2004.03.22.12.00.00.bz2 - ip proto 6 | head
>   31 Dec 69 19:00:00  tcp haiti.corp.us.u.50978  ->  nova-dsl5010-64.ssh  EST
>   31 Dec 69 19:00:00  pim asqlr3-vlan167.        ->  PIM-ROUTERS.MCA      INT
>   31 Dec 69 19:00:00  pim asqlr4-vlan167.        ->  PIM-ROUTERS.MCA      INT
>   31 Dec 69 19:00:00  udp asqlr3-vlan167..1985   ->  ALL-ROUTERS.MCA.1985 INT
> 
> and that brings me to my second question ... see that timestamp? yea, 31
> DEC 69 19:00:00 is what I see on EVERY line that ra puts out, in ramon
> output or archived data.  If I use the -u option, I can see the correct
> epoch time, it just does not appear to be converted correctly.
> 
> I expect that I'm doing something wrong, but what?  Did I miss something
> in the manpage?  Is "upgrade the client" the answer?  Could it be a
> platform/package/architecture wierdness issue?
> 
> Thank you for any insight...
> 
> --gill
> 
>         -----------------------------------------------------
>         MCI/UUNET Network Security & Abuse * 1-800-900-0241,4
>         -----------------------------------------------------
>              v-net:  desk = 806-3834 ; group = 806-8805

More information about the argus mailing list