[ARGUS] BSD argus/Linux ra problems?

Peter Van Epp vanepp at sfu.ca
Fri Nov 19 19:05:43 EST 2004 

	This sounds identical to the first report, but I wasn't able to 
reproduce it on the Fedora box I borrowed (I thought I might have done the 
wrong direction, but I didn't have root on that box so I must have run the
ra client successfully on Fedora). On my SUSE 9.1 / linux-2.6.5-7.108 kernel 
box it does fine as a sensor (because it is for westgrid) to FreeBSD and ra  
reads from a FreeBSD sensor box just fine (because I just tried it) all of 

ra -S server:561 -nn

ra -S server:561 -nn -w /tmp/t

ra -S server:561 -w /tmp/t

ra -S server -w /tmp/t

work fine and our Linux fellow says SUSE and Red Hat core should be close to 
identical. I could upgrade my OpenBSD test box to 3.6 (I doubt its there at
the moment I think its 3.3 or 3.4) and try that I suppose. I'll note in 
passing that I believe that OpenBSD still has the bug where part of the last
buffer in pcap won't get passed to argus because the OpenBSD folks rejected
the fix that FreeBSD installed to fix it (which may or may not be important
to you, it doesn't matter if you don't stop argus_bpf often :-)).
	Touching ./devel and ./debug in the argus-clients source directory and
doing ./config make would be interesting. Then starting ra with 

ra -D 8 -S server -w /tmp/t  

will dump debugging information to the console and may provide a clue about 
what is wrong. This seems to be Red Hat specific somehow (but may still be a 
BSD side bug!). It may be also kernel / version specific. I think it was a 
2.4 kernel on the RedHat box I borrowed (I gave the account back when I 
couldn't reproduce the problem so I can't easily check), but on SUSE we tried
both 2.4 and 2.6 kernels without problems.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Fri, Nov 19, 2004 at 02:36:04PM -0800, Michael Sanderson wrote:
> Carter Bullard wrote:
> > Hey Michael,
> >   So what kind of problems are you having?
> > Carter
> 
> I have an OpenBSD 3.6 box running argus 2.0.6.fixes.1.  I have a Fedora 
> Core2 box running argus-clients 2.0.6.fixes.1.  When I connect from Fedora 
> with 'ra -S argus_host -w /var/tmp/data', ra starts up, forks/execs and the 
> child exits very quickly without writing any data.  Argus daemon on OpenBSD 
> reports that the client is done.  If I run this as 'strace ra -S argus_host 
> -w /var/tmp/data', ra continues to run and collect/write data.
> 
> I wasn't directly involved in the build of the box, but my understanding is 
> that no special patches have been applied to the kernel source.  Any buffer 
> issues that Peter has previously posted about that are still outstanding in 
> the BSD kernel are still there.  However, I don't believe that this 
> particular problem has anything to do with that.
> 
> -- 
> Michael Sanderson                   sanders at cs.ubc.ca
> UBC Computer Science		http://www.cs.ubc.ca/spider/sanders/
> 					604 822 6194

More information about the argus mailing list