Argus duser field stays blank
Peter Van Epp
vanepp at sfu.ca
Thu Aug 10 11:19:58 EDT 2006
On Thu, Aug 10, 2006 at 09:59:35AM -0500, Karl Tatgenhorst wrote:
> Carter,
>
> As I think more about my test results I am reminded of the old stand
> up bit "Hey Doc, it hurts when I do this"... "Well, don't do that"
>
> In the course of testing Argus one thing we tried was giving the
> listener interface an IP Address and then hitting it with a large amount
> of ICMP. While the amount of ICMP is realistic to expect on our network,
> it would not be like that. Argus tried to separate each ICMP packet and
> reply as a flow and adjust counters accordingly (we went into the
> millions of packets) and CPU spiked wildly followed by a core dump. I
> think it could be handled on your end with a "Don't do this" note :-)
>
> The other issue though, duser data is perplexing me and I will be
> looking at it today.
>
> Thanks,
>
> Karl
>
Unfortunately it doesn't do any good to tell an attacker "don't do this
because it hurts me" so we really do want to understand why large amounts of
icmp caused a segfault (it is supposed to drive argus into collecting less
information about the flows but not crash it). The desirable (but perhaps not
achievable :-)) goal is to be able to keep up with line rate under all
circumstances (that gets difficult at OC192 speeds though).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
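The failure Karl describes (every ICMP request and reply becoming its own flow until the table runs away) and the behaviour Peter wants instead (collect less per flow rather than crash) can be sketched as a bounded flow cache. This is an added illustration, not Argus code; the thresholds, packet fields and the coarse-key rule are assumptions.

```python
from collections import OrderedDict

# Constructed sketch (not Argus): a flow table that, once it fills past a
# high-water mark, stops keying ICMP on echo id/seq and folds all ICMP
# between a src/dst pair into one flow, and evicts the oldest entry rather
# than growing without bound.
MAX_FLOWS = 1000   # assumed hard cap on live flows
DEGRADE_AT = 800   # assumed point at which ICMP keys are coarsened


class FlowCache:
    def __init__(self, max_flows=MAX_FLOWS, degrade_at=DEGRADE_AT):
        self.max_flows = max_flows
        self.degrade_at = degrade_at
        self.flows = OrderedDict()   # key -> [packets, bytes], oldest first
        self.evicted = 0

    def key_for(self, pkt, degraded):
        # A per-echo key (id, seq) turns a ping flood into millions of flows;
        # the coarse key keeps the count proportional to address pairs.
        if pkt["proto"] == "icmp":
            if degraded:
                return ("icmp", pkt["src"], pkt["dst"])
            return ("icmp", pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])
        return (pkt["proto"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])

    def add(self, pkt):
        degraded = len(self.flows) >= self.degrade_at
        key = self.key_for(pkt, degraded)
        if key not in self.flows and len(self.flows) >= self.max_flows:
            self.flows.popitem(last=False)   # drop the oldest flow instead of dying
            self.evicted += 1
        entry = self.flows.setdefault(key, [0, 0])
        entry[0] += 1
        entry[1] += pkt["len"]
        self.flows.move_to_end(key)          # most recently seen goes to the tail
        return key


def run_icmp_flood(n_packets, src="10.0.0.1", dst="10.0.0.2"):
    # Constructed input: n echo requests, each with a fresh sequence number.
    cache = FlowCache()
    for seq in range(n_packets):
        cache.add({"proto": "icmp", "src": src, "dst": dst,
                   "id": 1, "seq": seq, "len": 64})
    return cache
```

With 5000 flood packets the table settles at 801 entries (800 fine-grained flows plus one aggregate carrying the remaining 4200 packets) and never evicts.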