Argus duser field stays blank
Karl Tatgenhorst
karlt at uchicago.edu
Thu Aug 10 11:38:10 EDT 2006
As I was trying to say before the monkey that is the Evolution Mail
Client sent my e-mail unexpectedly, I would not think to tell the
attackers not to do that. My point was not to set up your listener with
an IP address. That is what caused the flow count to go so high, and I
believe it is what killed our server process.
Have you tested Argus on OC192? I think we might be going down that
path in a year or so.
Karl
On Thu, 2006-08-10 at 08:19 -0700, Peter Van Epp wrote:
> On Thu, Aug 10, 2006 at 09:59:35AM -0500, Karl Tatgenhorst wrote:
> > Carter,
> >
> > As I think more about my test results I am reminded of the old stand
> > up bit "Hey Doc, it hurts when I do this"... "Well, don't do that"
> >
> > In the course of testing Argus one thing we tried was giving the
> > listener interface an IP Address and then hitting it with a large amount
> > of ICMP. While the amount of ICMP is realistic to expect on our network,
> > it would not be like that. Argus tried to separate each ICMP packet and
> > reply as a flow and adjust counters accordingly (we went into the
> > millions of packets) and CPU spiked wildly followed by a core dump. I
> > think it could be handled on your end with a "Don't do this" note :-)
> >
> > The other issue though, duser data is perplexing me and I will be
> > looking at it today.
> >
> > Thanks,
> >
> > Karl
> >
>
> Unfortunately it doesn't do any good to tell an attacker "don't do this
> because it hurts me" so we really do want to understand why large amounts of
> ICMP caused a segfault (it is supposed to drive argus in to collecting less
> information about the flows but not crash it). The desirable (but perhaps not
> achievable :-)) goal is to be able to keep up with line rate under all
> circumstances (that gets difficult at OC192 speeds though).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
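The failure mode discussed above (one flow per ICMP packet once the sniffing interface has an address and answers every echo request) is easy to reproduce in a toy flow table. The Python below is an added illustration written for this page; it is not Argus code and makes no claim about how Argus keys flows internally. The packet fields, the `fine_key`/`coarse_key` functions, the flow cap and the constructed flood are all assumptions, chosen to show why a per-packet key explodes under a flood and why a bounded table that falls back to a coarser key (the "collect less information about the flows" behaviour Peter describes as the intent) keeps growth flat instead of exhausting memory.

```python
"""Flow-table growth under an ICMP flood (constructed illustration).

Not Argus code. Models two ways of keying ICMP packets into flows and a
bounded table that degrades to the coarser key once a cap is reached.
"""
from collections import namedtuple

# Minimal packet model; field names are assumptions for this example.
Packet = namedtuple("Packet", "proto src dst icmp_type icmp_id icmp_seq")


def make_flood(n, attacker="198.51.100.7", victim="10.0.0.5"):
    """Constructed sample traffic: n echo requests with a fresh id/seq each,
    plus the echo reply the victim sends back because its interface has an
    address. Returns 2*n packets."""
    pkts = []
    for i in range(n):
        pkts.append(Packet("icmp", attacker, victim, 8, i & 0xFFFF, i))  # request
        pkts.append(Packet("icmp", victim, attacker, 0, i & 0xFFFF, i))  # reply
    return pkts


def fine_key(p):
    """Per-packet key: direction plus ICMP id/seq. Every packet of the flood
    (and every reply) lands in its own flow record."""
    return (p.proto, p.src, p.dst, p.icmp_id, p.icmp_seq)


def coarse_key(p):
    """Endpoint-pair key, direction-independent: request and reply, and all
    packets between the same two hosts, share one flow record."""
    a, b = sorted((p.src, p.dst))
    return (p.proto, a, b)


class FlowTable:
    """Flow cache keyed by key_fn. If max_flows is set and the table is
    full, a packet that would create a new flow is instead folded into the
    flow chosen by fallback_key_fn (degraded accounting, bounded memory)."""

    def __init__(self, key_fn, max_flows=None, fallback_key_fn=None):
        self.key_fn = key_fn
        self.max_flows = max_flows
        self.fallback_key_fn = fallback_key_fn
        self.flows = {}
        self.degraded = 0  # packets accounted under the fallback key

    def add(self, p):
        k = self.key_fn(p)
        if (k not in self.flows and self.max_flows is not None
                and len(self.flows) >= self.max_flows):
            self.degraded += 1
            k = self.fallback_key_fn(p)
        rec = self.flows.setdefault(k, {"pkts": 0})
        rec["pkts"] += 1

    def flow_count(self):
        return len(self.flows)

    def packet_count(self):
        return sum(r["pkts"] for r in self.flows.values())


def simulate(n_requests, max_flows):
    """Run the same constructed flood through three tables and return the
    resulting flow counts so the growth can be compared."""
    flood = make_flood(n_requests)
    unbounded_fine = FlowTable(fine_key)
    unbounded_coarse = FlowTable(coarse_key)
    bounded = FlowTable(fine_key, max_flows=max_flows, fallback_key_fn=coarse_key)
    for t in (unbounded_fine, unbounded_coarse, bounded):
        for p in flood:
            t.add(p)
    return {
        "packets": len(flood),
        "fine_flows": unbounded_fine.flow_count(),      # grows with the flood
        "coarse_flows": unbounded_coarse.flow_count(),  # one flow per host pair
        "bounded_flows": bounded.flow_count(),          # capped, plus fallback
        "bounded_degraded": bounded.degraded,
        "bounded_packets": bounded.packet_count(),      # nothing is dropped
    }


if __name__ == "__main__":
    for k, v in simulate(1000, max_flows=100).items():
        print(f"{k:17s} {v}")
```

With a per-packet key the flow table grows one record per packet (two per ping, because the reply is its own flow), which is the counter explosion seen in the test; the bounded table stops at the cap and still accounts for every packet, just less precisely. Not giving the monitoring interface an address removes the reply half of the problem entirely, but a flood of requests alone still grows the fine-keyed table without bound.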