rc.28 code on the server

Carter Bullard carter at qosient.com
Tue Aug 29 17:12:59 EDT 2006


Hey Richard,
Looks obviously like a bug!!!  But you can never tell!!!!!
I'll take a look at it tonight.
Carter

Richard Bejtlich wrote:

> On 8/28/06, Carter Bullard <CARTER at qosient.com> wrote:
>
>> Gentle people,
>> New release candidate code on the server that fixes a number of
>> problems posted to the mailing list.
>
>
> Hi Carter and everyone,
>
> This is a weird issue which appears with both Argus 2.0.6 (from
> FreeBSD ports tree) and rc.28 (which compiles fine on FreeBSD 6.1
> SECURITY).
>
> I have a Libpcap trace that does not have any other traffic besides
> that involving host 192.168.0.10, i.e.:
>
> orr:/home/richard$ tcpdump -n -r dump.cap not host 192.168.0.10
> reading from file dump.cap, link-type EN10MB (Ethernet)
> orr:/home/richard$
>
> However, check out these results from Argus:
>
> orr:/usr/local/src/argus-3.0.0.rc.28/bin$ ./argus -r
> /home/richard/dump.cap -w /home/richard/dump.cap.arg3
>
> orr:/usr/local/src/argus-3.0.0.rc.28/bin$ cd
> /usr/local/src/argus-clients-3.0.0.rc.28/bin/
>
> orr:/usr/local/src/argus-clients-3.0.0.rc.28/bin$ ./ra -n -r
> /home/richard/dump.cap.arg3 -- not host 192.168.0.10
>
>    20:34:41.313092   arp   192.168.0.10     who   192.168.0.1       2      2        84        120   CON
>    20:34:48.293810   arp   192.168.0.2      who   192.168.0.10      1      1        60         42   CON
>    20:36:40.787045   tcp   80.2.0.16.4482   ->    0.0.0.0.67        1      0        54          0   REQ
>    16:20:56.030858   man   34668616         0     2925593600 838861   153147   0   2925593600   285249248   SHT
>    19:00:00.000000   man   34668616         0     2925593600 838861        0   0   2925593600   285249248   SHT
>    19:00:00.000000                                                 0        0      0      0   UNK
> ra[7756]: 16:22:25.961478 ArgusReadStreamSocket (0x81c8dc4) record length is zero
>
> Where is 80.2.0.16.4482 coming from?
>
> I get the same results with 2.0.6:
>
> orr:/home/richard$ tcpdump -n -r dump.cap not host 192.168.0.10
> reading from file dump.cap, link-type EN10MB (Ethernet)
> orr:/home/richard$
>
> orr:/home/richard$ argus -r dump.cap -w dump.cap.arg2
>
> orr:/home/richard$ ra -n -r dump.cap.arg2 -- not host 192.168.0.10
>
> 29 Aug 06 16:26:21   man   229.97.122.203   v2.0    1       0   0        0   0          0       STA
> 28 Aug 06 20:36:40   tcp   80.2.0.16.4482   <->     0.0.0.0.bootp   1   0   54   0   TIM
> 29 Aug 06 16:26:21   man   229.97.122.203   v2.0    69190   0   153147   0   17775603   69188   SHT
>
> Again:
>
> orr:/home/richard$ tcpdump -n -r dump.cap host 80.2.0.16
> reading from file dump.cap, link-type EN10MB (Ethernet)
> orr:/home/richard$
>
> There are three records with IP 0.0.0.0 however:
>
> orr:/home/richard$ tcpdump -n -r dump.cap host 0.0.0.0
> reading from file dump.cap, link-type EN10MB (Ethernet)
> 20:34:51.287780 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
> 20:34:51.867606 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
> 20:34:52.868105 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
>
> Please tell me I am making a dumb mistake!
>
> I've posted dump.cap here
>
> http://www.taosecurity.com/dump.cap.gz
>
> If anyone wants to try it.
>
> Thank you,
>
> Richard
>
> PS:  I did not generate this trace.  Someone running a scan for Snort 
> did.
>
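The cross-check Richard performs above (confirm with tcpdump that the trace holds only traffic involving one host, then compare that with what the flow tool reports) can be made mechanical. The following is an added example, not code from this thread or from Argus: it builds a constructed three-frame pcap in memory, walks the classic pcap format directly, collects every IPv4 address that appears in IP or ARP frames, and returns any flow endpoint that never occurs in the packets. The helper names and the sample MAC and IP addresses are the example's own.

```python
import struct
import ipaddress

# --- constructed sample traffic (not from the trace in the thread) -----------

def _eth(src_mac, dst_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def _ipv4(src, dst, proto, payload):
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol, checksum (0, not validated here), src, dst.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def _tcp_syn(sport, dport):
    # 20-byte TCP header with only SYN set; checksum left at 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 6334, 0, 5 << 4, 0x02, 512, 0, 0)

def _arp_request(sender_ip, target_ip, sender_mac):
    # Ethernet/IPv4 ARP request: hw type 1, proto 0x0800, lengths 6/4, opcode 1.
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac
            + ipaddress.IPv4Address(sender_ip).packed + b"\x00" * 6
            + ipaddress.IPv4Address(target_ip).packed)

def build_sample_pcap():
    """Classic little-endian pcap (DLT_EN10MB) with an ARP request, a SYN
    from a 0.0.0.0 source (as in the report) and an ordinary SYN."""
    mac_a, mac_b = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x01"
    frames = [
        _eth(mac_a, b"\xff" * 6, 0x0806, _arp_request("192.168.0.10", "192.168.0.1", mac_a)),
        _eth(mac_b, mac_a, 0x0800, _ipv4("0.0.0.0", "192.168.0.10", 6, _tcp_syn(63000, 60000))),
        _eth(mac_a, mac_b, 0x0800, _ipv4("192.168.0.10", "192.168.0.1", 6, _tcp_syn(4000, 80))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1156797281 + i, 0, len(f), len(f)) + f
    return out

# --- pcap walking and endpoint extraction ------------------------------------

def pcap_frames(data):
    """Yield the captured bytes of each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) is handled here")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl]
        off += incl

def frame_hosts(frame):
    """IPv4 addresses a frame refers to: IP src/dst, or ARP sender/target IP."""
    if len(frame) < 14:
        return set()
    ethertype, = struct.unpack_from("!H", frame, 12)
    body = frame[14:]
    if ethertype == 0x0800 and len(body) >= 20:
        src, dst = struct.unpack_from("!4s4s", body, 12)
        return {str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))}
    if ethertype == 0x0806 and len(body) >= 28:
        return {str(ipaddress.IPv4Address(body[14:18])),
                str(ipaddress.IPv4Address(body[24:28]))}
    return set()

def frames_not_involving(data, host):
    """Same question as 'tcpdump -r FILE not host HOST': frames without HOST."""
    return [f for f in pcap_frames(data) if host not in frame_hosts(f)]

def all_hosts(data):
    hosts = set()
    for f in pcap_frames(data):
        hosts |= frame_hosts(f)
    return hosts

def unexplained_flow_endpoints(data, flow_endpoints):
    """Endpoints a flow tool reported that never appear in the raw packets."""
    return set(flow_endpoints) - all_hosts(data)

if __name__ == "__main__":
    sample = build_sample_pcap()
    print("frames not involving 192.168.0.10:", len(frames_not_involving(sample, "192.168.0.10")))
    print("hosts in packets:", sorted(all_hosts(sample)))
    print("unexplained:", unexplained_flow_endpoints(sample, ["80.2.0.16", "0.0.0.0"]))
```

Run against the constructed sample, the 0.0.0.0 SYNs are accounted for by real packets, while an endpoint such as 80.2.0.16 that no frame carries comes back as unexplained; an address that the raw capture never contains points at the sensor or the reader rather than at hidden traffic, which is the distinction the report is drawing.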