rc.28 code on the server

Carter Bullard carter at qosient.com
Tue Aug 29 17:44:08 EDT 2006


Hey Richard,   Hmmmm,
Not sure what to think, as I see no bug.  Below is the result that I get using
argus-clients-3.0.0.rc.28, reading argus data generated from your packet file
and argus-3.0.0.rc.28, on both big-endian and little-endian machines, 32-bit
and 64-bit intel, and PPC G5 (Linux RH, Fedora, MacOS X).

I'm interested in the fact that your output has a different state output for the
closing man record (STP for me, SHT for you).  Sure you're running the latest code?
Remember that argus and ra* programs append data to existing files (so we
don't blow precious data away).  Maybe this is left over from a previous run?

 ../bin/ra -r /tmp/argus.out - not host 192.168.0.10
   StartTime        Flgs   Proto      SrcAddr        Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
 20:34:41.313092             arp       192.168.0.10          who        192.168.0.1               1        0           42            0   INT
 20:34:41.313267             arp        192.168.0.1          who       192.168.0.10               1        0           60            0   INT
 20:34:48.293810             arp        192.168.0.2          who       192.168.0.10               1        0           60            0   INT
 20:34:48.293834             arp       192.168.0.10          who        192.168.0.2               1        0           42            0   INT
 20:35:30.713581             arp       192.168.0.10          who        192.168.0.1               1        0           42            0   INT
 20:35:30.713768             arp        192.168.0.1          who       192.168.0.10               1        0           60            0   INT
 17:23:24.914126             man                  0      0                      584      1   153147    70842          584     57924676   STP


The record that is getting mangled on your machine is coming out as this on
all of my machines:

 20:36:40.787045             tcp        192.168.0.2.4482      ->       192.168.0.10.bootps        1        0           54            0   REQ

Carter

Carter Bullard wrote:

> Hey Richard,
> Looks obviously like a bug!!!  But you can never tell!!!!!
> I'll take a look at it tonight.
> Carter
>
> Richard Bejtlich wrote:
>
>> On 8/28/06, Carter Bullard <CARTER at qosient.com> wrote:
>>
>>> Gentle people,
>>> New release candidate code on the server that fixes a number of problems
>>> posted to the mailing list.
>>
>>
>>
>> Hi Carter and everyone,
>>
>> This is a weird issue which appears with both Argus 2.0.6 (from
>> FreeBSD ports tree) and rc.28 (which compiles fine on FreeBSD 6.1
>> SECURITY).
>>
>> I have a Libpcap trace that does not have any other traffic besides
>> that involving host 192.168.0.10, i.e.:
>>
>> orr:/home/richard$ tcpdump -n -r dump.cap not host 192.168.0.10
>> reading from file dump.cap, link-type EN10MB (Ethernet)
>> orr:/home/richard$
>>
>> However, check out these results from Argus:
>>
>> orr:/usr/local/src/argus-3.0.0.rc.28/bin$ ./argus -r /home/richard/dump.cap -w /home/richard/dump.cap.arg3
>>
>> orr:/usr/local/src/argus-3.0.0.rc.28/bin$ cd /usr/local/src/argus-clients-3.0.0.rc.28/bin/
>>
>> orr:/usr/local/src/argus-clients-3.0.0.rc.28/bin$ ./ra -n -r /home/richard/dump.cap.arg3 -- not host 192.168.0.10
>>
>>    20:34:41.313092             arp       192.168.0.10          who       192.168.0.1               2        2           84          120   CON
>>    20:34:48.293810             arp        192.168.0.2          who       192.168.0.10              1        1           60           42   CON
>>    20:36:40.787045             tcp          80.2.0.16.4482      ->         0.0.0.0.67              1        0           54            0   REQ
>>    16:20:56.030858             man           34668616      0          2925593600 838861   153147        0   2925593600    285249248   SHT
>>    19:00:00.000000             man           34668616      0          2925593600 838861        0        0   2925593600    285249248   SHT
>>    19:00:00.000000                                                                   0        0            0            0   UNK
>> ra[7756]: 16:22:25.961478 ArgusReadStreamSocket (0x81c8dc4) record length is zero
>>
>> Where is 80.2.0.16.4482 coming from?
>>
>> I get the same results with 2.0.6:
>>
>> orr:/home/richard$ tcpdump -n -r dump.cap not host 192.168.0.10
>> reading from file dump.cap, link-type EN10MB (Ethernet)
>> orr:/home/richard$
>>
>> orr:/home/richard$ argus -r dump.cap -w dump.cap.arg2
>>
>> orr:/home/richard$ ra -n -r dump.cap.arg2 -- not host 192.168.0.10
>>
>> 29 Aug 06 16:26:21           man  229.97.122.203  v2.0          1      0        0         0            0            0   STA
>> 28 Aug 06 20:36:40           tcp       80.2.0.16.4482  <->  0.0.0.0.bootp       1      0       54         0                     TIM
>> 29 Aug 06 16:26:21           man  229.97.122.203  v2.0      69190      0   153147         0     17775603        69188   SHT
>>
>> Again:
>>
>> orr:/home/richard$ tcpdump -n -r dump.cap host 80.2.0.16
>> reading from file dump.cap, link-type EN10MB (Ethernet)
>> orr:/home/richard$
>>
>> There are three records with IP 0.0.0.0 however:
>>
>> orr:/home/richard$ tcpdump -n -r dump.cap host 0.0.0.0
>> reading from file dump.cap, link-type EN10MB (Ethernet)
>> 20:34:51.287780 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
>> 20:34:51.867606 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
>> 20:34:52.868105 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
>>
>> Please tell me I am making a dumb mistake!
>>
>> I've posted dump.cap here
>>
>> http://www.taosecurity.com/dump.cap.gz
>>
>> If anyone wants to try it.
>>
>> Thank you,
>>
>> Richard
>>
>> PS: I did not generate this trace.  Someone running a scan for Snort did.
>>
>
>
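The check Richard did by hand with tcpdump ("not host 192.168.0.10" against the pcap, then the same filter against the argus output) can be scripted so that every endpoint ra reports is looked up in the set of addresses that actually occur in the capture. The script below is added here as an illustration and is not part of this thread or of argus; it parses a pcap on its own (both magic byte orders, Ethernet, ARP and IPv4 only), and the tiny pcap and the flow rows it works on are constructed inline to resemble Richard's trace, not taken from dump.cap. The function and variable names are my own.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP = 0x0806
ETH_IP4 = 0x0800


def _eth(dst_mac, src_mac, ethertype, payload):
    """Minimal Ethernet II frame."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def _arp_request(sender_mac, sender_ip, target_ip):
    """42-byte ARP who-has, like the arp records in the ra output above."""
    body = struct.pack("!HHBBH", 1, ETH_IP4, 6, 4, 1)
    body += sender_mac + IPv4Address(sender_ip).packed
    body += b"\x00" * 6 + IPv4Address(target_ip).packed
    return _eth(b"\xff" * 6, sender_mac, ETH_ARP, body)


def _tcp_syn(src_ip, dst_ip, sport, dport):
    """54-byte IPv4/TCP SYN (no options, checksums left zero: constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 6334, 0, 5 << 4, 0x02, 512, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return _eth(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", ETH_IP4, ip + tcp)


def build_pcap(frames):
    """Little-endian libpcap file, link type 1 (EN10MB)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1156800000 + i, 0, len(frame), len(frame)) + frame
    return out


def pcap_hosts(data):
    """Set of IPv4 addresses appearing as ARP sender/target or IPv4 src/dst."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # file written on the other byte order
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    hosts = set()
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue
        etype = struct.unpack("!H", frame[12:14])[0]
        p = frame[14:]
        if etype == ETH_ARP and len(p) >= 28:
            hosts.add(str(IPv4Address(p[14:18])))   # sender protocol address
            hosts.add(str(IPv4Address(p[24:28])))   # target protocol address
        elif etype == ETH_IP4 and len(p) >= 20:
            hosts.add(str(IPv4Address(p[12:16])))
            hosts.add(str(IPv4Address(p[16:20])))
    return hosts


def unexplained_flows(flow_records, hosts):
    """Flow rows naming an endpoint the capture never contained."""
    return [r for r in flow_records if r["src"] not in hosts or r["dst"] not in hosts]


# Constructed sample: one ARP who-has and one SYN from 0.0.0.0, as in the trace discussed.
SAMPLE_PCAP = build_pcap([
    _arp_request(b"\x00\x11\x22\x33\x44\x55", "192.168.0.10", "192.168.0.1"),
    _tcp_syn("0.0.0.0", "192.168.0.10", 63000, 60000),
])

# Constructed flow rows shaped like the ra output quoted above (hypothetical, not ra's real output).
FLOWS = [
    {"proto": "arp", "src": "192.168.0.10", "dst": "192.168.0.1"},
    {"proto": "tcp", "src": "80.2.0.16", "dst": "0.0.0.0"},
]

if __name__ == "__main__":
    seen = pcap_hosts(SAMPLE_PCAP)
    for row in unexplained_flows(FLOWS, seen):
        print("endpoint not in capture:", row)
```

Run against a real dump.cap and the parsed output of ra, the same two functions would flag the 80.2.0.16 row while leaving 0.0.0.0 alone, since 0.0.0.0 really does occur in the trace. Note that this only cross-checks addresses; it says nothing about the state column (STP versus SHT), which is about the man record, and, as Carter points out, it cannot tell a fresh argus file from one that had old records appended to it, so delete or rename the output file before each run.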