latest argus?

[Carter Bullard]

Hey Peter,
Thanks, that was a great way of putting it, I believe.  I have been  
slightly
hesitant to 'annouce' argus-3.0, for many reasons, but it is done and
ready to test.   With the announcement that CERT has included support
for argus-2.0 in their Silk tools, and the work that NCSA is doing with
visualization and argus-2.0, its hard to move to a major version  
release,
as it will have an impact, but its also very hard to put work into  
2.0, when
you've got 3.0 pretty much ready to go.

I've also been hesitant because of the time it will take to document
3.0.  It principally adds IPv6 support, better encapsulation parsing,  
64-bit
support, Cygwin support and 64 bit counters, as well as a hundred  
thousand
little nits and small changes that will probably drive everyone  
crazy.  It has
the same SASL problems as argus-2.0, so there is an opportunity for some
development if someone is interested in improving.

I have just had the last of my foot surgeries (had a bunch of screws
finally removed), and so I'm not as productive as I need to be;  down  
but
not out, so to speak.  If there is real interest in testing and  
improving on
argus-3.0, then I will make it available.   Need to see a show of hands,
if there is critical mass.  If not critical mass then I will let it  
go in April/May
sometime.

Best Regards,

Carter


On Mar 8, 2006, at 10:21 PM, Peter Van Epp wrote:

> On Wed, Mar 08, 2006 at 05:08:49PM -0800, Peter Moody wrote:
>> ok, you're right. checking the time stamps on the fixes.1.tar.gz,
>> that's from may of 04.  What I was referring to was an email you sent
>> with a link to those files.  that was the first time I'd seen that  
>> dev
>> site.
>>
>> so, the "current" is two years of patches maintained on a mailing
>> list?  With options becoming incompatible/obsolete between patches?
>> Is that right?
>>
>> -Peter
>>
>
> 	Well, thats one way of looking at it I suppose :-). Another way of
> looking at it is that it is an open source project that gets  
> support when
> time is available between paying the bills. I know of a couple of  
> commercial
> "equivelents" to argus (for some value of equivelent) and Carter  
> sells a
> commercial version of argus (which along with consulting, pays his  
> bills I
> believe) so I for one am grateful for the open source version but  
> there are
> options.
> 	I'm still running argus in production (and using it to fight off
> commecial IPS/IDS vendors quite successfully :-)) after around 10  
> years or so.
> 	Its not so much that the options are changing, its more (and I'm as
> guilty as anyone) that we haven't been updating the man pages to  
> match the
> code. Sometimes the cli options aren't exactly the same as the  
> config file
> ones which is why I added -nnn to the cli, to supress all  
> translations (which
> can be done from the config file but didn't used to be from the  
> cli). Most of
> the patches are in the clients which are mostly an example on how  
> to write your
> own (which I tend to do in perl rather than C :-)). Only a couple  
> are in argus
> itself and have mostly been bugs found while running on production  
> networks of
> various kinds. Mine has certainly caused a number of cores over the  
> years which
> typically I fix and supply the patch (and sometimes have had to  
> wait for
> Carter to get time to be able to see where the problem is) which  
> Carter then
> puts in to the next release candidate and we all gain.
> 	I expect most all the patches I'm accumulating are already in the  
> code
> base, its mostly to make sure nothing got missed and make it easier  
> to get as
> current as possible before a new release (which may take some time,  
> I hadn't
> realized it was 2 years until I looked at the date stamp on fixes.1  
> for
> instance) that I'm collecting them. Slowly of course :-). Once I  
> get the
> patches done then I'll put out a new version of my traffic  
> collecting perl
> scripts as well.
> 	The printing patch came about as a result of someone I know using  
> argus
> asking why he couldn't print out all the fields at once. I'd never  
> needed to
> do that and thus hadn't tried (the parts I use worked fine  
> already). When I
> pulled on that string I found a bunch of things that worked less  
> than optimally
> (at least in my view, Carter may disagree :-)) and a seg fault  
> which was making
> the full print out not work so I fixed them because I can :-). I  
> may have in
> fact broken a bunch of other things while doing so.
> 	I asked about the newer version of argus because you aren't the first
> person to mention it and I wanted to make sure I hadn't missed a  
> new version
> somewhere I wasn't looking (patching against an old version is  
> silly :-)).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>