latest argus?

Peter Moody peter.moody at gmail.com
Thu Mar 9 12:48:45 EST 2006


well, I'm obviously in.  This is great news.


On 3/9/06, Carter Bullard <carter at qosient.com> wrote:
> Hey Peter,
> Thanks, that was a great way of putting it, I believe.  I have been
> slightly hesitant to 'announce' argus-3.0, for many reasons, but it is
> done and ready to test.  With the announcement that CERT has included
> support for argus-2.0 in their Silk tools, and the work that NCSA is
> doing with visualization and argus-2.0, it's hard to move to a major
> version release, as it will have an impact, but it's also very hard to
> put work into 2.0, when you've got 3.0 pretty much ready to go.
>
> I've also been hesitant because of the time it will take to document
> 3.0.  It principally adds IPv6 support, better encapsulation parsing,
> 64-bit support, Cygwin support and 64 bit counters, as well as a hundred
> thousand little nits and small changes that will probably drive everyone
> crazy.  It has the same SASL problems as argus-2.0, so there is an
> opportunity for some development if someone is interested in improving.
>
> I have just had the last of my foot surgeries (had a bunch of screws
> finally removed), and so I'm not as productive as I need to be; down
> but not out, so to speak.  If there is real interest in testing and
> improving on argus-3.0, then I will make it available.  Need to see a
> show of hands, if there is critical mass.  If not critical mass then I
> will let it go in April/May sometime.
>
> Best Regards,
>
> Carter
>
>
> On Mar 8, 2006, at 10:21 PM, Peter Van Epp wrote:
>
> > On Wed, Mar 08, 2006 at 05:08:49PM -0800, Peter Moody wrote:
> >> ok, you're right. checking the time stamps on the fixes.1.tar.gz,
> >> that's from may of 04.  What I was referring to was an email you sent
> >> with a link to those files.  that was the first time I'd seen that
> >> dev site.
> >>
> >> so, the "current" is two years of patches maintained on a mailing
> >> list?  With options becoming incompatible/obsolete between patches?
> >> Is that right?
> >>
> >> -Peter
> >>
> >
> >       Well, that's one way of looking at it I suppose :-). Another way of
> > looking at it is that it is an open source project that gets support
> > when time is available between paying the bills. I know of a couple of
> > commercial "equivalents" to argus (for some value of equivalent) and
> > Carter sells a commercial version of argus (which along with consulting,
> > pays his bills I believe) so I for one am grateful for the open source
> > version but there are options.
> >       I'm still running argus in production (and using it to fight off
> > commercial IPS/IDS vendors quite successfully :-)) after around 10
> > years or so.
> >       It's not so much that the options are changing, it's more (and I'm
> > as guilty as anyone) that we haven't been updating the man pages to
> > match the code. Sometimes the cli options aren't exactly the same as
> > the config file ones which is why I added -nnn to the cli, to suppress
> > all translations (which can be done from the config file but didn't
> > used to be from the cli). Most of the patches are in the clients which
> > are mostly an example on how to write your own (which I tend to do in
> > perl rather than C :-)). Only a couple are in argus itself and have
> > mostly been bugs found while running on production networks of various
> > kinds. Mine has certainly caused a number of cores over the years which
> > typically I fix and supply the patch (and sometimes have had to wait
> > for Carter to get time to be able to see where the problem is) which
> > Carter then puts in to the next release candidate and we all gain.
> >       I expect most all the patches I'm accumulating are already in the
> > code base, it's mostly to make sure nothing got missed and make it
> > easier to get as current as possible before a new release (which may
> > take some time, I hadn't realized it was 2 years until I looked at the
> > date stamp on fixes.1 for instance) that I'm collecting them. Slowly of
> > course :-). Once I get the patches done then I'll put out a new version
> > of my traffic collecting perl scripts as well.
> >       The printing patch came about as a result of someone I know using
> > argus asking why he couldn't print out all the fields at once. I'd
> > never needed to do that and thus hadn't tried (the parts I use worked
> > fine already). When I pulled on that string I found a bunch of things
> > that worked less than optimally (at least in my view, Carter may
> > disagree :-)) and a seg fault which was making the full print out not
> > work so I fixed them because I can :-). I may have in fact broken a
> > bunch of other things while doing so.
> >       I asked about the newer version of argus because you aren't the
> > first person to mention it and I wanted to make sure I hadn't missed a
> > new version somewhere I wasn't looking (patching against an old version
> > is silly :-)).
> >
> > Peter Van Epp / Operations and Technical Support
> > Simon Fraser University, Burnaby, B.C. Canada
> >