Argus-info Digest, Vol 15, Issue 9

CS Lee geek00l at gmail.com
Sat Nov 4 18:22:43 EST 2006


Phil,

Nice work, since there are always people crying for a GUI. By the way, does
it work for argus 3 :)

On 11/4/06, argus-info-request at lists.andrew.cmu.edu <
argus-info-request at lists.andrew.cmu.edu> wrote:
>
> Send Argus-info mailing list submissions to
>         argus-info at lists.andrew.cmu.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
> or, via email, send a message with subject or body 'help' to
>         argus-info-request at lists.andrew.cmu.edu
>
> You can reach the person managing the list at
>         argus-info-owner at lists.andrew.cmu.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Argus-info digest..."
>
>
> Today's Topics:
>
>    1. Re:  Argus stops writing to file! (Carter Bullard)
>    2.  rc.34 on the server (Carter Bullard)
>    3.  argus-eye GUI (Philipp Letschert)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 3 Nov 2006 12:39:32 -0500
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Argus stops writing to file!
> To: karlt at uchicago.edu
> Cc: argus-info at lists.andrew.cmu.edu,    Bjarte Malmedal
>         <bjarte.malmedal at gmail.com>
> Message-ID: <DDE27197-369F-41DA-9B9D-7C8D1CE49236 at qosient.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hey Karl,
> Yes, it's a problem with the default chroot.  It is writing to the
> output file, but because "argus -d" chroots to '/', the output file
> finds its way to someplace else.
> I tested it as "argus -d -w test.out" in /tmp and the output file
> becomes "/test.out".
>
> Is this what you're seeing in your testing? I'll have to fix this.
>
> Carter
>
>
> On Nov 3, 2006, at 12:02 PM, Karl Tatgenhorst wrote:
>
> >
> >    I have not looked at the code to verify this is the case; I am
> > reporting on behavior. Here is why I notice this (it also occurs in
> > vers 3.0 as late as rc 32):
> >
> > We rotate the files every hour.
> >
> > When we rotate the files we leave no file in place, as argus creates it.
> >
> > Originally we had tried creating the file; if we do this argus cannot
> > use it (no perms or ownership problems).
> >
> > Also, if I stop and start argus without removing the file, that file
> > will not be written to again, and once rotate occurs all is normal.
> >
> > Karl
> >
> >
> >
> >    I think I will actually look at the ra code today to see if I can
> > pinpoint the problem. I am guessing that you check to see if the file
> > exists and if not you create it... you should also have the result
> > that if it exists, open in append mode (I think that might be missing).
> >
> > Karl
> >
> > On Fri, 2006-11-03 at 11:53 -0500, Carter Bullard wrote:
> >> Hey Karl,
> >> I'm not aware of this possibility.  Have you seen this behavior or
> >> have you looked at the code to verify that this is the case?
> >> Can you point me at where you think the problem may be?
> >> I was just now looking at 2.0.6 and couldn't see where this might
> >> happen.
> >>
> >>
> >> Carter
> >>
> >>
> >>
> >> On Nov 3, 2006, at 11:11 AM, Karl Tatgenhorst wrote:
> >>
> >>>
> >>>
> >>>    A more simple answer may be to check and see if your argus process
> >>> is running as a daemon. If it is running as a daemon and you remove the
> >>> file, yes it generates a new file as anticipated... however, if the
> >>> daemon halts and starts back up, the file is already there so it
> >>> can't create a new one and it is not set up (as I understand it) to
> >>> open the file in 'append' mode. In this scenario it would sit there
> >>> until your argus rotate script moves the file again.
> >>>
> >>>
> >>> Karl
> >>>
> >>>
> >>> On Fri, 2006-11-03 at 10:40 -0500, Carter Bullard wrote:
> >>>> Hey Kjell,
> >>>> Sorry for the delayed response.  Argus should do a stat() on the
> >>>> filename to see if the name is still there, and if not it should
> >>>> recreate the file and start writing into the new file.
> >>>>
> >>>>
> >>>> Are there any system messages in your system error log
> >>>> (/var/log/messages?).
> >>>> If you ran ./configure with a '.devel' file present, then you
> >>>> should be able to attach to it using gdb() and trace to see what
> >>>> it thinks it's doing. Look in the routine ArgusWriteSocket(), (you
> >>>> can set a break in this routine after you attach to it), to see
> >>>> what filename it thinks it's using.
> >>>>
> >>>>
> >>>> You can also use lsof(), to see what file descriptors argus() is
> >>>> currently using.
> >>>> It may be that argus chroot'd() somewhere and it changed your path?
> >>>>
> >>>>
> >>>> Carter
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Oct 30, 2006, at 8:16 AM, Kjell Tore Fossbakk wrote:
> >>>>
> >>>>
> >>>>> Hello!
> >>>>>
> >>>>>
> >>>>> I have some difficulties understanding why my Argus (v.2.0.5),
> >>>>> running on a Gentoo 64bit system, stops writing flows to its
> >>>>> output file.
> >>>>>
> >>>>>
> >>>>> I got a system which moves away the output file on a regular
> >>>>> basis, and then puts the flows into a database. For the past year
> >>>>> Argus has never failed to create a new file as the old file is
> >>>>> moved away, and continue writing flows.
> >>>>>
> >>>>>
> >>>>> Is there any debugging feature I could enable?
> >>>>>
> >>>>>
> >>>>> Please advise!
> >>>>>
> >>>>>
> >>>>> --
> >>>>>
> >>>>>
> >>>>> Social Engineering Specialist
> >>>>> - Because there's no patch for Human Stupidity
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 3 Nov 2006 14:28:41 -0500
> From: Carter Bullard <carter at qosient.com>
> Subject: [ARGUS] rc.34 on the server
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <7CEBAC3D-EBF6-4C57-8E79-BB3CF9F82E1F at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> Gentle people,
> Lots of fixes, if you could please test that would be most excellent.
> Thanks for all the help!!!!
>
> Carter
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 4 Nov 2006 08:31:22 +0100
> From: Philipp Letschert <phil at uni-koblenz.de>
> Subject: [ARGUS] argus-eye GUI
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <20061104073121.GA13066 at penguin2.uni-koblenz.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> I've started a GUI for argus in Perl/Gtk2.
>
> current features are:
> * read data from one or many argus logfiles
> * display transaction data in colored table
> * sorting and reordering of columns possible
> * basic display filter usage
>
> planned features:
> * serious tool
> * bells and whistles
>
> screenshot:
> http://www.uni-koblenz.de/~phil/argus-eye.png
>
> I'll release GPL'ed code within the next few weeks after major cleanups
> and implementation of the display filter parser. Currently it's a mess of
> just 500 lines of proof-of-concept...
>
> Please let me know if there is already ongoing work for a GUI or if you
> have other suggestions.
>
>
> Cheers, Phil
>
>
>
> ------------------------------
>
> _______________________________________________
> Argus-info mailing list
> Argus-info at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>
>
> End of Argus-info Digest, Vol 15, Issue 9
> *****************************************
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>