new code (rc.31) on the server

carter at qosient.com carter at qosient.com
Tue Oct 10 10:02:06 EDT 2006


Hey Rick,
Ahhhhhh, programmatic progress!!! I'll do some testing either tonight or Thur. There are a few spots where it could be wrong, filter-wise. I'll also set the len correctly when it's 0. I agree, if you put 0 for a cidr len, you take saddr out of the model.

I suspect that we'll need to have separate v4 and v6 specifiers, since saddr/54 doesn't make much sense for v4 addresses?

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: rick <s442755 at mindlessproductions.com>
Date: Tue, 10 Oct 2006 20:36:14 
To:carter at qosient.com
Cc:argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] new code (rc.31) on the server


Hi,


Many thanks for putting the masking back in :)

Just a couple of issues with the update though :(

ok what i mentioned previously, the 'daddr/0' and 'saddr/0' failing causing a
segfault.. thinking about it, if you were going to do that you'd leave [sd]addr
out of the model wouldn't you, so not really an issue ;)

there is a victim of copy/paste where a 's' wasn't replaced with a 'd' in
the bcopy() calls putting 'mask' back into retn->dmask...

also.. the mask out of inet_pton() needs endian fix (despite what linux' man
page suggests!).. the patch below fixes the bcopy() and adds htonl() call on
the mask.. also various documents seem to disagree as to how inet_pton()
returns its number form of inet6.. it appears to have stored host order 32 bit
ints in msb :/ (sorry i obviously haven't played with v6 addresses enough
recently :()

each 32 bit int in the mask is now byte swapped.. i've looped the 4 ints and
htonl()ed them also...

you may or may not want the endianness 'fixing' to msb this early on... there
may be some side effects elsewhere in the code that i don't know about that
expects host order but since the mask code was just put back in i assume
not?


flipping the mask here works for v4 and the addresses are all ok and the
masking works correctly and the output is correct endian.. for v4 only..

flipping the mask here works for v6 however the addresses are incorrect.

This isn't a completely usable fix for v6 as there appears to be bigger
underlying issues with the ipv6 addresses.. quite possibly due to more
endianness issues.. i haven't located a root cause yet.. but the following
fails...


example flows:

fec0:0:0:200::2.x -> fec0:0:0:100::6.ssh
fec0:0:0:200::2.x -> fec0:0:0:101::6.smtp
fec0:0:0:200::4.x -> fec0:0:0:1c3::70.http

etc.

i have some network boundaries based on a /56 ie splitting the 16 bit subnet
to use a collection of 256 related subnets.. in the above example

applying a filter to ra* clients of:

"dst net fec0:0:0:100::/56" seems to only match on the 64 bit boundary
instead.. ie in the above example only matches the first flow. i haven't tested
v6 so much with endianness since the filter isn't working :( i'll dig a little
more..

flipping the v4 netmask makes it match the way the v4 addresses have been
stored by the time it applies the mask.. so presumably the addresses are msb
by this stage.. however..  the below patch fixes endianness of the v6 mask
also but i notice that at the time that the mask is applied the v6 addresses
are still little endian bytes in big endian 32 bit long words..

ah, obviously i was testing on x86... i can test on msb (sparc at least) if
necessary.. i've traditionally had little success with argus 2.x on sparc
(linux and solaris 8) in the past.. so i should test 3 on there anyway..

here's a patch for just argus_client.c


--- argus_client.c.orig	2006-10-07 02:29:50.000000000 +1000
+++ argus_client.c	2006-10-10 20:03:04.000000000 +1000
@@ -5699,11 +5699,15 @@
             if (strchr(ptr, ':')) {
                if (!(inet_pton(AF_INET6, (const char *) ptr, &mask.addr_un.ipv6) > 0))
                   ArgusLog (LOG_ERR, "syntax error: %s %s", ptr, strerror(errno));
+	       for (x = 0 ; x < 4 ; x++) {
+		  mask.addr_un.ipv6[x] = htonl(mask.addr_un.ipv6[x]);
+	       }
                len = 128;
             } else
             if (strchr(ptr, '.')) {
                if (!(inet_pton(AF_INET, (const char *) ptr, &mask.addr_un.ipv4) > 0))
                   ArgusLog (LOG_ERR, "syntax error: %s %s", ptr, strerror(errno));
+	       mask.addr_un.ipv4 = htonl(mask.addr_un.ipv4);
                len = 32;
             } else {
                if ((len = strtol(ptr, endptr, 10)) == 0)
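Review bot: the htonl() loop over mask.addr_un.ipv6[x] and the htonl() on mask.addr_un.ipv4 convert a mask that inet_pton() has just written in network byte order, so on a little-endian host each 32-bit word is byte-swapped into host order and on a big-endian host nothing changes; that is only correct if the address the mask is later applied to is stored the same way, and the message itself says the v6 addresses are still network-order bytes at the point the mask is applied, so the v6 comparison stays inconsistent after this hunk. Either convert address and mask in one place, or build and apply the mask byte-wise so no conversion is needed at all; if the per-word conversion stays, ntohl() names the direction correctly (same result as htonl(), clearer intent), the loop index x needs a declaration in scope that is not visible in the hunk, and the added lines should use the surrounding space indentation rather than tabs.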
@@ -5774,7 +5778,7 @@
                      case ARGUS_MASK_DADDR:
                         if (len > 0) {
                            retn->daddrlen = len;
-                           bcopy((char *)&mask, (char *)&retn->smask, sizeof(mask));
+                           bcopy((char *)&mask, (char *)&retn->dmask, sizeof(mask));
                         }
                         break;
 
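Review bot: the bcopy() target change from retn->smask to retn->dmask under ARGUS_MASK_DADDR is the right fix; with the old line a 'daddr/len' specifier overwrote the source mask and left the destination mask untouched, so a filter giving both masks would silently apply the daddr mask to saddr. Worth adding a regression test that sets saddr/len and daddr/len with different lengths and checks each mask lands in its own field, and confirming the sibling ARGUS_MASK_SADDR case (outside this hunk) copies into smask.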



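The byte-wise prefix match the thread is circling around, as an added example that is not argus code and not part of the original messages: it builds the /56 mask in the same network-order byte layout inet_pton() writes, so no htonl() is needed, and the optional swap_words path shows what happens on a little-endian host when the mask is instead htonl()ed per 32-bit word while the address is left as inet_pton() produced it (consistent with the "only matches the first flow" symptom above, without claiming that is the root cause in argus). The function names and the three example destination addresses taken from the flows above are my own choices.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Build a 128-bit prefix mask as 16 bytes in network order, the same layout
 * inet_pton(AF_INET6, ...) writes, so no htonl()/ntohl() is ever needed. */
static void ipv6_prefix_mask(unsigned prefix_len, uint8_t mask[16])
{
    memset(mask, 0, 16);
    for (unsigned i = 0; i < 16 && prefix_len > 0; i++) {
        unsigned bits = prefix_len < 8 ? prefix_len : 8;
        mask[i] = (uint8_t)(0xFFu << (8 - bits));
        prefix_len -= bits;
    }
}

/* Apply the mask byte by byte; host byte order is irrelevant here. */
static int masked_equal(const uint8_t *a, const uint8_t *n, const uint8_t *m)
{
    for (int i = 0; i < 16; i++)
        if ((a[i] & m[i]) != (n[i] & m[i]))
            return 0;
    return 1;
}

/* Returns 1 if addr is inside net/prefix_len, 0 if not, -1 on bad input.
 * With swap_words != 0 the mask is additionally run through htonl() per
 * 32-bit word (as the patch above does) while the address keeps the layout
 * inet_pton() produced; on a little-endian host the two then disagree and
 * a /56 effectively masks the wrong byte of each word. */
int ipv6_in_net(const char *addr, const char *net, unsigned prefix_len,
                int swap_words)
{
    struct in6_addr a, n;
    uint8_t mask[16];

    if (prefix_len > 128 || inet_pton(AF_INET6, addr, &a) != 1 ||
        inet_pton(AF_INET6, net, &n) != 1)
        return -1;
    ipv6_prefix_mask(prefix_len, mask);
    if (swap_words) {
        uint32_t w[4];
        memcpy(w, mask, 16);
        for (int i = 0; i < 4; i++)
            w[i] = htonl(w[i]);
        memcpy(mask, w, 16);
    }
    return masked_equal(a.s6_addr, n.s6_addr, mask);
}
```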