rc.32 server and client uploaded for testing
rick
s442755 at mindlessproductions.com
Mon Oct 16 18:30:41 EDT 2006
Carter,
just another couple of minor fixes / suggestions.. sorry for the delay in
testing :(
suggestions:
pretty trivial but..
would it be possible/useful to put a header on the argus data files?
because the format of the data files is the same coming out of so many
different ra* clients, and the output data could have been filtered / aggregated /
various other things, would it be useful to allow for a header to be able to
better define what is in the file? even if this is just a human readable
addable comment of fixed length? anywhere up to id3 tag style giving you the
program that produced it, possibly the time ranges it contains, srcid(s) etc?
i'd find this useful but i don't know if it is generally useful :) it could
also mean that file no longer says '8086 relocatable (Microsoft)' (on intel
dump at least)
-
your new RaParseCIDRAddr() function checks for a '.' before a ':' testing
for a v4 address first.. this will fail in the case of an ipv6 mapped ipv4
address which is a legitimate representation of a v6 address that contains a
'.'... should check for a ':' first.. ie ::ffff:192.168.0.1 i vaguely
remember something else that was quite bad in the implementation of
RaParseCIDRAddr() but it eludes me now..
fixes:
just a couple of trivial tweaks..
- change you wholesale commenting from /* */ to #if 0 / #endif so you
don't keep removing other comments in the code to avoid nesting /* */ :) i
don't know if you have deliberately not done this or not so only changed
ones in argus_client.c
- Another 's' is turned back to a 'd' :) (saddrlen should have been
daddrlen)
- where you strtol() for the prefixlen i fixed up your error checking a
little.. the way you had it the error check would have always passed :)
char **endptr = NULL;
strtol(ptr, endptr, 10);
if (endptr == ptr) ...
endptr is null when it goes into strtol so it isn't going to use it
therefore it will remain null and the if will always fail.
- Another endianness tweak.. my previous patch correcting the endianness
in the netmasks that worked for v6 doesn't work for v6 as i mentioned at
the time becuase the addresses are also host order.. since you left them
in host order and you obviously flip them somewhere before printing them
then i just took the ipv6 netmask flipping back out... this now works
correctly for masking ipv4 and ipv6 however is inconsistent.. the data is
stored NBO before it is masked with v4 and HO before masking v6..
it works as it is.. i'm just concerned about where it is flipped (closer
to the end) i haven't looked into where.. but i wondering if it affects
file.. i haven't tested this yet either.. but if it outputs data to files
in host order then it more than likely breaks reimport of data on other
endian machines?
--- argus_client.c.orig 2006-10-11 04:04:05.000000000 +1000
+++ argus_client.c 2006-10-17 00:04:45.000000000 +1000
@@ -3253,7 +3253,7 @@
} else
parser->RaHistoBinSize = ((parser->RaHistoEnd - parser->RaHistoStart) * 1.0) / parser->RaHistoBins * 1.0;
-/*
+#if 0
int i;
for (i = 0; i < parser->RaHistoBins; i++) {
if (parser->RaHistoMetricLog) {
@@ -3275,7 +3275,7 @@
}
parser->RaHistoMetricValues[parser->RaHistoBins] = parser->RaHistoEnd;
-*/
+#endif
} else
ArgusLog (LOG_ERR, "RaHistoMetricParse: ArgusCalloc %s\n", strerror(errno));
}
@@ -3398,7 +3398,7 @@
for (x = 0; x < 4; x++)
tflow.ipv6_flow.ip_dst[x] = flow->ipv6_flow.ip_dst[x];
- if (na->saddrlen > 0)
+ if (na->daddrlen > 0)
for (x = 0; x < 4; x++)
tflow.ipv6_flow.ip_dst[x] &= na->dmask.addr_un.ipv6[x];
break;
@@ -5685,7 +5685,7 @@
if ((mode = modelist) != NULL) {
while (mode) {
- char *ptr = NULL, **endptr = NULL;
+ char *ptr = NULL, *endptr = NULL;
struct ArgusIPAddrStruct mask;
int len = 0, x = 0;
@@ -5696,10 +5696,6 @@
if (strchr(ptr, ':')) {
if (!(inet_pton(AF_INET6, (const char *) ptr, &mask.addr_un.ipv6) > 0))
ArgusLog (LOG_ERR, "syntax error: %s %s", ptr, strerror(errno));
-#if defined(_LITTLE_ENDIAN)
- for (x = 0 ; x < 4 ; x++)
- mask.addr_un.ipv6[x] = htonl(mask.addr_un.ipv6[x]);
-#endif
len = 128;
} else
if (strchr(ptr, '.')) {
@@ -5710,8 +5706,8 @@
#endif
len = 32;
} else {
- if ((len = strtol(ptr, endptr, 10)) == 0)
- if (*endptr == ptr)
+ if ((len = strtol(ptr, &endptr, 10)) == 0)
+ if ((endptr == ptr) || (*endptr != '\0'))
ArgusLog (LOG_ERR, "syntax error: %s %s", ptr, strerror(errno));
if (len <= 32)
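Review bot: The new `endptr` test is still nested under the `== 0` condition, so it only runs when strtol() returned zero; an input such as `24abc` (constructed example) yields `len = 24` with its trailing characters never checked, and a negative value passes the following `if (len <= 32)`. Validate unconditionally instead: `len = strtol(ptr, &endptr, 10);` followed by `if ((endptr == ptr) || (*endptr != '\0') || (len < 0))`. The upper bound depends on the branch after `if (len <= 32)`, which continues outside the hunk, so the maximum prefix length (presumably 128) should be enforced there. The `strerror(errno)` in the message is also likely to be stale, since a failed parse does not necessarily set errno.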
@@ -6077,7 +6073,7 @@
return(argus_nametoeproto(str));
}
-/*
+#if 0
struct RaPolicyStruct *
RaParsePolicyEntry (struct ArgusParserStruct *parser, char *str)
{
@@ -6485,7 +6481,7 @@
return (retn);
}
-*/
+#endif
double
ArgusFetchSrcId (struct ArgusRecordStruct *ns)
@@ -6535,7 +6531,7 @@
ArgusFetchAvgDuration (struct ArgusRecordStruct *ns)
{
double retn = 0;
-/*
+#if 0
float ad1 = 0.0, ad2 = 0.0;
if (n1 && n2) {
@@ -6543,8 +6539,8 @@
ad2 = RaGetFloatAvgDuration(n2);
retn = (ad1 > ad2) ? 1 : ((ad1 == ad2) ? 0 : -1);
}
+#endif
-*/
return (retn);
}
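Review bot: The block now under `#if 0` in ArgusFetchAvgDuration uses `n1` and `n2`, but the function's only parameter is `ns`, so the disabled code cannot be re-enabled as written and the function returns 0 for every record. The same holds for the `#if 0` bodies in ArgusFetchMinDuration, ArgusFetchMaxDuration, ArgusFetchProtocol and ArgusFetchSrcPort in the later hunks. A comment above each `#if 0` would make that explicit, for example `/* stub: always returns 0; the disabled body compares two records (n1, n2) and does not match this signature */`. The function's return-type line sits just above the hunk.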
@@ -6552,7 +6548,7 @@
ArgusFetchMinDuration (struct ArgusRecordStruct *ns)
{
double retn = 0;
-/*
+#if 0
float ad1 = 0.0, ad2 = 0.0;
if (n1 && n2) {
@@ -6560,8 +6556,8 @@
ad2 = RaGetFloatMinDuration(n2);
retn = (ad1 > ad2) ? 1 : ((ad1 == ad2) ? 0 : -1);
}
-
-*/
+#endif
+
return (ArgusReverseSortDir ? ((retn > 0) ? -1 : ((retn == 0) ? 0 : 1)) : retn);
}
@@ -6569,7 +6565,7 @@
ArgusFetchMaxDuration (struct ArgusRecordStruct *ns)
{
double retn = 0;
-/*
+#if 0
float ad1 = 0.0, ad2 = 0.0;
if (n1 && n2) {
@@ -6577,8 +6573,8 @@
ad2 = RaGetFloatMaxDuration(n2);
retn = (ad1 > ad2) ? 1 : ((ad1 == ad2) ? 0 : -1);
}
-
-*/
+#endif
+
return (retn);
}
@@ -6621,7 +6617,7 @@
ArgusFetchProtocol (struct ArgusRecordStruct *ns)
{
double retn = 0;
-/*
+#if 0
struct ArgusFlow *f1 = (struct ArgusFlow *) n1->dsrs[ARGUS_FLOW_INDEX];
struct ArgusFlow *f2 = (struct ArgusFlow *) n2->dsrs[ARGUS_FLOW_INDEX];
unsigned char p1 = 0, p2 = 0;
@@ -6662,7 +6658,7 @@
}
retn = p1 - p2;
-*/
+#endif
return(retn);
}
@@ -6670,7 +6666,7 @@
ArgusFetchSrcPort (struct ArgusRecordStruct *ns)
{
double retn = 0;
-/*
+#if 0
struct ArgusFlow *f1 = (struct ArgusFlow *) n1->dsrs[ARGUS_FLOW_INDEX];
struct ArgusFlow *f2 = (struct ArgusFlow *) n2->dsrs[ARGUS_FLOW_INDEX];
unsigned short p1 = 0, p2 = 0;
@@ -6721,7 +6717,7 @@
}
retn = p1 - p2;
-*/
+#endif
return(retn);
}