racluster, wounded after battling a dragon...

Adrian Bool aid at logic.org.uk
Tue Oct 31 11:24:09 EST 2006


Hi,

I have previously used ragator to look at traffic flows from archived  
pcap data.  Over the last couple of days I've been trying to do  
similar in Argus 3rc33 with racluster.

I'm trying for a filter of the form,

	filter="src net 192.168.0.0/16" model="saddr/24 daddr/24 dport"

Whilst trying to get the data I want I have found a couple of bugs in  
the function argus_client.c::ArgusNewAggregator,

	Mask length decoding,

	Currently we have,
		
		char * endptr = NULL ;

		if ((len = strtol(mptr, endptr, 10)) == 0)
			if (*endptr == mptr)
				ArgusLog (LOG_ERR, "syntax error: %s %s", mptr, strerror(errno));

	... but really need ...

		char * endptr = NULL ;

		if ((len = strtol(mptr, &endptr, 10)) == 0)
			if (endptr == mptr)
				ArgusLog (LOG_ERR, "syntax error: %s %s", mptr, strerror(errno));


	... and possibly bomb out if we hit the syntax error.  strtol takes  
a char ** as its second argument - and if that is NULL it will not  
return any endptr information.  So, we pass the address of the NULL  
ptr, it places the end of processing ptr in our end ptr and then we  
can just compare normal pointers.

	Then, there is currently,

		if (len <= 32)
			mask.addr_un.ipv4 = (0xFFFFFFFF << (32 - retn->saddrlen));

	The mask.addr_un.ipv4 is not a function of the len we just decoded!   
Using the following seems to be ok,

		if (len <= 32)
			mask.addr_un.ipv4 = (0xFFFFFFFF << (32 - len));

	saddrlen (or daddrlen) seems to be set as appropriate lower down.

I'm actually looking at aggregating on destination port - which  
worked pretty well in ragator.  Lower down this function iterates  
through members of ArgusMaskDefs but only seems to be picking up  
saddr, daddr, smpls and dmpls.  sport and dport seem to be ignored.   
Is aggregation on ports not implemented as yet?

Regards,

aid
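The strtol/endptr idiom and the mask-from-len fix described in the post, written out as a small stand-alone parser for model terms like "saddr/24" or "dport". This is an added example, not code from argus_client.c; the function names parse_prefix_mask, parse_model_term and term_parses_to are hypothetical. It goes a little beyond the post by also rejecting trailing junk, out-of-range lengths, and the undefined 32-bit shift for a /0 length.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse the prefix length after the '/' in a model term such as "saddr/24".
 * Returns 0 and sets *maskp (host-order IPv4 netmask), or -1 on a syntax
 * error.  Hypothetical helper, not code from argus_client.c. */
int parse_prefix_mask(const char *mptr, uint32_t *maskp)
{
    char *endptr = NULL;              /* strtol stores the stop position here */
    long len;
    errno = 0;
    len = strtol(mptr, &endptr, 10);  /* pass &endptr, not the NULL itself */
    if (endptr == mptr)               /* no digits consumed, e.g. "saddr/abc" */
        return -1;
    if (*endptr != '\0' || errno == ERANGE || len < 0 || len > 32)
        return -1;                    /* trailing junk, overflow, or > /32 */
    /* Mask derives from the len just decoded; shifting a 32-bit value by 32
     * is undefined, so /0 is handled explicitly. */
    *maskp = (len == 0) ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - len));
    return 0;
}

/* Split "daddr/16" into field name and mask.  A term with no '/' (e.g.
 * "dport") gets a full mask.  Returns 0 on success, -1 on error. */
int parse_model_term(const char *term, char *field, size_t fsz, uint32_t *maskp)
{
    const char *slash = strchr(term, '/');
    size_t n = slash ? (size_t)(slash - term) : strlen(term);
    if (n == 0 || n >= fsz)
        return -1;
    memcpy(field, term, n);
    field[n] = '\0';
    if (slash == NULL) {
        *maskp = 0xFFFFFFFFu;
        return 0;
    }
    return parse_prefix_mask(slash + 1, maskp);
}
/* 1 if TERM parses to exactly FIELD and MASK, else 0 (used by the checks). */
int term_parses_to(const char *term, const char *field, uint32_t mask)
{
    char buf[32];
    uint32_t m;
    if (parse_model_term(term, buf, sizeof buf, &m) != 0)
        return 0;
    return strcmp(buf, field) == 0 && m == mask;
}
```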

