Argus-info Digest, Vol 14, Issue 39

CS Lee geek00l at gmail.com
Tue Oct 31 12:27:10 EST 2006


Carter,

Sorry I'm unable to share the netflow data due to legal practice :( hopefully
someone can share it if possible.

Anyway if you release the code, I'm sure I will test it and report. Thanks.

On 11/1/06, argus-info-request at lists.andrew.cmu.edu <argus-info-request at lists.andrew.cmu.edu> wrote:
>
> Send Argus-info mailing list submissions to
>         argus-info at lists.andrew.cmu.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
> or, via email, send a message with subject or body 'help' to
>         argus-info-request at lists.andrew.cmu.edu
>
> You can reach the person managing the list at
>         argus-info-owner at lists.andrew.cmu.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Argus-info digest..."
>
>
> Today's Topics:
>
>    1.  Fwd: Oops forgot the .tcp file ... (Carter Bullard)
>    2.  netflow version testing (Carter Bullard)
>    3. Re:  Compiling on Solaris w/o bpf.h ?? (carter at qosient.com)
>    4.  racluster, wounded after battling a dragon... (Adrian Bool)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 30 Oct 2006 13:14:33 -0500
> From: Carter Bullard <carter at qosient.com>
> Subject: [ARGUS] Fwd: Oops forgot the .tcp file ...
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <659D0B67-575B-43C5-8941-374CC3C07C97 at qosient.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
>
> Begin forwarded message:
>
> > From: Carter Bullard <carter at qosient.com>
> > Date: October 30, 2006 1:14:12 PM EST
> > To: Peter Van Epp <vanepp at sfu.ca>
> > Subject: Re: Oops forgot the .tcp file ...
> >
> > Hey Peter,
> > So the problem with your ICMP packets not generating flows is that
> > the snaplen for the packets didn't capture the complete icmp hdr, so we
> > bail on parsing.
> > I break out of the packet parsing loop when the ICMP parsing is done, and
> > because the packet hdr is truncated, I don't return a flow key to match.
> >
> > I'll fix this, not a problem.
> >
> > Carter
> >
> >
> > On Oct 28, 2006, at 11:02 PM, Peter Van Epp wrote:
> >
> >>      So include it here.
> >>
> >> Peter Van Epp / Operations and Technical Support
> >> Simon Fraser University, Burnaby, B.C. Canada
> >>
> >> <icmp.tcp>
> >
> >
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 30 Oct 2006 16:49:02 -0500
> From: Carter Bullard <carter at qosient.com>
> Subject: [ARGUS] netflow version testing
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <3C3865F4-5E0D-42C3-BDC6-C08E463AE792 at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> Gentle people,
> I have re-incorporated the netflow parsing into argus-3.0 clients and
> need some data to test.  If anyone has a quasi-standard netflow file,
> version 1, 5, 6, whatever, that you can share, could you send a copy?
>
> Thanks!!!!
>
> Carter
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 31 Oct 2006 12:07:44 +0000
> From: carter at qosient.com
> Subject: Re: [ARGUS] Compiling on Solaris w/o bpf.h ??
> To: "Tom Briglia" <briglia at stanford.edu>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <1472312924-1162296552-cardhu_blackberry.rim.net-79115852- at bwe032-cell00.bisx.prod.on.blackberry>
>
> Content-Type: text/plain
>
> Hey Tom,
> Well, we've moved on to argus-3.0 which is completely different, and all
> the issues you are mentioning are fixed.
>
> Is there something that the SIFT tools do in particular that we could do
> with argus tools?  Are they going to support argus-3.0?
>
> Carter
>
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: Tom Briglia <briglia at stanford.edu>
> Date: Mon, 30 Oct 2006 09:26:51
> To: Carter Bullard <carter at qosient.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Compiling on Solaris w/o bpf.h ??
>
> Hey Carter,
>
> I understand yet as I mentioned in my last paragraph below one of the
> reasons I started working with Argus was to utilize the SIFT tools
> (http://www.projects.ncassr.org/sift) and according to their website the
> Argus output format changed in 2.0.6 so that is why I started with 2.0.5.
>
> Thx!
>
> Tom
>
> Carter Bullard wrote:
>
> > Hmmmm, what version of argus are you trying to build?  You should be
> > trying to build
> > argus-3.0.0.rc.3x (we're currently on rc.33).   I believe that the
> > SASL problems have
> > been dealt with in argus-3.0?  The ether_ntohost() issues, etc....
> >
> > Carter
> >
> >
> >
> > On Oct 26, 2006, at 6:52 PM, Tom Briglia wrote:
> >
> >> Hey Carter,
> >>
> >> Thanks for the follow up! Sure I'll grab that off my dev system
> >> later and forward it to you.
> >>
> >> BTW another point of frustration . . . I noticed that after
> >> successfully compiling there was no SASL support and when I went
> >> back to the config log I saw that it did not find SASL even though  I
> >> had pointed to it. I did some hacking of the configure script so  it
> >> would find sasl.h yet then the frustration really started . . .
> >>
> >> Took me a couple hrs of hacking to figure it out, yet the  conclusion
> >> is that Argus 2.0.X cannot use Version 2 of SASL. Long  story short I
> >> grabbed the most recent release of V1 of SASL,  compiled it, unhacked
> >> the changes I made to the configure script  and then got Argus
> >> compiled with SASL.
> >>
> >> So this too would be a welcomed addition to the INSTALL or README,
> >> ie: SASL V1 is required not V2, would have saved me a couple hrs of
> >> frustration.
> >>
> >> Finally one more favor . . . do you know of any detailed  'cookbooks'
> >> on how to get going with Argus? I have a couple hundred  systems
> >> (Solaris, Linux, and Win) and want to run Argus on as many  as
> >> possible so I can map out what systems are talking to what  systems
> >> on our networks. I think I know what I need to do, yet I  hate
> >> reinventing the wheel so if anyone has written up a good  "Argus
> >> Cookbook" or an 'Idiots Guide to large scale Argus  Deployments' I
> >> would love to get my hands on those docs!
> >>
> >> Also one last comment I am using 2.0.5 for I was hoping to leverage
> >> the SIFT tools (http://www.projects.ncassr.org/sift) and according
> >> to their website the Argus output format changed between 2.0.5 and
> >> 2.0.6 and the SIFT tools will not work with 2.0.6, and I am
> >> suspecting Version 3 too. Any comments on this?
> >>
> >> Thanks!
> >>
> >> Regards,
> >>
> >> Tom
> >>
> >> carter at qosient.com wrote:
> >>
> >>> Hey Tom,
> >>> Thanks, I'll add the test to the configure script.   Could you do
> >>> me a favor, and send the output of the ./config/config.guess
> >>> script?  I'll need to see what the script sees as your os.
> >>>
> >>> Carter
> >>>
> >>>
> >>> Carter Bullard
> >>> QoSient LLC
> >>> 150 E. 57th Street Suite 12D
> >>> New York, New York 10022
> >>> +1 212 588-9133 Phone
> >>> +1 212 588-9134 Fax
> >>> -----Original Message-----
> >>> From: Tom Briglia <briglia at stanford.edu>
> >>> Date: Wed, 25 Oct 2006 19:20:17
> >>> To: argus-info at lists.andrew.cmu.edu
> >>> Subject: Re: [ARGUS] Compiling on Solaris w/o bpf.h ??
> >>>
> >>>
> >>> I figured out how I had to edit the gencode.c file changing bpf.h to
> >>> pcap-bpf.h. It would be nice if this was added to the INSTALL or
> >>> README
> >>> files since it seems to be an old problem relating to pcap headers.
> >>>
> >>> Also for anyone interested in compiling on Solaris 10, it appears that
> >>> Solaris 10 now includes:
> >>>
> >>> ether_ntohost
> >>> ether_hostton
> >>>
> >>> in /usr/include/sys/ethernet.h.
> >>>
> >>> So in order to get Argus to compile I had to go hack up
> >>> argusfilter.c and
> >>> comment out the varied declarations of ether_ntohost  ether_hostton.
> >>> Once I
> >>> did that everything finally compiled. :-)
> >>>
> >>>
> >>>
> >>> Quoting Tom Briglia <briglia at stanford.edu>:
> >>>
> >>>
> >>>> Hi Folks,
> >>>>
> >>>> I am a newbie to Argus and trying to compile on Solaris. I have seen
> >>>> multiple references that Argus will compile on Solaris which is why I
> >>>> even tried in the first place.
> >>>>
> >>>> I successfully compiled and installed Bison, libpcap, libwrap,  and
> >>>> sasl
> >>>> on
> >>>> Solaris 10 and successfully ran the argus ./configure script.  When
> >>>> I try
> >>>> to
> >>>> compile Argus it starts crapping out due to no bpf.h:
> >>>>
> >>>> gcc -O2 -mcpu=v9 -m64 -O -I. -I../include -I../../tcp_wrappers_7.6-ipv6.4
> >>>> -I../../libpcap-0.9.5 -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\"
> >>>> -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\"
> >>>> -DLBL_ALIGN=1 -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1
> >>>> -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1
> >>>> -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1
> >>>> -DHAVE_TCP_WRAPPER=1 -DHAVE_SYS_SOCKIO_H=1 -DHAVE_STRING_H=1
> >>>> -DHAVE_FCNTL_H=1 -DHAVE_SYS_FILE_H=1 -DHAVE_SYSLOG_H=1 -DHAVE_SOLARIS=1
> >>>> -DSTDC_HEADERS=1  -DARGUS_SYSLOG=1 -c ./gencode.c
> >>>> ./gencode.c:62:21: net/bpf.h: No such file or directory
> >>>>
> >>>> I have searched my system and searched google and I get the
> >>>> impression
> >>>> "bpf.h" is not native to Solaris.
> >>>>
> >>>> I figured maybe it would be included in libpcap yet it is not.
> >>>>
> >>>> So what is the real deal? How can Argus be compiled on Solaris w/o bpf.h?
> >>>>
> >>>> I have a whole network of Solaris systems I would like to run Argus on
> >>>> yet am now hitting this showstopper . . .
> >>>>
> >>>> Any help will be greatly appreciated!
> >>>>
> >>>> Thanks!
> >>>>
> >>>> Tom
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 31 Oct 2006 16:24:09 +0000
> From: Adrian Bool <aid at logic.org.uk>
> Subject: [ARGUS] racluster, wounded after battling a dragon...
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <7A7537F5-E2CE-462B-B672-4AD8F53CFF03 at logic.org.uk>
> Content-Type: text/plain; charset="us-ascii"
>
> Skipped content of type multipart/alternative
>
> ------------------------------
>
> _______________________________________________
> Argus-info mailing list
> Argus-info at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>
>
> End of Argus-info Digest, Vol 14, Issue 39
> ******************************************
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
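Carter's explanation in Message 1 (a snaplen that cuts off the ICMP header makes the parser bail and return no flow key, so the sensor is blind to that traffic) is illustrated by the following C sketch. It is an added example, not argus code: the `flow_key` layout, the `tolerate_truncation` switch, the requirement of just the ICMP type and code bytes, and the sample packet bytes are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Flow key reduced to what the example needs (constructed, not argus's own layout). */
struct flow_key {
    uint32_t saddr, daddr;       /* IPv4 endpoints, network byte order */
    uint8_t  proto, icmp_type, icmp_code;
    uint8_t  partial;            /* 1: ICMP header truncated, key from IP header only */
};
/* Derive a flow key from a captured IPv4/ICMP packet of caplen bytes. Returns 1 and
   fills *key when a key exists, 0 when the parser bails. With tolerate_truncation = 0
   a snaplen that cuts the ICMP header off yields no key, i.e. no flow is recorded. */
static int icmp_flow_key(const uint8_t *pkt, size_t caplen,
                         int tolerate_truncation, struct flow_key *key)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4) return 0;   /* need a full IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || caplen < ihl) return 0;
    memset(key, 0, sizeof *key);
    memcpy(&key->saddr, pkt + 12, 4);
    memcpy(&key->daddr, pkt + 16, 4);
    key->proto = pkt[9];
    if (key->proto != 1) return 0;                     /* only ICMP in this example */
    if (caplen < ihl + 2) {                            /* type and code not captured */
        if (!tolerate_truncation) return 0;            /* old behaviour: bail, no key */
        key->partial = 1;                              /* fallback: IP-level key, flagged */
        return 1;
    }
    key->icmp_type = pkt[ihl];
    key->icmp_code = pkt[ihl + 1];
    return 1;
}
/* Constructed sample: 20-byte IPv4 header followed by an 8-byte ICMP echo request. */
static const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,                          /* 10.0.0.1 -> 10.0.0.2 */
    0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01     /* echo request, id 1, seq 1 */
};
/* Parse the sample as if captured with the given snaplen.
   Returns 0 = no key (sensor blind), 1 = full ICMP key, 2 = partial IP-only key. */
int classify_capture(size_t snaplen, int tolerate_truncation)
{
    struct flow_key k;
    size_t caplen = snaplen < sizeof sample_pkt ? snaplen : sizeof sample_pkt;
    if (!icmp_flow_key(sample_pkt, caplen, tolerate_truncation, &k)) return 0;
    return k.partial ? 2 : 1;
}
```

The check to run on a real sensor is the same: compare the capture snaplen against the largest header the parser needs, because a too-small snaplen does not error out, it silently drops flows.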