Argus-info Digest, Vol 19, Issue 28

CS Lee geek00l at gmail.com
Wed Mar 21 12:53:53 EDT 2007


Carter,

[root@ /usr/local/lib]# strings * | egrep -i 'prop_get'
prop_get
prop_getnames
sasl_auxprop_getctx
prop_get
prop_getnames
sasl_auxprop_getctx
prop_getnames
prop_get
prop_getnames
prop_get
prop_getnames
sasl_auxprop_getctx
prop_get
prop_getnames
sasl_auxprop_getctx


On 3/21/07, argus-info-request at lists.andrew.cmu.edu <
argus-info-request at lists.andrew.cmu.edu> wrote:
>
> Send Argus-info mailing list submissions to
>         argus-info at lists.andrew.cmu.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
> or, via email, send a message with subject or body 'help' to
>         argus-info-request at lists.andrew.cmu.edu
>
> You can reach the person managing the list at
>         argus-info-owner at lists.andrew.cmu.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Argus-info digest..."
>
>
> Today's Topics:
>
>    1.  Re: Argus-info Digest, Vol 19, Issue 27 (CS Lee)
>    2.  rc.42 an rabins: filtering won't work (Wolfgang Barth)
>    3.  ra and srcid: bug (Wolfgang Barth)
>    4. Re:  rc.42 an rabins: filtering won't work (Carter Bullard)
>    5. Re:  ra and srcid: bug (Carter Bullard)
>    6. Re:  argus with sasl2 installation (Peter Van Epp)
>    7. Re:  argus with sasl2 installation (Carter Bullard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 21 Mar 2007 01:31:38 +0800
> From: "CS Lee" <geek00l at gmail.com>
> Subject: [ARGUS] Re: Argus-info Digest, Vol 19, Issue 27
> To: argus-info at lists.andrew.cmu.edu
> Message-ID:
>         <1bb5dd90703201031p6ee89547ycf13b245b2fefaa7 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Peter,
>
> That's just a typo in the mail. I would like to hear from you if you got argus
> running with sasl2 on a BSD system. Thanks.
>
> Carter,
>
> I would say I prefer all the argus related tools distributed in
> argus-client. That would be easy to maintain? And the version number of
> argus clients usually follows the argus server convention, which would make it
> clear which clients are workable with that version of the argus
> server.
>
> Maybe others have different view :)
>
> Cheers.
>
> On 3/21/07, argus-info-request at lists.andrew.cmu.edu <
> argus-info-request at lists.andrew.cmu.edu> wrote:
> >
> >
> > Today's Topics:
> >
> >    1. Re:  argus with sasl2 installation (Peter Van Epp)
> >    2.  radump() as a new client program (Carter Bullard)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 20 Mar 2007 08:48:02 -0700
> > From: Peter Van Epp <vanepp at sfu.ca>
> > Subject: Re: [ARGUS] argus with sasl2 installation
> > To: argus-info at lists.andrew.cmu.edu
> > Message-ID: <20070320154801.GB28896 at sfu.ca>
> > Content-Type: text/plain; charset=us-ascii
> >
> > On Tue, Mar 20, 2007 at 11:00:12PM +0800, CS Lee wrote:
> > > Carter,
> > >
> > > I have grabbed the latest rc42 source -
> > >
> > > ./configure --prefix=/usr/local/stow/argus-3rc42 --with-sasl=/usr/loal
> > > ..........
> >
> >         typo in the make? --with-sasl=/usr/loal should perhaps be
> >
> > --with-sasl=/usr/local
> >
> > Peter Van Epp / Operations and Technical Support
> > Simon Fraser University, Burnaby, B.C. Canada
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Tue, 20 Mar 2007 12:14:42 -0400
> > From: Carter Bullard <carter at qosient.com>
> > Subject: [ARGUS] radump() as a new client program
> > To: Argus <argus-info at lists.andrew.cmu.edu>
> > Message-ID: <5FE872C7-E509-442C-9746-26E7D9274451 at qosient.com>
> > Content-Type: text/plain; charset=US-ASCII; format=flowed
> >
> > Gentle people,
> > With argus frozen, I can now turn my attention to getting
> > the clients in order for the release.  I am adding a new program,
> > radump(),  to the list of client programs, which provides a tcpdump
> > decoder for the userdata buffers that are captured in argus data.
> >
> > It really is tcpdump-3.9.5, where each original tcpdump print
> > routine that deals with protocols above TCP and UDP is modified
> > slightly so that it can be run against the argus user data buffer.
> >
> > I'm wondering how is the best way of distributing this new program.
> > I'm thinking that it should be as a separate client program, that is
> > not in the argus-clients distribution?  But as a separate tarfile on its
> > own?  That way we can maintain it independently, with its own
> > version numbers, release cycle etc....
> >
> > Any thoughts?  Anyone want to test this bugger out?
> >
> > Carter
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Argus-info mailing list
> > Argus-info at lists.andrew.cmu.edu
> > https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
> >
> >
> > End of Argus-info Digest, Vol 19, Issue 27
> > ******************************************
> >
>
>
>
> --
>
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 20 Mar 2007 20:38:18 +0100
> From: wob at swobspace.de (Wolfgang Barth)
> Subject: [ARGUS] rc.42 an rabins: filtering won't work
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <20070320193818.GA11303 at swobspace.swobspace.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> filtering in rc.42 won't work as in previous versions:
>
> argus-clients-3.0.0.rc.42/bin/rabins -r /var/log/argus/argus.log \
>    -M rmon 10s -m smac -w - - srcid eligate1 | ...
> rabins[32470]: 20:36:14.580569 srcid eligate1 filter syntax error
>
> rc.40 (and previous):
> argus-clients-3.0.0.rc.40/bin/rabins -r /var/log/argus/argus.log \
>    -M rmon 10s -m smac -w - - srcid eligate1 | ...
> shows the expected behavior.
>
> Is this a bug or a feature? (i.e. changed parameter syntax?)
>
> Wolfgang
> --
> <wob (at) swobspace de> * http://www.swobspace.de
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 20 Mar 2007 21:42:58 +0100
> From: wob at swobspace.de (Wolfgang Barth)
> Subject: [ARGUS] ra and srcid: bug
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <20070320204258.GA21958 at swobspace.swobspace.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
>
> argus-clients-3.0.0.rc.42/bin/ra -s srcid -r /var/log/argus/argus.log
>
> ...
>      90.130.17.172
>       3.130.17.172
>       172.17.129.2
>       3.130.17.172
>      97.130.17.172
> ...
>
> The third line is correct, the others are in wrong byte order...
>
> Filtering like "ra -r argus.log - srcid 172.17.129.2 " won't work:
> ra[18615]: 21:40:57.413454 srcid eligate2 filter syntax error
>
> I had to specify "srcid 2.129.17.172", all my scripts fail with rc.42
>
> :-((
>
> Wolfgang
> --
> <wob (at) swobspace de> * http://www.swobspace.de
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 20 Mar 2007 16:55:24 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] rc.42 an rabins: filtering won't work
> To: wob at swobspace.de
> Cc: argus-info at lists.andrew.cmu.edu
> Message-ID: <48F5DFC5-7A9B-416B-9F0A-882B22AF35FA at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> Oh, a bug I'm sure.   What platform are you running on?
> On my intel fedora and my mac os x (g5), I'm getting good
> behavior.  When did you pick up your copy of rc.42?  I've
> put up a minor mod'd rc.42, it may help!!!!
>
>
> Carter
>
> On Mar 20, 2007, at 3:38 PM, Wolfgang Barth wrote:
>
> > Hi,
> >
> > filtering in rc.42 won't work as in previous versions:
> >
> > argus-clients-3.0.0.rc.42/bin/rabins -r /var/log/argus/argus.log \
> >    -M rmon 10s -m smac -w - - srcid eligate1 | ...
> > rabins[32470]: 20:36:14.580569 srcid eligate1 filter syntax error
> >
> > rc.40 (and previous):
> > argus-clients-3.0.0.rc.40/bin/rabins -r /var/log/argus/argus.log \
> >    -M rmon 10s -m smac -w - - srcid eligate1 | ...
> > shows the expected behavior.
> >
> > Is this a bug or a feature? (i.e. changed parameter syntax?)
> >
> > Wolfgang
> > --
> > <wob (at) swobspace de> * http://www.swobspace.de
> >
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 20 Mar 2007 17:11:38 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] ra and srcid: bug
> To: wob at swobspace.de
> Cc: argus-info at lists.andrew.cmu.edu
> Message-ID: <25094C3D-32FF-4638-A0A9-E08449B87F34 at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> So, there is/was a little endian problem in earlier versions of 3.0.0-rc.x,
> at least with the srcid.   So what versions are we dealing with
> with these argus sources?  Are you running some argus-2.x
> as well?
>
> Carter
>
>
>
> On Mar 20, 2007, at 4:42 PM, Wolfgang Barth wrote:
>
> > Hi,
> >
> >
> > argus-clients-3.0.0.rc.42/bin/ra -s srcid -r /var/log/argus/argus.log
> >
> > ...
> >      90.130.17.172
> >       3.130.17.172
> >       172.17.129.2
> >       3.130.17.172
> >      97.130.17.172
> > ...
> >
> > The third line is correct, the others are in wrong byte order...
> >
> > Filtering like "ra -r argus.log - srcid 172.17.129.2 " won't work:
> > ra[18615]: 21:40:57.413454 srcid eligate2 filter syntax error
> >
> > I had to specify "srcid 2.129.17.172", all my scripts fail with rc.42
> >
> > :-((
> >
> > Wolfgang
> > --
> > <wob (at) swobspace de> * http://www.swobspace.de
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 21 Mar 2007 08:24:37 -0700
> From: Peter Van Epp <vanepp at sfu.ca>
> Subject: Re: [ARGUS] argus with sasl2 installation
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <20070321152437.GB1567 at sfu.ca>
> Content-Type: text/plain; charset=us-ascii
>
> On Tue, Mar 20, 2007 at 11:00:12PM +0800, CS Lee wrote:
> > Carter,
> >
> > I have grabbed the latest rc42 source -
> >
> > ./configure --prefix=/usr/local/stow/argus-3rc42 --with-sasl=/usr/loal
> > ..........
> > checking for ranlib... ranlib
> > checking if unaligned accesses fail... no
> > checking sasl/sasl.h usability... no
> > checking sasl/sasl.h presence... no
> > checking for sasl/sasl.h... no
> > configure: error: sasl2 not found. see the INSTALL for more info
> >
> > No chance to test out anything unless it gets compiled :(
> >
> > Anyone?
> >
>
>         First it needs to be --with-sasl=/usr/local/  but with the sasl2 from
> ports on 6.1 all that happens is it can't find prop_get() and it still dies
> :-). As I get some time I'll poke further, there may be two versions of
> sasl floating around (although cyrus-sasl seems to have come from CMU in the
> ports collection) and this version seems to have sasl as in sasl_getprop()
> in front of everything (at least from the man page). It may be we can't use
> the one in ports and need to manually install the same one Carter is using
> in the argus directory (although ports would be the preferred path for
> sure).
>         I'll probably need to do that anyway since I need it on Linux in the
> end (unless I can find a Suse rpm for sasl2 which I may be able to).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 21 Mar 2007 11:57:55 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] argus with sasl2 installation
> To: Peter Van Epp <vanepp at sfu.ca>
> Cc: argus-info at lists.andrew.cmu.edu
> Message-ID: <C5B9F61A-521A-48AC-85A8-1FA64A591D56 at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> I'm using the cmu sasl that comes standard with Fedora 6, and our
> aclocal.m4 is using macros from cmu's cyrus-imapd, so they should be
> legit.  argus doesn't actually use prop_get(), but testing for it in the
> sasl library seems to be a specific test for sasl2, and we definitely
> have to find sasl2 now.   Doing a strings on /usr/lib/libsasl2.a does
> have prop_get.
>
>     strings /usr/lib/*sasl2* | fgrep prop_get
>
> if you find prop_get in your library, then I may need to fix something
> in the aclocal.m4, so it can find it!!!!
>
>
> Carter
>
>
> On Mar 21, 2007, at 11:24 AM, Peter Van Epp wrote:
>
> > On Tue, Mar 20, 2007 at 11:00:12PM +0800, CS Lee wrote:
> >> Carter,
> >>
> >> I have grabbed the latest rc42 source -
> >>
> >> ./configure --prefix=/usr/local/stow/argus-3rc42 --with-sasl=/usr/loal
> >> ..........
> >> checking for ranlib... ranlib
> >> checking if unaligned accesses fail... no
> >> checking sasl/sasl.h usability... no
> >> checking sasl/sasl.h presence... no
> >> checking for sasl/sasl.h... no
> >> configure: error: sasl2 not found. see the INSTALL for more info
> >>
> >> No chance to test out anything unless it gets compiled :(
> >>
> >> Anyone?
> >>
> >
> >       First it needs to be --with-sasl=/usr/local/  but with the sasl2 from
> > ports on 6.1 all that happens is it can't find prop_get() and it still dies
> > :-). As I get some time I'll poke further, there may be two versions of
> > sasl floating around (although cyrus-sasl seems to have come from CMU in the
> > ports collection) and this version seems to have sasl as in sasl_getprop()
> > in front of everything (at least from the man page). It may be we can't use
> > the one in ports and need to manually install the same one Carter is using
> > in the argus directory (although ports would be the preferred path for sure).
> >       I'll probably need to do that anyway since I need it on Linux in the
> > end (unless I can find a Suse rpm for sasl2 which I may be able to).
> >
> > Peter Van Epp / Operations and Technical Support
> > Simon Fraser University, Burnaby, B.C. Canada
> >
>
>
> ------------------------------
>
>
> End of Argus-info Digest, Vol 19, Issue 28
> ******************************************
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
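
An added example, not part of the original message or of the argus build scripts: `strings | egrep -i prop_get` matches any byte string containing the name, including `prop_getnames` and `sasl_auxprop_getctx`, so it cannot confirm that `prop_get` itself is a defined, exported symbol. The sketch below checks `nm` output for an exact, defined symbol; the function names and the two sample symbol tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact, defined-symbol check on nm output.
# Function names and sample data are constructed, not taken from argus.

# has_defined_symbol SYMBOL   (reads nm-style lines on stdin)
# Succeeds only if SYMBOL is present as an exact name with a type other
# than "U" (undefined reference). Substring matches do not count.
has_defined_symbol() {
    awk -v want="$1" '
        NF >= 2 {                        # skips "member.o:" headers in archives
            name = $NF; type = $(NF - 1)
            sub(/@.*/, "", name)         # drop ELF version suffix (name@@VER)
            if (name == want && type != "U") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_library LIB SYMBOL: static archives use the normal symbol table,
# everything else is treated as a shared object (dynamic symbol table).
check_library() {
    case $1 in
        *.a) nm -g "$1" ;;
        *)   nm -D "$1" ;;
    esac 2>/dev/null | has_defined_symbol "$2"
}

# Constructed sample: a library that defines prop_get.
sample_nm_exporting() {
cat <<'EOF'
0000000000004a10 T prop_get
0000000000004b80 T prop_getnames
0000000000007c30 T sasl_auxprop_getctx
                 U malloc
EOF
}

# Constructed sample: a library that only references prop_get.
sample_nm_referencing() {
cat <<'EOF'
0000000000001200 T prop_getnames
0000000000003300 T sasl_auxprop_getctx
                 U prop_get
EOF
}

for s in sample_nm_exporting sample_nm_referencing; do
    hits=$($s | grep -ci prop_get)       # what a substring search would report
    if $s | has_defined_symbol prop_get; then v="defines prop_get"
    else v="does not define prop_get"; fi
    echo "$s: $hits substring hits, $v"
done
```

Both samples give three substring hits, but only the first defines `prop_get`. Against a real library the call would be, for example, `check_library /usr/lib/libsasl2.a prop_get`.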