new clients rc.58 on the server

Patrick Forsberg fors at chalmers.se
Thu Oct 4 09:01:23 EDT 2007 

Carter Bullard wrote:
> Gentle people,
> ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.0.rc.58.tar.gz

> If anyone finds any issues, regardless of wether its code, installation
> problems, documentation errors, etc....   please send email!!!!!


It would seem that rastrip is still broken

We collect argusdata on two nodes with two NICs each (IN and OUT).
We collect 12 bytes of user DATA.
We merge the data from the two nodes with racluster

Because of policy we need to clean out userdata after a period of time,
but right now we don't trust rastrip since it looks as if it does things
with the data that it shouldn't

Here's a representation of the problem:

#Sort the indata (since it comes from more than one collector)
rasort -r /var/log/argus/2007/10/03-0000 -w 100300.rasort
#Strip userdata from logfiles
rastrip -M -suser -M -duser -r 100300.rasort -w 100300.rasort.strip1
#Strip userdata again (should do nothing)
rastrip -M -suser -M -duser -r 100300.rasort.strip1 -w 100300.rasort.strip2
#Plaintext the stripped files
ra -r 100300.rasort.strip1 >strip1
ra -r 100300.rasort.strip2 >strip2

# I would expect the second run of rastrip to do nothing to the data since the
# only thing it's supposed to do is remove suser and duser and that should
# already be gone. But a simple comparison of the text output shows that
# something funky is happening to some of the flows.

#Compare the two plaintext files. There should be no difference.
diff strip1 strip2
10703c10703
<    23:55:11.467660            tcp     1.2.3.4.63212     ->       2.3.4.5.smtp          1        2           68          198   RST
---
>    23:54:59.085949            tcp     1.2.3.4.63212     ->       2.3.4.5.smtp          1        2           68          198   RST
10760c10760
<    23:55:11.579806    d       tcp      3.4.5.6.55954     ->      2.3.4.6.smtp          1        1           60           60   RST
---
>    23:54:58.833879    d       tcp      3.4.5.6.55954     ->      2.3.4.6.smtp          1        1           60           60   RST
19540c19540
<    23:55:29.428842    d       tcp    4.5.6.7.3014      ->       2.3.4.7.http          7       12          426        15047   FIN
---
>    23:54:57.897868    d       tcp    4.5.6.7.3014      ->       2.3.4.7.http          7       12          426        15047   FIN
23914c23914
<    23:55:37.793078  e         tcp    5.6.7.8.42565     ->      2.3.4.8.http          3        4          192          264   RST
---
>    23:55:09.038700  e         tcp    5.6.7.8.42565     ->      2.3.4.8.http          3        4          192          264   RST

<REST OF DATA STRIPPED>


Only 24 out of 121773 flows are affected, but that's bad enough.

The collector nodes are running argus-3.0.0 64-bit on a RHEL-4ES 2.6.9-55.ELsmp
racluster is argus-3.0.0.rc.44 32bit on a RHEL-3AS 2.4.21-47.ELsmp
rasort,rastrip and ra above are argus-3.0.0.rc.58 32bit on a RHEL-3AS 2.4.21-47.ELsmp

Regards,

/Patrick

More information about the argus mailing list