PF ring support in argus

Carter Bullard carter at qosient.com
Fri Oct 12 11:11:59 EDT 2007


Gentle people,
So, we don't really need to do anything in argus, as it seems
to be driven by environment variables (assuming you're using
the shared library strategy).  But that doesn't sound very
elegant.

So I can add to argus.conf:

    ARGUS_ENV="name=value"

And we can allow for any environment variable to be set?
Is this dangerous?  I'm thinking that it's pretty benign, as long
as we're careful on buffer overflow etc., but it also would be
trivial to allow only specific environment variables?  I'm sure
that someone will think that it's dangerous, but in the
Bell-LaPadula scheme of things, it probably is not a real issue.

Comments?

Carter


On Oct 12, 2007, at 10:39 AM, Jason Ish wrote:

> On Fri, Oct 12, 2007 at 10:32:36AM -0400, Carter Bullard wrote:
>> Hey Peter,
>> Ok, I'll take a look to see what I need to do.  If we need to add a
>> parameter, would it be reasonable to put it just in the argus.conf,
>> or will we need a command line option?
>
> The most basic way to activate the mmap ring is to set the PCAP_FRAMES
> environment variable.  If that is not set, I believe it falls back to
> normal pcap methods.
>
> There are other variables as well that replace some normal tcpdump
> style command line options which are covered in README.ring from the
> mmap pcap distribution.
>
> -- Jason
>
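
Added example, not part of the original message and not argus code: one way the "allow only specific environment variables" option raised above could look in C, with the bounds checks the message mentions. The function name `argus_env_apply`, the length limits, the value character set and the one-entry allowlist (`PCAP_FRAMES`, the only variable named in the thread) are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() */
#endif
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define ENV_NAME_MAX  64          /* assumed bounds, not argus limits */
#define ENV_VALUE_MAX 256

/* Assumed allowlist: PCAP_FRAMES is the only variable named in the thread. */
static const char *const env_allowed[] = { "PCAP_FRAMES", NULL };

/* Hypothetical handler for an ARGUS_ENV="name=value" directive.
 * Returns 0 if the variable was set, -1 if the entry was rejected. */
int argus_env_apply(const char *entry)
{
    char name[ENV_NAME_MAX];
    const char *eq, *val, *p;
    size_t nlen, vlen;
    int i;

    if (entry == NULL || (eq = strchr(entry, '=')) == NULL)
        return -1;                      /* no '=' separator */

    nlen = (size_t)(eq - entry);
    if (nlen == 0 || nlen >= sizeof(name))
        return -1;                      /* empty or oversized name */
    memcpy(name, entry, nlen);          /* length checked above */
    name[nlen] = '\0';

    for (i = 0; env_allowed[i] != NULL; i++)
        if (strcmp(name, env_allowed[i]) == 0)
            break;
    if (env_allowed[i] == NULL)
        return -1;                      /* not on the allowlist */

    val = eq + 1;
    vlen = strlen(val);
    if (vlen == 0 || vlen > ENV_VALUE_MAX)
        return -1;                      /* empty or oversized value */
    for (p = val; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '.')
            return -1;                  /* conservative value charset */

    return setenv(name, val, 1) == 0 ? 0 : -1;
}
```

Because names are matched against a fixed list before `setenv()` is called, variables that influence the dynamic loader or other libraries cannot be set through the configuration file, whoever is able to edit it.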


