ARGUSBug - Argus Seg Faults When Analyzing Wireless PCAP File

Carter Bullard carter at qosient.com
Wed Feb 6 10:51:14 EST 2008 

Hey Mathew,
You may end up being the wireless guy on the list ;o)
Well, I haven't tested it with radiotap like devices, and when I fixed
the Prism header support,  I also added support for AVS headers,
so doing something to test AVS header parsing would be cool.

I think, for the purposes of the argus-3.0.0 release, all I need to do
now is test the check for when there is a device type we don't
support, we generate a useful error message, and exit cleanly.
The new code on the server should do that correctly, now.

For argus-3.1.0, next step, we should propagate the information
in the monitor headers into the argus records, so we do some
wireless fingerprinting and get the signal and noise behavior for
location tracking etc......  Also getting performance information on
the beacons would be good.

There is a big issue with the packet capture you used to report
the bug.  Non of the Prism header data was converted to big-endian,
so on big-endian machines the data is pretty much garbage.  I put
in a fix for this, and so we can now use this data on any platform.

Propagating the semantics in the wireless monitor headers is pretty
straight forward, ssid channel etc....  The interesting part is the
signal and noise information.   I can do avg, or first or last signal/
noise values seen in the flow reporting interval, and possibly
a vector for whether the last was getting higher or lower from
the reported value.  That maybe all that we need to do for argus(),
but when we aggregate these values, I think doing something
like what we're doing for packet sizes makes some since (max,
min, avg, stdev).

Any thoughts?

Carter

On Feb 6, 2008, at 2:26 AM, Mathew Brown wrote:

> Hi Carter,
>  Thank you for the clarification.  Should I try to test it with other
>  wireless pcaps to make sure they are covered or was the Prism chipset
>  an exception?
>
> On Tue, 5 Feb 2008 01:08:22 -0500, "Carter Bullard" <carter at qosient.com 
> >
> said:
>> Hey Mathew,
>> Your/our problem is not like that.  We were crashing before reading  
>> any
>> data on the wire, as the interface type was unknown to argus().  But,
>> no program is completely immune from getting garbage and having to
>> deal with it.  We do a pretty good job of that, and the network helps
>> a great
>> deal in that if its on the network, its has passed a number of  
>> checks.
>> (length, format, type, etc...).
>>
>> Argus doesn't have to run as root, we support setuid() and setgrp()
>> calls to 'degrade' its capabilities, and if it does have to run as  
>> root
>> for whatever reason, you can control where it functions on your
>> system using chroot().  Check out the argus.conf file in ./common/ 
>> Config
>> and you'll see what support we have.
>>
>>
>> Carter
>>
>>
>>
>> On Feb 4, 2008, at 11:23 PM, Mathew Brown wrote:
>>
>>> Hi Carter,
>>>
>>> Thank you for your super fast fix.  I tried it out and it looks like
>>> it's working fine (no seg faults).  However, this does bring about a
>>> question:  if argus is listening on a network interface and a user  
>>> is
>>> able to send it unexpected input, could they crash your argus sensor
>>> (seg fault it) and possibly worse - since argus is usually run as  
>>> the
>>> super user?  Of does argus by default protect and report __bad
>>> traffic__ with the wireless pcap below being an exception?  Thanks.
>>>
>>> On Mon, 4 Feb 2008 22:01:24 -0500, "Carter Bullard" <carter at qosient.com
>>>>
>>> said:
>>>> Hey Mathew,
>>>> Did you get a chance to test the new argus-3.0.0.tar.gz that is on
>>>> the
>>>> server?
>>>> Carter
>>>>
>>>>
>>>> On Feb 1, 2008, at 12:05 AM, Mathew Brown wrote:
>>>>
>>>>>> Description:
>>>>> 	
>>>>> Argus Seg Faults When Analyzing Wireless PCAP File
>>>>>
>>>>> I ran into a pcap file when reading the article: "Wireless
>>>>> Forensics:
>>>>> Tapping the Air - Part Two" -
>>>>> http;//www.securityfocus.com/print/infocus/1885.  The actual pcap
>>>>> file
>>>>> can be downloaded directly from here:
>>>>> http://www.raulsiles.com/downloads/VoIP_roaming_session.zip  After
>>>>> unzipping, running:
>>>>>
>>>>> argus -r merged_voip_roaming_session.pcap -w
>>>>> merged_voip_roaming_session.pcap.argus
>>>>>
>>>>> would give me the error:
>>>>>
>>>>> Segmentation Fault
>>>>>
>>>>>> How-To-Repeat:
>>>>>
>>>>> See Description
>>>>>
>>>>>> Fix:
>>>>>
>>>>> None that I know of.
>>>>>
>>>>>> Submitter-Id:  None
>>>>>> Originator:    mathewbrown at fastmail.fm
>>>>>> Organization:	None
>>>>>> ARGUS support: none
>>>>>> Release:       argus-3.0
>>>>>> Product:       argus
>>>>>> Synopsis:      Argus Seg Faults When Analyzing Wireless PCAP File
>>>>>> Class:	        sw-bug
>>>>>> Severity:      non-critical
>>>>>> Priority:      low/medium
>>>>>
>>>>>> Environment:   <machine, os, target, libraries (multiple lines)>
>>>>>
>>>>> System:  Linux deb 2.6.22-grml #1 SMP PREEMPT Tue Jul 10 00:35:57
>>>>> CEST
>>>>> 2007 i686 GNU/Linux
>>>>>
>>>>>
>>>>> Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make
>>>>> /usr/bin/gcc
>>>>>
>>>>> ARGUS:   Argus Version 3.0.0
>>>>> RA:      Ra Version 3.0.0.rc.68
>>>>>
>>>>>
>>>>> GCC:     Using built-in specs.
>>>>> Target: i486-linux-gnu
>>>>> Configured with: ../src/configure -v
>>>>> --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/ 
>>>>> usr
>>>>> --enable-shared --with-system-zlib --libexecdir=/usr/lib
>>>>> --without-included-gettext --enable-threads=posix --enable-nls
>>>>> --with-gxx-include-dir=/usr/include/c++/4.1.3 --program- 
>>>>> suffix=-4.1
>>>>> --enable-__cxa_atexit --enable-clocale=gnu --enable-libstdcxx- 
>>>>> debug
>>>>> --enable-mpfr --enable-checking=release i486-linux-gnu
>>>>> Thread model: posix
>>>>> gcc version 4.1.3 20080114 (prerelease) (Debian 4.1.2-19)
>>>>>
>>>>> LIBC:
>>>>> lrwxrwxrwx 1 root root 11 2007-12-14 13:55 /lib/libc.so.6 ->
>>>>> libc-2.7.so
>>>>> -rwxr-xr-x 1 root root 1356012 2007-12-07 11:38 /lib/libc-2.7.so
>>>>> -rw-r--r-- 1 root root 3030784 2007-12-07 11:39 /usr/lib/libc.a
>>>>> -rw-r--r-- 1 root root 238 2007-12-07 11:11 /usr/lib/libc.so
>>>>>
>>>>> PS.  I had trouble sending the report using argusbug due to SMTP
>>>>> being
>>>>> unavailable, so I'm sending it via web mail.  I also tried running
>>>>> it
>>>>> through argus on my Fedora 8 box and it would also seg fault.
>>>>> -- 
>>>>> Mathew Brown
>>>>> mathewbrown at fastmail.fm
>>>>>
>>>>> -- 
>>>>> http://www.fastmail.fm - The professional email service
>>>>>
>>>>>
>>> -- 
>>> Mathew Brown
>>> mathewbrown at fastmail.fm
>>>
>>> -- 
>>> http://www.fastmail.fm - The way an email service should be
>>>
>>>
> -- 
>  Mathew Brown
>  mathewbrown at fastmail.fm
>
> -- 
> http://www.fastmail.fm - A fast, anti-spam email service.
>
>

More information about the argus mailing list