ARGUSBug - Argus Seg Faults When Analyzing Wireless PCAP File

Carter Bullard carter at qosient.com
Mon Mar 24 08:45:33 EDT 2008


Hey Mathew,
Did you get a chance to do any more testing with wireless argus?
Carter



On Feb 6, 2008, at 10:51 AM, Carter Bullard wrote:

> Hey Mathew,
> You may end up being the wireless guy on the list ;o)
> Well, I haven't tested it with radiotap-like devices, and when I fixed
> the Prism header support, I also added support for AVS headers,
> so doing something to test AVS header parsing would be cool.
>
> I think, for the purposes of the argus-3.0.0 release, all I need to do
> now is test the check for when there is a device type we don't
> support, we generate a useful error message, and exit cleanly.
> The new code on the server should do that correctly, now.
>
> For argus-3.1.0, next step, we should propagate the information
> in the monitor headers into the argus records, so we do some
> wireless fingerprinting and get the signal and noise behavior for
> location tracking etc......  Also getting performance information on
> the beacons would be good.
>
> There is a big issue with the packet capture you used to report
> the bug.  None of the Prism header data was converted to big-endian,
> so on big-endian machines the data is pretty much garbage.  I put
> in a fix for this, and so we can now use this data on any platform.
>
> Propagating the semantics in the wireless monitor headers is pretty
> straightforward, ssid channel etc....  The interesting part is the
> signal and noise information.  I can do avg, or first or last signal/
> noise values seen in the flow reporting interval, and possibly
> a vector for whether the last was getting higher or lower from
> the reported value.  That may be all that we need to do for argus(),
> but when we aggregate these values, I think doing something
> like what we're doing for packet sizes makes some sense (max,
> min, avg, stdev).
>
> Any thoughts?
>
> Carter
>
> On Feb 6, 2008, at 2:26 AM, Mathew Brown wrote:
>
>> Hi Carter,
>> Thank you for the clarification.  Should I try to test it with other
>> wireless pcaps to make sure they are covered or was the Prism chipset
>> an exception?
>>
>> On Tue, 5 Feb 2008 01:08:22 -0500, "Carter Bullard" <carter at qosient.com>
>> said:
>>> Hey Mathew,
>>> Your/our problem is not like that.  We were crashing before reading any
>>> data on the wire, as the interface type was unknown to argus().  But,
>>> no program is completely immune from getting garbage and having to
>>> deal with it.  We do a pretty good job of that, and the network helps
>>> a great deal in that if it's on the network, it has passed a number of
>>> checks (length, format, type, etc...).
>>>
>>> Argus doesn't have to run as root, we support setuid() and setgrp()
>>> calls to 'degrade' its capabilities, and if it does have to run as root
>>> for whatever reason, you can control where it functions on your
>>> system using chroot().  Check out the argus.conf file in ./common/Config
>>> and you'll see what support we have.
>>>
>>>
>>> Carter
>>>
>>>
>>>
>>> On Feb 4, 2008, at 11:23 PM, Mathew Brown wrote:
>>>
>>>> Hi Carter,
>>>>
>>>> Thank you for your super fast fix.  I tried it out and it looks like
>>>> it's working fine (no seg faults).  However, this does bring about a
>>>> question:  if argus is listening on a network interface and a user is
>>>> able to send it unexpected input, could they crash your argus sensor
>>>> (seg fault it) and possibly worse - since argus is usually run as the
>>>> super user?  Or does argus by default protect and report __bad
>>>> traffic__ with the wireless pcap below being an exception?  Thanks.
>>>>
>>>> On Mon, 4 Feb 2008 22:01:24 -0500, "Carter Bullard" <carter at qosient.com>
>>>> said:
>>>>> Hey Mathew,
>>>>> Did you get a chance to test the new argus-3.0.0.tar.gz that is on the
>>>>> server?
>>>>> Carter
>>>>>
>>>>>
>>>>> On Feb 1, 2008, at 12:05 AM, Mathew Brown wrote:
>>>>>
>>>>>>> Description:
>>>>>>
>>>>>> Argus Seg Faults When Analyzing Wireless PCAP File
>>>>>>
>>>>>> I ran into a pcap file when reading the article: "Wireless Forensics:
>>>>>> Tapping the Air - Part Two" - http://www.securityfocus.com/print/infocus/1885.
>>>>>> The actual pcap file can be downloaded directly from here:
>>>>>> http://www.raulsiles.com/downloads/VoIP_roaming_session.zip
>>>>>> After unzipping, running:
>>>>>>
>>>>>> argus -r merged_voip_roaming_session.pcap -w merged_voip_roaming_session.pcap.argus
>>>>>>
>>>>>> would give me the error:
>>>>>>
>>>>>> Segmentation Fault
>>>>>>
>>>>>>> How-To-Repeat:
>>>>>>
>>>>>> See Description
>>>>>>
>>>>>>> Fix:
>>>>>>
>>>>>> None that I know of.
>>>>>>
>>>>>>> Submitter-Id:  None
>>>>>>> Originator:    mathewbrown at fastmail.fm
>>>>>>> Organization:	None
>>>>>>> ARGUS support: none
>>>>>>> Release:       argus-3.0
>>>>>>> Product:       argus
>>>>>>> Synopsis:      Argus Seg Faults When Analyzing Wireless PCAP File
>>>>>>> Class:	        sw-bug
>>>>>>> Severity:      non-critical
>>>>>>> Priority:      low/medium
>>>>>>
>>>>>>> Environment:   <machine, os, target, libraries (multiple lines)>
>>>>>>
>>>>>> System:  Linux deb 2.6.22-grml #1 SMP PREEMPT Tue Jul 10 00:35:57 CEST 2007 i686 GNU/Linux
>>>>>>
>>>>>>
>>>>>> Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make /usr/bin/gcc
>>>>>>
>>>>>> ARGUS:   Argus Version 3.0.0
>>>>>> RA:      Ra Version 3.0.0.rc.68
>>>>>>
>>>>>>
>>>>>> GCC:     Using built-in specs.
>>>>>> Target: i486-linux-gnu
>>>>>> Configured with: ../src/configure -v
>>>>>> --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr
>>>>>> --enable-shared --with-system-zlib --libexecdir=/usr/lib
>>>>>> --without-included-gettext --enable-threads=posix --enable-nls
>>>>>> --with-gxx-include-dir=/usr/include/c++/4.1.3 --program-suffix=-4.1
>>>>>> --enable-__cxa_atexit --enable-clocale=gnu --enable-libstdcxx-debug
>>>>>> --enable-mpfr --enable-checking=release i486-linux-gnu
>>>>>> Thread model: posix
>>>>>> gcc version 4.1.3 20080114 (prerelease) (Debian 4.1.2-19)
>>>>>>
>>>>>> LIBC:
>>>>>> lrwxrwxrwx 1 root root 11 2007-12-14 13:55 /lib/libc.so.6 -> libc-2.7.so
>>>>>> -rwxr-xr-x 1 root root 1356012 2007-12-07 11:38 /lib/libc-2.7.so
>>>>>> -rw-r--r-- 1 root root 3030784 2007-12-07 11:39 /usr/lib/libc.a
>>>>>> -rw-r--r-- 1 root root 238 2007-12-07 11:11 /usr/lib/libc.so
>>>>>>
>>>>>> PS.  I had trouble sending the report using argusbug due to SMTP being
>>>>>> unavailable, so I'm sending it via web mail.  I also tried running it
>>>>>> through argus on my Fedora 8 box and it would also seg fault.
>>>>>> -- 
>>>>>> Mathew Brown
>>>>>> mathewbrown at fastmail.fm
>>>>>>
>>>>>> -- 
>>>>>> http://www.fastmail.fm - The professional email service
>>>>>>
>>>>>>
>>>> -- 
>>>> Mathew Brown
>>>> mathewbrown at fastmail.fm
>>>>
>>>> -- 
>>>> http://www.fastmail.fm - The way an email service should be
>>>>
>>>>
>> -- 
>> Mathew Brown
>> mathewbrown at fastmail.fm
>>
>> -- 
>> http://www.fastmail.fm - A fast, anti-spam email service.
>>
>>
>
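Added example, not argus code and not from either Carter's or Mathew's messages: a small C reader for the four 802.11 capture link types libpcap defines, illustrating the two points made in the thread above, the clean error on a device type the reader does not support (instead of the segfault Mathew hit), and reading the Prism and AVS monitor header fields byte by byte so the channel, signal and noise values come out the same on little- and big-endian hosts. The DLT_ numbers are libpcap's real values; the Prism layout (144 bytes: msgcode, msglen, devname, then ten 12-byte items) and the AVS v1 layout (64 bytes, big-endian) are assumed here from the respective driver header formats; `parse_monitor_header`, `make_prism_sample`, the return codes and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* libpcap DLT_ values for 802.11 captures */
#define DLT_IEEE802_11            105   /* bare 802.11 frames               */
#define DLT_PRISM_HEADER          119   /* Prism monitoring header          */
#define DLT_IEEE802_11_RADIO      127   /* radiotap                         */
#define DLT_IEEE802_11_RADIO_AVS  163   /* AVS "wlancap" header             */

/* Layout assumptions for this example (see lead-in) */
#define PRISM_HDR_LEN   144
#define PRISM_ITEM_LEN  12          /* did(4) status(2) len(2) data(4)  */
#define AVS_MAGIC_V1    0x80211001u
#define AVS_HDR_LEN_V1  64

enum { MON_OK = 0, MON_UNSUPPORTED_DLT = -1, MON_TRUNCATED = -2, MON_BAD_HEADER = -3 };

struct mon_info {
    size_t hdr_len;     /* bytes to skip before the 802.11 frame starts */
    int channel;
    int signal;
    int noise;
};

/* Byte-wise accessors: these give the same value on little- and big-endian
 * hosts, which is exactly what the un-converted Prism data in the thread lacked. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* data word of Prism item i (items follow the 24-byte fixed part) */
static uint32_t prism_item_data(const uint8_t *hdr, int i) {
    return le32(hdr + 24 + i * PRISM_ITEM_LEN + 8);
}

int parse_monitor_header(int dlt, const uint8_t *buf, size_t len, struct mon_info *out)
{
    memset(out, 0, sizeof *out);
    switch (dlt) {
    case DLT_IEEE802_11:
        return MON_OK;                          /* nothing in front of the frame */
    case DLT_PRISM_HEADER:
        if (len < PRISM_HDR_LEN) return MON_TRUNCATED;
        if (le32(buf + 4) != PRISM_HDR_LEN) return MON_BAD_HEADER;   /* msglen */
        out->hdr_len = PRISM_HDR_LEN;
        /* item order: hosttime, mactime, channel, rssi, sq, signal, noise, rate, istx, frmlen */
        out->channel = (int)prism_item_data(buf, 2);
        out->signal  = (int)prism_item_data(buf, 5);
        out->noise   = (int)prism_item_data(buf, 6);
        return MON_OK;
    case DLT_IEEE802_11_RADIO: {
        if (len < 4) return MON_TRUNCATED;
        uint16_t it_len = le16(buf + 2);        /* radiotap length is little-endian */
        if (it_len < 8 || it_len > len) return MON_BAD_HEADER;
        out->hdr_len = it_len;
        return MON_OK;
    }
    case DLT_IEEE802_11_RADIO_AVS: {
        if (len < 8) return MON_TRUNCATED;
        if (be32(buf) != AVS_MAGIC_V1) return MON_BAD_HEADER;
        uint32_t caplen = be32(buf + 4);        /* AVS fields are big-endian */
        if (caplen < AVS_HDR_LEN_V1 || caplen > len) return MON_BAD_HEADER;
        out->hdr_len = caplen;
        out->channel = (int)be32(buf + 28);
        out->signal  = (int32_t)be32(buf + 48);
        out->noise   = (int32_t)be32(buf + 52);
        return MON_OK;
    }
    default:
        return MON_UNSUPPORTED_DLT;             /* caller reports it and exits cleanly */
    }
}

/* Constructed sample: a Prism header (channel 6, signal 45, noise 12) written
 * little-endian as an x86 Linux driver would, followed by 4 frame bytes. */
size_t make_prism_sample(uint8_t *buf, size_t cap)
{
    const size_t n = PRISM_HDR_LEN + 4;
    if (cap < n) return 0;
    memset(buf, 0, n);
    buf[0] = 0x41;                               /* msgcode */
    buf[4] = PRISM_HDR_LEN;                      /* msglen = 144, low byte first */
    memcpy(buf + 8, "wlan0", 5);                 /* devname */
    buf[24 + 2 * PRISM_ITEM_LEN + 8] = 6;        /* channel item data */
    buf[24 + 5 * PRISM_ITEM_LEN + 8] = 45;       /* signal item data  */
    buf[24 + 6 * PRISM_ITEM_LEN + 8] = 12;       /* noise item data   */
    buf[PRISM_HDR_LEN] = 0x80;                   /* frame control byte of a beacon */
    return n;
}

int main(void)
{
    uint8_t pkt[256];
    size_t n = make_prism_sample(pkt, sizeof pkt);
    struct mon_info mi;
    int dlts[] = { DLT_PRISM_HEADER, 999 };      /* 999: a DLT this reader does not handle */
    for (size_t i = 0; i < 2; i++) {
        int rc = parse_monitor_header(dlts[i], pkt, n, &mi);
        if (rc == MON_UNSUPPORTED_DLT) {
            fprintf(stderr, "unsupported link type %d: exiting cleanly\n", dlts[i]);
            continue;                            /* a real reader would exit(1) here */
        }
        printf("dlt %d rc %d hdr_len %zu ch %d sig %d noise %d\n",
               dlts[i], rc, mi.hdr_len, mi.channel, mi.signal, mi.noise);
    }
    return 0;
}
```

The design choice is that every header field is read through `le32`/`be32` from the packet bytes rather than by casting the buffer to a struct, so a capture taken on an x86 box decodes identically on a big-endian sensor, and that the length checks run before any field is touched, so a truncated or malformed header is reported rather than read past.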



