ra -M hex bug

CS Lee geek00l at gmail.com
Sat Apr 18 12:16:17 EDT 2009 

hi carter,

After I applied the patch, the segfault gone, thanks!

On Thu, Apr 16, 2009 at 1:56 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey CS Lee,Here is a patch that should deal with the segfault when using
> -M hex option?Send email if you have any problems!!!
>
> Thanks for all the help!!!
>
> Carter
>
> ==== //depot/argus/clients/clients/ra.c#38 -
> /home/carter/argus/clients/clients/ra.c ====
> 344,356c344,358
> <                struct ArgusDataStruct *user = NULL;
> <                if (parser->RaPrintAlgorithmList[i]->print ==
> ArgusPrintSrcUserData) {
> <                   int slen = 0, len =
> parser->RaPrintAlgorithmList[i]->length;
> <                   if (len > 0) {
> <                      if ((user = (struct ArgusDataStruct
> *)argus->dsrs[ARGUS_SRCUSERDATA_INDEX]) != NULL) {
> <                         if (user->hdr.type == ARGUS_DATA_DSR) {
> <                            slen = (user->hdr.argus_dsrvl16.len - 2 ) * 4;
> <                         } else
> <                            slen = (user->hdr.argus_dsrvl8.len - 2 ) * 4;
> <
> <                         slen = (user->count < slen) ? user->count : slen;
> <                         slen = (slen > len) ? len : slen;
> <                         ArgusDump ((const u_char *) &user->array, slen, "
>      ");
> ---
> >                if (parser->RaPrintAlgorithmList[i] != NULL) {
> >                   struct ArgusDataStruct *user = NULL;
> >                   if (parser->RaPrintAlgorithmList[i]->print ==
> ArgusPrintSrcUserData) {
> >                      int slen = 0, len =
> parser->RaPrintAlgorithmList[i]->length;
> >                      if (len > 0) {
> >                         if ((user = (struct ArgusDataStruct
> *)argus->dsrs[ARGUS_SRCUSERDATA_INDEX]) != NULL) {
> >                            if (user->hdr.type == ARGUS_DATA_DSR) {
> >                               slen = (user->hdr.argus_dsrvl16.len - 2 ) *
> 4;
> >                            } else
> >                               slen = (user->hdr.argus_dsrvl8.len - 2 ) *
> 4;
> >
> >                            slen = (user->count < slen) ? user->count :
> slen;
> >                            slen = (slen > len) ? len : slen;
> >                            ArgusDump ((const u_char *) &user->array,
> slen, "      ");
> >                         }
> 359,367c361,368
> <                }
> <                if (parser->RaPrintAlgorithmList[i]->print ==
> ArgusPrintDstUserData) {
> <                   int slen = 0, len =
> parser->RaPrintAlgorithmList[i]->length;
> <                   if (len > 0) {
> <                      if ((user = (struct ArgusDataStruct
> *)argus->dsrs[ARGUS_DSTUSERDATA_INDEX]) != NULL) {
> <                         if (user->hdr.type == ARGUS_DATA_DSR) {
> <                            slen = (user->hdr.argus_dsrvl16.len - 2 ) * 4;
> <                         } else
> <                            slen = (user->hdr.argus_dsrvl8.len - 2 ) * 4;
> ---
> >                   if (parser->RaPrintAlgorithmList[i]->print ==
> ArgusPrintDstUserData) {
> >                      int slen = 0, len =
> parser->RaPrintAlgorithmList[i]->length;
> >                      if (len > 0) {
> >                         if ((user = (struct ArgusDataStruct
> *)argus->dsrs[ARGUS_DSTUSERDATA_INDEX]) != NULL) {
> >                            if (user->hdr.type == ARGUS_DATA_DSR) {
> >                               slen = (user->hdr.argus_dsrvl16.len - 2 ) *
> 4;
> >                            } else
> >                               slen = (user->hdr.argus_dsrvl8.len - 2 ) *
> 4;
> 369,371c370,373
> <                         slen = (user->count < slen) ? user->count : slen;
> <                         slen = (slen > len) ? len : slen;
> <                         ArgusDump ((const u_char *) &user->array, slen, "
>      ");
> ---
> >                            slen = (user->count < slen) ? user->count :
> slen;
> >                            slen = (slen > len) ? len : slen;
> >                            ArgusDump ((const u_char *) &user->array,
> slen, "      ");
> >                         }
> 374c376,377
> <                }
> ---
> >                } else
> >                   break;
>
>
> On Apr 15, 2009, at 9:46 AM, CS Lee wrote:
>
> hi carter,
>
> Herby I attach with the argus file. The segfault happens when I run
>
> ra -M hex -nr ConfickerB9hrs-512.arg3 -s saddr daddr suser duser
>      192.168.1.101    239.255.255.250
>       0x0000     4d2d 5345 4152 4348 202a 2048 5454 502f
> M-SEARCH.*.HTTP/
> Segmentation fault: 11
>
> You can try that with latest argus, I have segfault on FreeBSD 7.1.
>
> Another problem is I try to do regex matching, usually we use \x as prefix
> to match hex code, as sometimes matching with ascii is not feasible, say i
> want to extract the flow that contains \x4d\x2d, i try with
>
> ra -nr ConfickerB9hrs-512.arg3 -e "\x4d\x2d" -s saddr daddr suser:512
> duser:512
>
> It doesn't return any flow which is not true as I have flow with \x4d\x2d
> in the user data bytes.
>
> Hope my question is more clear this time, sorry for the confusion.
>
> Cheers!
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
> <ConfickerB9hrs-512.arg3>
>
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090419/7b2964fd/attachment.html>

More information about the argus mailing list