Some problems (bugs?) with argus

Carter Bullard carter at qosient.com
Mon Aug 17 12:09:39 EDT 2009


If we could keep these conversations on the list that would be better.

I thought I had responded to this, sorry if I'm mistaken.

So we use the token 'syn' in the compiler already.  It generates code
to test the SYN bit in the TCP flags variable in the Argus record.
Test this using the client code:
     ra -b - src syn

and you'll see the code that the compiler generates.

I modified the tokens a long time ago, when we started supporting simple
TCP flags filtering for the Netflow imported data (it doesn't have the
concept of TCP state, just TCP flags).

For all practical purposes, this works to get flows that have the syn
bit set in the source; if you add the additional filter for the synack
state, you will get your result:

    ra -b - src syn and not synack

However, this is not really what you are looking for.  We can't reuse
the 'syn' token without another syntactical discriminator, or the
compiler will be a bit unhappy.  So, we need another word for the argus
's' TCP state.  Would 'syninit' work?

Carter


On Aug 17, 2009, at 11:34 AM, Martijn van Oosterhout wrote:

> Back to the matter at hand:
>
> On Wed, Aug 12, 2009 at 9:46 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Martijn,
>> Very interesting problem that broke our sense of direction in flow key
>> generation, and the desire to reuse an existing cache.
>>
>> I have uploaded the release candidate for argus-3.0.2 that has a fix for
>> this problem.
>>   ftp://qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz
>>
>> Give this a run, if you don't mind, and thanks for the packets!!!!
>
> On the latest downloaded versions it works. Thank you very much.
>
> As an aside, the patch I posted originally for the "syn" filter
> doesn't appear to be in there.
> (http://thread.gmane.org/gmane.network.argus/6732). I'm hoping this is
> an oversight, as without this it doesn't appear to be possible to
> match a flow with only a SYNACK but no SYN (the first flow in that
> test pcap I sent).
>
> Thanks in advance,
>
>
> -- 
> Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
>

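The point Carter makes above, that a per-direction TCP flag test (the 'syn' token) is not the same thing as a TCP state test, and Martijn's case of a flow that contains a SYN/ACK but no SYN, are easier to see on a small flow aggregator. The block below is an added example and is not argus or ra code; the tcpdump-style flag letters, the flow-key rule, the treatment of a first-seen SYN/ACK as a reply, the predicate names `src_syn` and `synack`, and the packet list are all assumptions made for this illustration.

```python
"""Toy bidirectional TCP flow aggregator (added example, not argus code).

It separates a flag question ("did the source ever set SYN?") from a state
question ("did the responder answer with a SYN/ACK?"), and shows the case
of a flow whose SYN was never captured but whose SYN/ACK was."""

from dataclasses import dataclass

SYN, ACK, RST = "S", "A", "R"   # tcpdump-style flag letters (assumed here)


@dataclass
class Flow:
    """One bidirectional flow; 'src' is the side taken to be the initiator."""
    src: tuple
    dst: tuple
    src_flags: str = ""            # union of flag letters seen src -> dst
    dst_flags: str = ""            # union of flag letters seen dst -> src
    dst_sent_synack: bool = False  # dst sent SYN and ACK in the same packet


def _merge(flags: str, new: str) -> str:
    return "".join(sorted(set(flags) | set(new)))


def aggregate(packets):
    """packets: iterable of (src_ip, sport, dst_ip, dport, flags).
    Returns Flows in first-seen order.  The key is the unordered endpoint
    pair, so both directions of a connection land on one record.  If the
    first packet seen is a SYN/ACK (the initial SYN was not captured), the
    receiver of that packet is taken as src, because a SYN/ACK is a reply.
    This role rule is an assumption of the example, not argus behaviour."""
    flows, order = {}, []
    for sip, sport, dip, dport, flags in packets:
        a, b = (sip, sport), (dip, dport)
        key = frozenset((a, b))
        if key not in flows:
            if SYN in flags and ACK in flags:
                a, b = b, a        # first packet is a reply: swap roles
            flows[key] = Flow(src=a, dst=b)
            order.append(key)
        f = flows[key]
        if (sip, sport) == f.src:
            f.src_flags = _merge(f.src_flags, flags)
        else:
            f.dst_flags = _merge(f.dst_flags, flags)
            if SYN in flags and ACK in flags:
                f.dst_sent_synack = True
    return [flows[k] for k in order]


def src_syn(f: Flow) -> bool:
    """Flag-style test: the SYN bit in the source direction's flag summary."""
    return SYN in f.src_flags


def synack(f: Flow) -> bool:
    """State-style test: the responder answered with a SYN/ACK.
    The name follows the message above; the definition is this example's own."""
    return f.dst_sent_synack


def src_syn_not_synack(flows):
    """Mirror of the flag-based filter 'src syn and not synack'."""
    return [f for f in flows if src_syn(f) and not synack(f)]


def classify(f: Flow) -> str:
    """Split flows into the cases the thread is concerned with."""
    if src_syn(f) and synack(f):
        return "handshake"              # SYN answered by SYN/ACK
    if src_syn(f) and RST in f.dst_flags:
        return "syn_reset"              # SYN answered by RST (closed port)
    if src_syn(f):
        return "syn_unanswered"         # SYN, nothing came back
    if synack(f):
        return "synack_without_syn"     # the case raised in the reply above
    return "other"


def select(flows, *classes):
    return [f for f in flows if classify(f) in classes]


# Constructed packets (not captured traffic): four connections to 10.0.0.9.
PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.9", 80, "S"),    # full handshake
    ("10.0.0.9", 80, "10.0.0.5", 40000, "SA"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, "A"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, "PA"),
    ("10.0.0.5", 40001, "10.0.0.9", 443, "S"),   # SYN, retransmitted, no reply
    ("10.0.0.5", 40001, "10.0.0.9", 443, "S"),
    ("10.0.0.9", 22, "10.0.0.7", 51000, "SA"),   # SYN/ACK seen, SYN never captured
    ("10.0.0.7", 51000, "10.0.0.9", 22, "A"),
    ("10.0.0.5", 40002, "10.0.0.9", 8080, "S"),  # SYN answered by RST
    ("10.0.0.9", 8080, "10.0.0.5", 40002, "RA"),
]

FLOWS = aggregate(PACKETS)

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.src[0]}:{f.src[1]} -> {f.dst[0]}:{f.dst[1]} "
              f"src_flags={f.src_flags or '-'} dst_flags={f.dst_flags or '-'} "
              f"=> {classify(f)}")
```

Run as-is, the script lists four flows. The flag filter `src_syn_not_synack` returns the unanswered SYN and the RST-answered SYN, but never the third flow, whose source direction carries no SYN at all; that flow is only reachable through the state-style `synack` predicate, which is the gap the quoted reply describes.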