Some problems (bugs?) with argus
Martijn van Oosterhout
kleptog at gmail.com
Tue Aug 18 03:12:31 EDT 2009
Also to list.
---------- Forwarded message ----------
From: Martijn van Oosterhout <kleptog at gmail.com>
Date: Tue, Aug 18, 2009 at 9:11 AM
Subject: Re: [ARGUS] Some problems (bugs?) with argus
To: Carter Bullard <carter at qosient.com>
On Mon, Aug 17, 2009 at 6:09 PM, Carter Bullard<carter at qosient.com> wrote:
> If we could keep these conversations on the list that would be better.
>
> I thought I had responded to this, sorry if I'm mistaken.
>
> So we use the token 'syn' in the compiler already. It generates code
> to test the SYN bit in the TCP flags variable in the Argus record. Test
> this using the client code:
> ra -b - src syn
>
> and you'll see the code that the compiler generates.
Yeah, I understand that the use of syn here is unambiguous, since the
state and the flag are called the same.
> However, this is not really what you are looking for. We can't reuse the
> 'syn' token, without another syntactical discriminator, or the compiler
> will be a bit unhappy.
> So, we need another word for the argus 's' TCP state. Would 'syninit'
> work?
The solution I'd favour is that you'd need a syntactic discriminator
for the flags, since I'm matching on flows and the flags apply to
individual packets. However, this poses a huge backward compatibility
issue so not going to happen.
Maybe you can have the two possibilities:
tcpstate syn
tcpflag syn
which differentiates and at the same time is self documenting.
However, if we're going to do it in one word, I'd prefer 'synstate' to
'syninit'.
Have a nice day,
--
Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
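The distinction the thread turns on, a per-packet flag bit versus a per-flow TCP state, as an added illustration that is not part of the original message and not argus code. The flag bits are the standard TCP header values; the flow state machine, the state names ('syninit' standing in for the argus 's' state), the 'tcpflag'/'tcpstate' matchers and the sample packets are all constructed here. It shows why a 'syn' filter that only tests the flag bit also matches SYN-ACKs and completed handshakes, while a state test isolates flows whose SYN was never answered, which is what a defender looking for half-open connections or scan activity actually wants.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP header flag bits (RFC 793, plus ECE/CWR from RFC 3168).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}

Packet = Tuple[str, str, int]   # (src endpoint, dst endpoint, TCP flags byte)


def match_tcpflag(flags: int, name: str) -> bool:
    """Per-packet test, as a bare 'syn' filter token does: is the bit set?
    Both the initial SYN and the responder's SYN-ACK match this."""
    return bool(flags & TCP_FLAGS[name])


@dataclass
class Flow:
    initiator: str          # endpoint that sent the first packet we saw
    responder: str
    state: str = "new"      # hypothetical state names, see advance()


def _key(src: str, dst: str) -> Tuple[str, str]:
    # Direction-independent flow key; direction is kept in Flow itself.
    return tuple(sorted((src, dst)))


def advance(flow: Flow, src: str, flags: int) -> None:
    """Hypothetical per-flow state machine (not argus's own state table).
    'syninit' plays the role of the argus 's' state from the thread: the
    initiator's SYN has been seen and nothing has answered it yet."""
    syn, ack = flags & TCP_FLAGS["syn"], flags & TCP_FLAGS["ack"]
    if flags & TCP_FLAGS["rst"]:
        flow.state = "reset"
    elif flags & TCP_FLAGS["fin"]:
        flow.state = "fin"
    elif flow.state == "new" and src == flow.initiator and syn and not ack:
        flow.state = "syninit"
    elif flow.state == "syninit" and src == flow.responder and syn and ack:
        flow.state = "synack"
    elif flow.state == "synack" and src == flow.initiator and ack and not syn:
        flow.state = "established"
    # any other packet leaves the state as it is


def track_flows(packets: List[Packet]) -> Dict[Tuple[str, str], Flow]:
    """Fold a packet list into per-flow state."""
    flows: Dict[Tuple[str, str], Flow] = {}
    for src, dst, flags in packets:
        k = _key(src, dst)
        if k not in flows:
            flows[k] = Flow(initiator=src, responder=dst)
        advance(flows[k], src, flags)
    return flows


def match_tcpstate(flow: Flow, name: str) -> bool:
    """Per-flow test: 'tcpstate syn' matches flows still in the initial SYN."""
    return flow.state == ("syninit" if name == "syn" else name)


def compare(packets: List[Packet]):
    """Return (number of packets matching 'tcpflag syn',
               list of (initiator, responder) flows matching 'tcpstate syn')."""
    flows = track_flows(packets)
    flag_hits = sum(1 for _, _, f in packets if match_tcpflag(f, "syn"))
    stuck = [(fl.initiator, fl.responder)
             for fl in flows.values() if match_tcpstate(fl, "syn")]
    return flag_hits, stuck


# Constructed sample traffic: one completed handshake, one SYN that was never
# answered, and one SYN answered with a RST.
SYN, ACK, RST = TCP_FLAGS["syn"], TCP_FLAGS["ack"], TCP_FLAGS["rst"]
SAMPLE: List[Packet] = [
    ("10.0.0.1:40000", "10.0.0.2:80", SYN),
    ("10.0.0.2:80", "10.0.0.1:40000", SYN | ACK),
    ("10.0.0.1:40000", "10.0.0.2:80", ACK),
    ("10.0.0.1:40001", "10.0.0.2:22", SYN),
    ("10.0.0.1:40002", "10.0.0.2:443", SYN),
    ("10.0.0.2:443", "10.0.0.1:40002", RST | ACK),
]

if __name__ == "__main__":
    flag_n, half_open = compare(SAMPLE)
    print(f"packets matching 'tcpflag syn': {flag_n}")
    print(f"flows matching 'tcpstate syn': {half_open}")
```

On the sample, the flag test hits four packets across all three flows, while the state test isolates only the flow to port 22 whose SYN was never answered. That is the reason a single 'syn' token cannot serve both meanings, and why the two-word forms keep the filter self-documenting.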