Argus on Bivio 7500

Jason Carr jcarr at andrew.cmu.edu
Sun Aug 23 01:15:35 EDT 2009


Although I don't have direct experience with this, I was told that
having two processes running in one "inspection group", such as argus
and snort, would be perfectly fine.  In fact a recent conversation with
one of their tech support guys suggested doing this.  Very soon I hope
to be able to test this and will provide information on success or failure.

I'd be happy to exchange information about our configuration but I  
would think we should do this off list since it's not really argus  
related :)

Why isn't there a Bivio users group yet...?

- Jason

On Aug 21, 2009, at 1:08 PM, Eric Gustafson wrote:

> Hey everyone,
> We've been doing some further experiments with Argus on our Bivios
> in our environment, and have noticed some partial flows, and
> magically disappearing packets when compared to our
> currently-in-production Dell-based sensor.
> We figured out, however, that the problem is not with Argus or Snort  
> (the other app running on our Bivios) specifically, but only happens  
> when we combine the two.
> We were able to track this down by running full packet captures on a  
> box inside our network, a box outside our network, and both sensors,  
> while making some transmissions of known size and content.
> A huge percentage of the packets captured by tethereal on the Bivio  
> would be missing when both Snort and Argus were running at once,  
> with no noticeable pattern. Sounds to me like some sort of race  
> condition.
>
> Is anyone else here running Argus with another app on your Bivio,  
> and if so, how do you have it configured?  Also, which NIMs do you  
> have and how much traffic are you processing?
>
> FTR, we're using ours in a monitoring configuration, with a mirror  
> port on our main router configured to send a copy of all traffic to  
> our 10G NIM.  We're seeing not too far over 1.5G of traffic on  
> average, but this is growing slowly, and large spikes happen often.   
> Our CIG has all traffic load-balanced across all four APC cores.
> (2-tuple vs 5-tuple load balancing seems to make no difference here)
>
> TIA,
> Eric
>
> On Tue, Aug 11, 2009 at 3:38 PM, Peter Van Epp <vanepp at sfu.ca> wrote:
> On Tue, Aug 11, 2009 at 10:36:03AM -0400, Carter Bullard wrote:
> > Hey Peter,
> > Its possible the routine ArgusGetInterfaceStatus(), called from
> > ArgusGetPackets(), around
> > line 2044, which does some interface housekeeping, is broken on the
> > Bivio and maybe closing
> > the pcap interfaces?
> >
> > Carter
> >
>
>        Yes that looks like a good possibility. While looking back at  
> the
> messages I came across this trace that Jason did. It does look like  
> the
> interface may have gotten closed (silently!) at around line 2500. If  
> the
> ioctl fails the interface will be quietly closed which would cause the
> problem we are seeing later in the trace (no open interface as found  
> never
> gets incremented). I expect Jason needs to trace in to the call at  
> line 2019
> and we would probably be wise to add an ARGUSDEBUG statement or two to
> ArgusGetInterfaceStatus such as:
>
> line 2476:
>
>  if (device == NULL) {
>
> #ifdef ARGUSDEBUG
>    ArgusDebug (4, "ArgusGetInterfaceStatus: device NULL returning\n");
> #endif
>    return;
>  }
>
> line 2503:
>
>        src->ArgusInterface[i].ArgusPD = NULL;
> #ifdef ARGUSDEBUG
>    ArgusDebug (4, "ArgusGetInterfaceStatus: interface %d closed, returning\n", i);
> #endif
>
>        I suspect we will find the last one is what is tripping us up  
> this
> time. That ioctl is reacting badly on the Bivio perhaps. It would  
> also be
> worthwhile doing a tail on /var/log/messages (assuming this is  
> Linux) as a
> number of errors syslog but don't ARGUSDEBUG log and one of them may  
> provide
> the necessary clue.
>
>
> On Mon, Aug 10, 2009 at 11:17:36AM -0400, Jason Carr wrote:
> > I've attached the gdb output and the configure log.  It looks like
> > pcap_get_selectable_fd is not available.
> >
> > The gdb log doesn't seem indicate that it even touched  
> pcap_dispatch.
> >
> <snip>
>
> > Starting program: /usr/local/sbin/argus -U 128 -i default -P 563 - 
> e 1 -B 0.0.0.0 -D 999
> > Reading symbols from shared object read from target memory...done.
> > Loaded system supplied DSO at 0x100000
> <snip>
>
>        As before it seems to open default successfully:
>
> > argus[5858]: 10 Aug 09 11:13:11.782693 ArgusOpenInterface()  
> pcap_open_live(default) returned 0x1012f590
> > argus[5858]: 10 Aug 09 11:13:11.782790  
> Arguslookup_pcap_callback(1) returning 0x1000e940
> > argus[5858]: 10 Aug 09 11:13:11.782835  
> ArgusOpenInterface(0x30070008, 'default') returning
> <snip>
>
>        And we start to try and read packets from the interface but
> nowhere does found get incremented, which will result in the break at
> line 2239 executing and exiting exactly as we are seeing. This in turn
> could well be because the pcap interface was quietly closed earlier.
>
> >
> > Breakpoint 1, ArgusGetPackets (src=0x30070008) at ArgusSource.c:2000
> > 2000       if (src != NULL) {
> > (gdb) next
> > 2002          ArgusDebug (4, "ArgusGetPackets (0x%x) starting\n",  
> src);
> > (gdb)
> > 2022          for (i = 0; i < src->ArgusInterfaces; i++) {
> > (gdb)
> > 2002          ArgusDebug (4, "ArgusGetPackets (0x%x) starting\n",  
> src);
> > (gdb)
> > argus[5858]: 10 Aug 09 11:13:15.638386 ArgusGetPackets  
> (0x30070008) starting
> > 2006             fds[i] = -1;
> > (gdb)
> > 2011          signal (SIGPIPE, SIG_IGN);
> > (gdb)
> > 2006             fds[i] = -1;
> > (gdb)
> > 2011          signal (SIGPIPE, SIG_IGN);
> > (gdb)
> > 0x1004fe20 in call___do_global_ctors_aux ()
> > (gdb)
> > Single stepping until exit from function call___do_global_ctors_aux,
> >
> > which has no line number information.
> > 0x0fd6c8d0 in ssignal () from /lib/libc.so.6
> > (gdb)
> > Single stepping until exit from function ssignal,
> > which has no line number information.
> > ArgusGetPackets (src=0x30070008) at ArgusSource.c:2019
> > 2019          ArgusGetInterfaceStatus(src);
> > (gdb)
> > argus[5858]: 10 Aug 09 11:13:17.669976 ArgusPopFrontList  
> (0x1012dd98) returning
> > argus[5858]: 10 Aug 09 11:13:17.670051 ArgusPushFrontList  
> (0x1012dd68, 0x1012dd98, 1) returning 0xd032
> > 2020          gettimeofday (&src->ArgusStartTime, 0L);
> > (gdb)
> > 0x10050340 in call___do_global_ctors_aux ()
> > (gdb)
> > Single stepping until exit from function call___do_global_ctors_aux,
> > which has no line number information.
> > 0x0fdd0c20 in gettimeofday () from /lib/libc.so.6
> > (gdb)
> > Single stepping until exit from function gettimeofday,
> > which has no line number information.
> > ArgusGetPackets (src=0x30070008) at ArgusSource.c:2022
> > 2022          for (i = 0; i < src->ArgusInterfaces; i++) {
> > (gdb)
> > 2023             if (src->ArgusInterface[i].ArgusPd && (fd =  
> pcap_fileno(src->ArgusInterface[i].ArgusPd) >= 0)) {
> > (gdb)
> > 307        src->ArgusInterfaceStatus = value;
> > (gdb)
> > 310        ArgusDebug (1, "setArgusInterfaceStatus(%d)\n", value);
> > (gdb)
> > 2022          for (i = 0; i < src->ArgusInterfaces; i++) {
> > (gdb)
> > 310        ArgusDebug (1, "setArgusInterfaceStatus(%d)\n", value);
> > (gdb)
> > argus[5858]: 10 Aug 09 11:13:40.771988 setArgusInterfaceStatus(0)
> > 2022          for (i = 0; i < src->ArgusInterfaces; i++) {
> > (gdb)
> > 2042          if (!(src->ArgusReadingOffLine)) {
> > (gdb)
> > 2067                   for (i = 0; i < src->ArgusInterfaces; i++) {
> > (gdb)
> > 2252             for (i = 0; i < src->ArgusInterfaces; i++) {
> > (gdb)
> > 2067                   for (i = 0; i < src->ArgusInterfaces; i++) {
> > (gdb)
> > 2069                      src->ArgusThisIndex = i;
> > (gdb)
> > 2070                      if ((fd = fds[i]) != -1) {
> > (gdb)
> > 2067                   for (i = 0; i < src->ArgusInterfaces; i++) {
> > (gdb)
> > 2093                   if (pkts == 0) {
> > (gdb)
> > 2094                      struct timespec tsbuf = {0, 25000000},  
> *ts = &tsbuf;
> > (gdb)
> > 2095                      gettimeofday (&src->ArgusModel- 
> >ArgusGlobalTime, NULL);
> > (gdb)
> > 2094                      struct timespec tsbuf = {0, 25000000},  
> *ts = &tsbuf;
> > (gdb)
> > 2095                      gettimeofday (&src->ArgusModel- 
> >ArgusGlobalTime, NULL);
> > (gdb)
> > 2094                      struct timespec tsbuf = {0, 25000000},  
> *ts = &tsbuf;
> > (gdb)
> > 2095                      gettimeofday (&src->ArgusModel- 
> >ArgusGlobalTime, NULL);
> > (gdb)
> > 0x10050340 in call___do_global_ctors_aux ()
> > (gdb)
> > Single stepping until exit from function call___do_global_ctors_aux,
> > which has no line number information.
> > 0x0fdd0c20 in gettimeofday () from /lib/libc.so.6
> > (gdb)
> > Single stepping until exit from function gettimeofday,
> > which has no line number information.
> > ArgusGetPackets (src=0x30070008) at ArgusSource.c:2096
> > 2096                      nanosleep(ts, NULL);
> > (gdb)
> > 0x1004fd50 in call___do_global_ctors_aux ()
> > (gdb)
> > Single stepping until exit from function call___do_global_ctors_aux,
> > which has no line number information.
> > 0x30014890 in _dl_runtime_resolve () from /lib/ld.so.1
> > (gdb)
> > Single stepping until exit from function _dl_runtime_resolve,
> > which has no line number information.
> > 0x0fde0c7c in nanosleep () from /lib/libc.so.6
> > (gdb)
> > Single stepping until exit from function nanosleep,
> > which has no line number information.
> > 0x0fde0c88 in __nanosleep_nocancel () from /lib/libc.so.6
> > (gdb)
> > Single stepping until exit from function __nanosleep_nocancel,
> > which has no line number information.
> > ArgusGetPackets (src=0x30070008) at ArgusSource.c:2238
> > 2238                if (!found)
> > (gdb)
> > 2259          setArgusFarReportInterval (ArgusModel, "0");
> > (gdb)
> > 2260          ArgusQueueManager(ArgusModel);
> > (gdb)
> > argus[5858]: 10 Aug 09 11:13:53.460484  
> ArgusProcessQueueTimeout(0x1012d008, 0x1012d3e8) done
> > argus[5858]: 10 Aug 09 11:13:53.460593 ArgusQueueManager() turns  
> 1    statusQueue 0    qs 0  items 0    cache 0      resort 0       
> reclaim 0      new 0      sends 0        bsends 0
> > 2262          ArgusOutputProcess(ArgusOutputTask);
> > (gdb)
> > argus[5858]: 10 Aug 09 11:13:59.161973  
> ArgusOutputProcess(0x1012d9f0) starting
> > argus[5858]: 10 Aug 09 11:13:59.162110  
> ArgusOutputStatusTime(0x1012d9f0) done
> > 2266       gettimeofday (&src->ArgusEndTime, 0L);
> > (gdb)
> > 0x10050340 in call___do_global_ctors_aux ()
> > (gdb)
> > Single stepping until exit from function call___do_global_ctors_aux,
> > which has no line number information.
> > 0x0fdd0c20 in gettimeofday () from /lib/libc.so.6
> > (gdb)
> > Single stepping until exit from function gettimeofday,
> > which has no line number information.
> > ArgusGetPackets (src=0x30070008) at ArgusSource.c:2269
> > 2269       ArgusDebug (4, "ArgusGetPackets () returning\n");
> > (gdb)
> > argus[5858]: 10 Aug 09 11:14:02.775186 ArgusGetPackets () returning
> > 2271    }
> > (gdb)
> > main (argc=13, argv=0x7fab6aa4) at argus.c:558
> > 558        ArgusDebug (1, "main() ArgusGetPackets returned:  
> shuting down");
>
> Peter Van Epp
>




More information about the argus mailing list