radium providing random user data

Carter Bullard carter at qosient.com
Tue Nov 24 12:54:47 EST 2009


Hey Jason,
If you don't mind sharing, upload to ftp://qosient.com/incoming.
This is a blind ftp repository, and I never share data files..  Never.
All I need is one record that has the bad behavior, so if you can
get a file that has a bad record with this type of command:

    ra -r bad.data.file -N 1-10 -w smaller.bad.data.file

That is all I need.

Just for completeness, you should be running radium so:
    radium -X -f this_radium.conf

Carter

On Nov 24, 2009, at 11:41 AM, Jason Carr wrote:

> Hi Carter,
> 
> We typically run radium -X -c this_radium.conf.  Here's our radium.conf file:
> 
> RADIUM_DAEMON=no
> RADIUM_MONITOR_ID=0
> RADIUM_MAR_STATUS_INTERVAL=60
> RADIUM_ARGUS_SERVER=bivio:561
> RADIUM_ARGUS_SERVER=bivio:562
> RADIUM_ARGUS_SERVER=bivio:563
> RADIUM_ARGUS_SERVER=bivio:564
> RADIUM_ACCESS_PORT=561
> RADIUM_BIND_IP=127.0.0.1
> RADIUM_OUTPUT_FILE=/data/argus/var/core.out
> 
> How can I get you a few records?  The typical files are around a few MB compressed.
> 
> Thanks,
> 
> Jason
> 
> 
> On Nov 24, 2009, at 10:46 AM, Carter Bullard wrote:
> 
>> Hey Jason,
>> Sorry for the delayed response.  Very busy but now I'm back.
>> I'll take a look.  Any chance you could share a few records, so I can
>> see what the ARGUS_DATA_DSR header looks like?  It may be that
>> it is doing something strange.
>> 
>> What features do you have turned on in your radium.conf file?
>> If you could share that, it would be really helpful.
>> 
>> Carter
>> 
>> On Nov 18, 2009, at 4:22 PM, Jason Carr wrote:
>> 
>>> Hate to reply to my own email, but using argus-clients-3.0.2.beta.11's radium actually contains the proper data in the suser/duser fields.
>>> 
>>> Any thoughts as to what changed to make this happen?
>>> 
>>> - Jason
>>> 
>>> On Nov 16, 2009, at 1:34 PM, Jason Carr wrote:
>>> 
>>>> Hi Carter,
>>>> 
>>>> All flows are non-plaintext flows, which is super confusing, even though if I connect directly there are plenty of plaintext flows.
>>>> 
>>>> Thanks,
>>>> 
>>>> Jason
>>>> 
>>>> 
>>>> On Nov 16, 2009, at 1:16 PM, Carter Bullard wrote:
>>>> 
>>>>> Hey Jason,
>>>>> With each status record, we capture another "whatever number of bytes" of
>>>>> user data.  If argus generates 5 status records for a flow, you'll get 5 sets of
>>>>> user data being captured.   You may be seeing user data from the middle
>>>>> of a session?
>>>>> 
>>>>> Carter
>>>>> 
>>>>> On Nov 16, 2009, at 1:11 PM, Jason Carr wrote:
>>>>> 
>>>>>> Hello everyone,
>>>>>> 
>>>>>> I'm running argus-3.0.2 server and client.  The server is running on a ppc architecture machine, specifically a Bivio box.  The client portion is running on an amd64 machine.
>>>>>> 
>>>>>> I use radium on the amd64 box to connect and multiplex multiple argii running on my Bivio box and it dumps the file onto disk.  Reading this file via 'ra -r filename -s +suser:128 -s +duser:128' provides all of the normal data, such as time, IPs, ports, etc.  The user data seems to be completely off.  Oddly enough, connecting directly to the argii with ra on the amd64 system that radium is running on, real data is displayed.  ra on the ppc machine displays real data as well.
>>>>>> 
>>>>>> Any thoughts as to why this is happening?
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Jason
>>>>>> 
>>>>>> --
>>>>>> Jason Carr
>>>>>> Information Security Engineer
>>>>>> Information Security Office
>>>>>> 
>> Carter Bullard
>> CEO/President
>> QoSient, LLC
>> 150 E 57th Street Suite 12D
>> New York, New York  10022
>> 
>> +1 212 588-9133 Phone
>> +1 212 588-9134 Fax
>> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


