new client code argus-clients-3.0.5.8

Carter Bullard carter at qosient.com
Fri Apr 29 12:38:28 EDT 2011


Gentle People,
Bug fixes for most of the issues raised on the list have been posted to the dev
server as argus-clients-3.0.5.8.  You can find it at:
   http://qosient.com/argus/dev/argus-clients-latest.tar.gz

Here are the relevant ChangeLog entries:

  Fixed closing when printing to stdout fails. (pipe closes)

  Reviewed state filter keyword support, and fixed a bunch of bugs there.
  'start' and 'init' are now equivalent, and we're testing the right place
  in the header, and we added ipstatus == 'con' support.
  Need to go through state output and find ways of matching using filters.

  Added support for changing storage engine in rasqlinsert.
  Fixes for memory management in clients.

Remember, all prior releases can be found in the dev archive directory, if
you need to find a prior version.

Thanks for all the help !!!!

Carter

On Apr 29, 2011, at 12:12 PM, Carter Bullard wrote:

> Hey gentle people,
> OK, so I have fixed the 'con' filter item, and 'init' is now equivalent to 'start'.
> There is some cleanup work to do on all these states, so if you see something that is amiss,
> don't hesitate to send to the list.
> 
> This has uncovered a bug in argus, however.  argus() is reporting most records as 'status',
> even though they may be starting records or status records.  Which means that, currently,
> some argus data is incomplete, and I have a bug to fix in argus().
> The clients should be fine now.
> 
> I'll upload new client software in an hour or so.
> 
> Just as a reminder, when there is a question on filters, be sure and use the "-b" option
> to the ra* program, so that we can see the compiler output, in the bug report.  Sometimes
> that helps in understanding if there is really an error.
> 
> Carter
> 
> On Apr 28, 2011, at 7:16 PM, Carter Bullard wrote:
> 
>> The 'con' term should match flows that are 'connected'.  For UDP, that would be " src pkts gt 0 and dst pkts gt 0 ".
>> I'll go through the flow state indicators tonight as well.
>> 
>> Carter
>> 
>> On Apr 28, 2011, at 10:26 AM, elof2 at sentor.se wrote:
>> 
>>> 
>>> On Thu, 28 Apr 2011, Jesper Skou Jensen wrote:
>>>> I'm trying to do a search for UDP packages that are INT, alternative not INT, but I can't quite figure out how to do this.
>>>> 
>>>> Is it possible to do this with ra directly?
>>> 
>>> Hi Jesper!
>>> 
>>> I thought that a simple 'ra -r log.argus - udp and con' would do the trick, but apparently not. :-(
>>> 
>>> 
>>> The manual only states this:
>>> Ra  filter expressions support primitives that are specific to flow states and can be used to select flow records that were in these states at the time they were generated.  normal, wait, timeout, est or con
>>> 
>>> 
>>> Apparently, flows are only associated with tcp.
>>> There seem to be no primitives for matching connected UDP connections.
>>> 
>>> 
>>> 
>>> A question related to the above:
>>> What is the difference between 'est' and 'con' ?
>>> Both seem to match the same thing, established TCP connections.
>>> 
>>> /Elof
>>> 
>> 
> 

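The definition Carter gives above for 'con' on UDP (packets seen in both directions, i.e. the filter "src pkts gt 0 and dst pkts gt 0") applied as a post-filter over flow records, for anyone stuck on a client where 'udp and con' does not yet match. This is an added example, not code from the thread or from the argus project: the comma-separated record layout is an assumption constructed to mirror the fields of `-s proto saddr sport daddr dport spkts dpkts`, and the sample lines are constructed, not real argus output.

```python
# Added example: apply the 'con' (connected) predicate from the thread to
# per-flow records outside of ra, as a post-filter.  The field layout is an
# assumption (constructed to mirror `-s proto saddr sport daddr dport spkts
# dpkts`); the sample records below are constructed, not argus output.
import csv
import io
from dataclasses import dataclass

FIELDS = ["proto", "saddr", "sport", "daddr", "dport", "spkts", "dpkts"]


@dataclass(frozen=True)
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    spkts: int   # packets seen from src to dst
    dpkts: int   # packets seen from dst to src


def parse_flows(text):
    """Parse comma-separated flow records into Flow objects.

    Lines starting with '#' are comments; any other line must carry
    exactly the FIELDS columns, otherwise the record is rejected rather
    than silently miscounted.
    """
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
        d = dict(zip(FIELDS, row))
        flows.append(Flow(d["proto"].lower(), d["saddr"], int(d["sport"]),
                          d["daddr"], int(d["dport"]),
                          int(d["spkts"]), int(d["dpkts"])))
    return flows


def is_connected(flow):
    """'con' as described in the thread for UDP: traffic in both directions.

    Equivalent to the ra filter 'src pkts gt 0 and dst pkts gt 0'.
    """
    return flow.spkts > 0 and flow.dpkts > 0


def select(flows, proto=None, connected=None):
    """Filter flows by protocol and/or connected state (None = don't care)."""
    out = []
    for f in flows:
        if proto is not None and f.proto != proto:
            continue
        if connected is not None and is_connected(f) != connected:
            continue
        out.append(f)
    return out


# Constructed sample records (not argus output): one answered DNS query,
# one unanswered DNS query, one unanswered SNMP probe, one TCP flow.
SAMPLE = """\
# constructed records for the example
udp,10.0.0.5,51000,10.0.0.53,53,1,1
udp,10.0.0.5,51001,10.0.0.53,53,2,0
udp,192.0.2.9,40000,10.0.0.7,161,1,0
tcp,10.0.0.5,40001,10.0.0.80,80,5,4
"""


def demo():
    """Return the 'udp and con' and 'udp and not con' selections of SAMPLE."""
    flows = parse_flows(SAMPLE)
    return {
        "udp_con": select(flows, proto="udp", connected=True),
        "udp_not_con": select(flows, proto="udp", connected=False),
    }


if __name__ == "__main__":
    for name, selected in demo().items():
        print(name)
        for f in selected:
            print(f"  {f.saddr}:{f.sport} -> {f.daddr}:{f.dport} "
                  f"spkts={f.spkts} dpkts={f.dpkts}")
```

The one-sided UDP records (a query with no reply, a probe with no answer) are the ones a "not con" search is usually after, so the filter is kept as a predicate on the record rather than on the state string ra prints, which the thread notes argus was mislabelling at the time.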