Argus daemon listening on tcp/561 dies after being probed by vulnerability scanner

Carter Bullard carter at qosient.com
Mon Jul 25 23:30:27 EDT 2011


Hey Kevin,
In ./argus/ArgusOutput.c, on line 1155, if you make this change, argus should report the situation, and keep on trucking, so to speak.
Give this a run, if you have the opportunity.

osiris:argus carter$ !diff
diff ArgusOutput.c.orig ArgusOutput.c.new
1155c1155
<                   ArgusLog (LOG_ERR, "ArgusInitOutput: write(): %s", strerror(errno));
---
>                   ArgusLog (LOG_ALERT, "ArgusInitOutput: write(): %s", strerror(errno));
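Review bot: the hunk changes only the priority passed to ArgusLog, so the daemon surviving depends on ArgusLog exiting the process for LOG_ERR but not for LOG_ALERT; that contract is implied by the covering note ("report the situation, and keep on trucking") but is not visible in the diff, so a one-line comment at the call site saying this write error must stay non-fatal would protect the fix from a later priority change. The failing call is a write() to a single client socket whose peer had already reset the connection (the quoted log shows "write(): Broken pipe" immediately followed by "stopped"), so besides logging, that client's socket should be closed and not written to again, otherwise the next flush hits the same EPIPE and logs it again. Since errno came back as EPIPE rather than the process dying on SIGPIPE, the socket write path already survives the signal; the only fatal step left was the LOG_ERR call.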

Carter

On Jul 25, 2011, at 2:35 PM, The Branches wrote:

> I've just started using radium and am really pleased with it so far. I can imagine no end of cool possibilities with a bunch of remote argi sprinkled about our enterprise at strategic locations...
> 
> One small problem I experienced was that our in-house Nessus scanner appears to topple the argus daemon when it probes tcp/561 on the argus host. Setting iptables to only allow incoming tcp/561 sessions from the radium host should solve it but I thought I'd mention the issue since I assume the intention is for argus to survive being poked at with out-of-spec data on its listening port.
> 
> We're using argus-3.0.5.4 on a 64-bit CentOS 5.6 host.
> 
> Here's the argus log when the scanner hit port 561
> 
> Jul 19 18:39:02 HOST argus[31039]: 19 Jul 11 18:39:02.173127 connect from ntsc_orl.domain.org
> Jul 19 18:39:02 HOST argus[31039]: 19 Jul 11 18:39:02.276146 ArgusCheckClientMessage: received GET / HTTP/1.0
> Jul 19 18:39:05 HOST argus[31039]: 19 Jul 11 18:39:05.970579 connect from ntsc_orl.domain.org
> Jul 19 18:39:06 HOST argus[31039]: 19 Jul 11 18:39:06.073590 ArgusCheckClientMessage: received HELP
> Jul 19 18:39:46 HOST argus[31039]: warning: can't get client address: Connection reset by peer
> Jul 19 18:39:46 HOST argus[31039]: 19 Jul 11 18:39:46.137132 connect from unknown
> Jul 19 18:39:46 HOST argus[31039]: 19 Jul 11 18:39:46.137336 ArgusInitOutput: write(): Broken pipe
> Jul 19 18:39:46 HOST argus[31039]: 19 Jul 11 18:39:46.285896 stopped
> 
> 
> My /etc/argus.conf
> ARGUS_INTERFACE=eth0/"abcd"
> ARGUS_CAPTURE_DATA_LEN=2048
> ARGUS_FILTER="tcp and port 25"
> ARGUS_ACCESS_PORT=561
> ARGUS_DAEMON=yes
> ARGUS_FLOW_STATUS_INTERVAL=30
> ARGUS_GO_PROMISCUOUS=no
> ARGUS_COLLECTOR=no
> 
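The failure mode the thread describes, as an added example in C that is not argus code and not from either correspondent: a client connects to the listening port, resets the connection, and the daemon's next write() to that socket fails with EPIPE. The defensive pattern is to ignore SIGPIPE once at startup, treat EPIPE/ECONNRESET as "this client is gone" (warning, close the socket, carry on), and reserve fatal handling for errors that are not about one client. A socketpair stands in for an accepted TCP socket, and the function and enum names are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Result of writing one record to one client (names are hypothetical,
   not argus's). Only DAEMON_FATAL is allowed to stop the process. */
enum write_outcome { CLIENT_OK = 0, CLIENT_GONE = 1, DAEMON_FATAL = 2 };

/* Ignore SIGPIPE so a write() to a reset connection returns -1/EPIPE
   instead of terminating the daemon. Safe to call more than once. */
static void output_init(void)
{
    signal(SIGPIPE, SIG_IGN);
}

/* Write len bytes to the client behind *fd. A peer that has gone away
   (EPIPE, ECONNRESET) is logged at warning level, its socket is closed and
   *fd set to -1 so nothing writes to it again; the daemon keeps running.
   Anything else is reported as an error for the caller to decide on. */
static enum write_outcome client_write(int *fd, const void *buf, size_t len)
{
    const char *p = buf;

    while (len > 0) {
        ssize_t n = write(*fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            if (errno == EPIPE || errno == ECONNRESET) {
                fprintf(stderr, "warning: client write(): %s, dropping client\n",
                        strerror(errno));
                close(*fd);
                *fd = -1;
                return CLIENT_GONE;
            }
            fprintf(stderr, "error: client write(): %s\n", strerror(errno));
            return DAEMON_FATAL;
        }
        p += n;
        len -= (size_t)n;
    }
    return CLIENT_OK;
}

/* Constructed scenario matching the quoted log: the probing client resets
   the connection before the daemon's first write. A socketpair stands in
   for an accepted TCP socket on port 561. Expected: CLIENT_GONE. */
static enum write_outcome demo_client_reset(void)
{
    int sv[2];
    int fd;
    enum write_outcome r;

    output_init();
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return DAEMON_FATAL;
    close(sv[1]);                 /* the peer goes away */
    fd = sv[0];
    r = client_write(&fd, "record", 6);
    if (fd >= 0)
        close(fd);
    return r;
}

/* Constructed scenario: a well-behaved client that reads what it is sent.
   Expected: CLIENT_OK, and the 6 bytes arrive at the peer. */
static enum write_outcome demo_client_ok(void)
{
    int sv[2];
    int fd;
    char buf[16];
    ssize_t n;
    enum write_outcome r;

    output_init();
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return DAEMON_FATAL;
    fd = sv[0];
    r = client_write(&fd, "record", 6);
    n = read(sv[1], buf, sizeof buf);
    close(sv[1]);
    if (fd >= 0)
        close(fd);
    return (r == CLIENT_OK && n == 6) ? CLIENT_OK : DAEMON_FATAL;
}

int main(void)
{
    printf("client reset -> %d (expect %d)\n", demo_client_reset(), CLIENT_GONE);
    printf("client ok    -> %d (expect %d)\n", demo_client_ok(), CLIENT_OK);
    return 0;
}
```

The split between CLIENT_GONE and DAEMON_FATAL is the point: a scanner, a stray HTTP GET, or a reset mid-handshake only ever produces the first, so the worst a remote peer can do to the listener is cost it one closed socket. The iptables restriction the reporter mentions is still worth having as defence in depth, but the daemon should not need it to stay up.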
