Corrupt flow record in argus data file locks up any ra- command

Carter Bullard carter at qosient.com
Wed Jun 8 15:01:00 EDT 2011


Hey Kevin,
On the road, so sorry I can't test this myself.  Does the argus-clients-3.0.5.12 ra() read the file?  If that doesn't work, I'll look at it tonight.

   http://qosient.com/argus/dev/argus-clients-latest.tar.gz

Carter

<branchbunch at gmail.com> wrote:

> Carter,
> 
> I'm running argus 3.0.4 and argus-clients 3.0.4.1 on several 64-bit CentOS 5.6 hosts at different sites, on each one inspecting multiple local sniffing interfaces.  On each sensor host, I store the local argus data to a native file system repository as hourly files for each sniffing interface.  Many times one of these hourly files appears to end up with a corrupt record, at which point any ra- command used against that file goes into an endless loop that eats up as much CPU time as it can get until I notice the system dragging and kill off the stuck ra- command.  The pair of argus commands I use for handling a single sniffing interface are like this:
> 
> argus -i dmz -F /opt/nids/sensor/etc/argus.conf -P 564
> rasplit -X -S 127.0.0.1:564 -M time 1h -w /argus/%m/%d/dmz-%H.arg -d
> 
> ...and my argus.conf looks like this
> 
> ARGUS_FLOW_TYPE="Bidirectional"
> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
> ARGUS_DAEMON=yes
> ARGUS_BIND_IP="127.0.0.1"
> ARGUS_GO_PROMISCUOUS=yes
> ARGUS_COLLECTOR=yes
> ARGUS_FLOW_STATUS_INTERVAL=300
> ARGUS_MAR_STATUS_INTERVAL=300
> ARGUS_DEBUG_LEVEL=0
> ARGUS_GENERATE_RESPONSE_TIME_DATA=no
> ARGUS_GENERATE_PACKET_SIZE=no
> ARGUS_GENERATE_JITTER_DATA=no
> ARGUS_GENERATE_MAC_DATA=yes
> ARGUS_GENERATE_APPBYTE_METRIC=no
> ARGUS_GENERATE_TCP_PERF_METRIC=no
> ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=no
> ARGUS_CAPTURE_DATA_LEN=0
> ARGUS_FILTER_OPTIMIZER=no
> ARGUS_SET_PID=yes
> ARGUS_PID_PATH="/var/run"
> 
> I can provide a sample argus data file that any ra, racount, or racluster instance will lock up on if you'd have a chance to look into what is behind the freezing up.
> 
> If you have any suggestion on a better way to collect and split out local argus data over hourly files, I'm all ears. For example, would introducing radium between argus and rasplit help or just make things more complicated?  If you have any diagnostic steps for me to try, I'm eager to get to the bottom of this issue.
> 
> Thanks in advance for your assistance,
> Kevin Branch
> 
> 


