Bug with filter "net 0.0.0.0/0" (0.0.0.0/0 = 0.0.0.0/32)
elof2 at sentor.se
Tue Mar 29 07:48:55 EDT 2011
I assume that net "0.0.0.0/0" will match *any* IP, but apparently using
this filter, ra will only match sessions containing IP 0.0.0.0.
Example:
ra -r argus.log - net 0.0.0.0/0
16:43:38.386874 M udp 0.0.0.0.8116 -> 1.2.3.0.8116 28 2205 INT
16:43:38.387029 M udp 0.0.0.0.8116 -> 7.7.7.0.8116 28 2205 INT
In the example above I expected to see ALL traffic in my argus.log file,
not only the one matching net 0.0.0.0/32.
I know that using the net 0.0.0.0/0 is kind of odd. I don't usually do
this, but stumbled onto the bug when modifying a very long filter string
at the bash prompt and wanted to keep a placeholder for a net filter while
temporarily matching all traffic.
Anyhow, in my world, 0.0.0.0/0 should match any IP.
(Ra Version 3.0.4.1)
/Elof
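
Added example, not part of the original post and not argus code: a minimal IPv4 prefix match in C in which a /0 prefix matches every address, checked against the addresses from the ra output above. The helper names prefix_to_mask and net_match are hypothetical; /0 is special-cased because shifting a 32-bit value by 32 is undefined in C, and the post does not say what causes ra's behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Netmask for a prefix length, in host byte order.
 * Returns 0 on success, -1 if the length is out of range.
 * /0 is handled explicitly: 0xffffffffu << 32 is undefined behaviour,
 * so the generic shift must never be reached with a count of 32. */
static int prefix_to_mask(int prefix_len, uint32_t *mask)
{
    if (prefix_len < 0 || prefix_len > 32)
        return -1;
    *mask = (prefix_len == 0) ? 0u : (0xffffffffu << (32 - prefix_len));
    return 0;
}

/* 1 if addr lies inside net/prefix_len, 0 if not, -1 on bad input. */
static int net_match(const char *addr, const char *net, int prefix_len)
{
    struct in_addr a, n;
    uint32_t mask;

    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return -1;
    if (prefix_to_mask(prefix_len, &mask) != 0)
        return -1;
    /* Compare only the bits covered by the mask; with mask 0 both sides
     * are 0, so every address matches. */
    return (ntohl(a.s_addr) & mask) == (ntohl(n.s_addr) & mask);
}

int main(void)
{
    /* Addresses taken from the ra output quoted in the post. */
    const char *addrs[] = { "0.0.0.0", "1.2.3.0", "7.7.7.0" };

    for (size_t i = 0; i < sizeof(addrs) / sizeof(addrs[0]); i++)
        printf("%-8s  net 0.0.0.0/0: %d  net 0.0.0.0/32: %d\n", addrs[i],
               net_match(addrs[i], "0.0.0.0", 0),
               net_match(addrs[i], "0.0.0.0", 32));
    return 0;
}
```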