Argus fails to start with ARGUS_INTERFACE=ind:all

Harry Hoffman hhoffman at ip-solutions.net
Mon May 23 11:55:39 EDT 2011


Hi Carter,

So, I did a little bit more troubleshooting and it appears to be a problem
with setting the uid/gid for dropping privs.

If argus runs as root all is ok (both with and without your patch below).
But if I create a user and group called argus (and set perms on the
directory properly) then argus won't start.

Also, argusbug is in both argus and argus-clients. This causes install
conflicts with rpm/yum. Think one of them can be renamed so that argus and
argus-clients can be installed on the same box without requiring a --force
to rpm install?

Cheers,
Harry



-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Monday, May 23, 2011 10:38 AM
To: Harry Hoffman
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Argus fails to start with ARGUS_INTERFACE=ind:all

Hey Harry,
We don't use socket(PF_INET,SOCK_PACKET) in argus, so not sure where this problem may be.
Now that I'm looking at the code, we use AF_INET for a socket call, which most OS's don't mind, but if centos is persnickety, try this patch:

thoth:argus carter$ p4 diff ...
==== //depot/argus/argus/argus/ArgusSource.c#86 -
/Users/carter/argus/argus/argus/ArgusSource.c ====
3666c3666
<       if ((ArgusGetInterfaceFD = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
---
>       if ((ArgusGetInterfaceFD = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
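
Review bot: The replacement line at 3666 still requests SOCK_DGRAM, so it is not the (PF_INET,SOCK_PACKET) call that the kernel message in the report names, and on Linux PF_INET and AF_INET have the same value, so this swap leaves the compiled call unchanged. To narrow the failure down, report strerror(errno) along with the interface name and the effective uid where this socket() call and the pcap_open_live() call fail, so the "Operation not permitted" line shows which call ran without the privilege it needed.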

To see if that doesn't help.  If not, we'll have to find out what call we're in when the error is generated to figure out if it's argus() or possibly, libpcap().

Carter


On May 23, 2011, at 10:19 AM, Harry Hoffman wrote:

> Hi,
> 
> I've downloaded the latest argus (3.0.5.3) and I'm trying to run with:
> ARGUS_INTERFACE=ind:all
> 
> And I'm getting the following error messages:
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.195237 started
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.214626 started
> May 23 10:02:20 usher kernel: argus uses obsolete (PF_INET,SOCK_PACKET)
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.229757 ArgusOpenInterface: pcap_open_live socket: Operation not permitted
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.237115 ArgusOpenInterface: pcap_open_live socket: Operation not permitted
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.242792 ArgusOpenInterface: pcap_open_live socket: Operation not permitted
> 
> 
> If I run with ARGUS_INTERFACE=any then argus starts up right away (and seems
> to use eth0).
> 
> I've got the following live interfaces:
> Eth0 (ethernet)
> Eth1 (ethernet)
> Lo (loopback)
> Sit1 (ipv6-ipv4)
> 
> I'm running centos-5.6 x86_64. I'm happy to provide any other information.
> 
> Cheers,
> Harry
> 
> 
> 




