Reading from named pipes with ra* clients?

Carter Bullard carter at qosient.com
Fri Jul 13 16:02:25 EDT 2012


Hey Matt,
OK, so without any modifications to the code, this is what I'm experiencing with named pipes
and the ra* set of programs.

This is the setup that I've been testing:
   # mkfifo /tmp/testPipe
   % ra -S localhost -w /tmp/testPipe

In another window
   % ra -r /tmp/testPipe

OK, here is what I've got so far:
   1) if the reader starts before the writer, the reader blocks on an fopen() on the named pipe.  No problem, but... this may cause some issues with idle timeouts, but too early to tell.
   2) if the writer starts before the reader, the reader prints out the initial mar record and seems to block.  Seems that there is no flushing from the writer, and no records will be read until the writer closes the pipe.
   3) when the writer exits, the reader reads the stream to EOF and terminates.

So, all in all, not too bad.  The killer of course is that there doesn't appear to be any flushing
of data from the writer into the named pipe (at least it seems that way).  I'll see if I can get this
to behave a little bit better.

Carter
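
The behaviour in points 1-3 above (reader blocks in open until a writer appears, nothing arrives until the writer flushes or closes, EOF when the writer exits), and the "ra -r fifo hangs" symptom Matt reports further down, can be reproduced with the small C program below. It is an added illustration, not argus code: the FIFO path under /tmp, the record format, and the function names (writer_child, records_before_timeout, run_scenario) are all invented for the demo. The writer pushes records through a stdio FILE* exactly as a "-w /tmp/testPipe" client would; since a FIFO is not a terminal, stdio fully buffers it, so without an explicit fflush() the reader sees nothing until fclose().

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define NRECORDS 5

/* Writer side, standing in for "ra -w /tmp/testPipe".  The record format is
 * invented for this demo.  With flush_each == 0 the records sit in the stdio
 * buffer until fclose(), which is the "no flushing" behaviour seen above. */
static void writer_child(const char *path, int flush_each, int hold_secs)
{
    FILE *out = fopen(path, "w");          /* blocks until a reader opens */
    if (out == NULL)
        _exit(1);
    for (int i = 0; i < NRECORDS; i++) {
        fprintf(out, "record-%02d\n", i);
        if (flush_each)
            fflush(out);                   /* hand the record to the pipe now */
    }
    sleep(hold_secs);                      /* a long-lived writer keeps the pipe open */
    fclose(out);                           /* unflushed data is written only here */
    _exit(0);
}

/* milliseconds elapsed since 'start' */
static long ms_since(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000L
         + (now.tv_nsec - start->tv_nsec) / 1000000L;
}

/* Reader side, standing in for "ra -r /tmp/testPipe".  Counts newline-terminated
 * records that arrive within wait_ms, then drains to EOF.  Returns the early
 * count, or -1 on error. */
static int records_before_timeout(const char *path, int wait_ms)
{
    int fd = open(path, O_RDONLY);         /* blocks until the writer opens (point 1) */
    if (fd < 0)
        return -1;
    struct timespec start;
    clock_gettime(CLOCK_MONOTONIC, &start);
    char buf[256];
    int count = 0, eof = 0;
    for (;;) {
        int remaining = wait_ms - (int)ms_since(&start);
        if (remaining <= 0)
            break;
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        if (poll(&pfd, 1, remaining) <= 0)
            break;                         /* timed out: nothing reached the pipe */
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) {                      /* writer closed: EOF (point 3) */
            eof = 1;
            break;
        }
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '\n')
                count++;
    }
    if (!eof)                              /* collect what fclose() finally pushes out */
        while (read(fd, buf, sizeof buf) > 0)
            ;
    close(fd);
    return count;
}

/* Create a private FIFO under /tmp, fork the writer, read as the parent.
 * Returns how many records the reader saw while the writer was still open. */
int run_scenario(int flush_each)
{
    char path[] = "/tmp/fifo-demo-XXXXXX";
    int tfd = mkstemp(path);               /* unique name; swap the file for a FIFO */
    if (tfd < 0)
        return -1;
    close(tfd);
    unlink(path);
    if (mkfifo(path, 0600) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        unlink(path);
        return -1;
    }
    if (pid == 0)
        writer_child(path, flush_each, 1);

    int seen = records_before_timeout(path, 400);
    waitpid(pid, NULL, 0);
    unlink(path);
    return seen;
}

int main(void)
{
    printf("writer fflush()es each record: %d of %d visible before close\n",
           run_scenario(1), NRECORDS);
    printf("writer relies on fclose():     %d of %d visible before close\n",
           run_scenario(0), NRECORDS);
    return 0;
}
```

The flushing run reports all records within the 400 ms window; the unflushed run reports none, and the reader only gets them once the writer's fclose() pushes the buffer out. The other half of the fix Carter mentions (a reader that waits for more input instead of exiting at EOF) amounts to reopening the FIFO after read() returns 0 rather than treating it as the end of the file.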


On Jul 13, 2012, at 2:49 PM, Matt Brown wrote:

> Thanks for your reply, Carter.
> 
> I'll take a look into using radium and look forward to the changes.
> 
> Thanks,
> 
> Matt
> 
> On Jul 13, 2012 1:51 PM, "Carter Bullard" <carter at qosient.com> wrote:
> Hey Matt,
> Two things.
>    1) you can use radium() to run your ralabel.conf labels, and provide that data through the standard ports that radium supports.  That is the official way to daemonize a ralabel() right now.
>    2) named pipes; we don't have any specific support in the file reading logic to understand that the file may be a pipe, and to sit and wait for input rather than exit on EOF
> 
> I think we do need to provide support for named pipes.  Let me see what we need to do, and I'll get back to you later next week.
> Until then, do try to use radium() to do your labels.  Turn the feature on using the documented RADIUM_CLASSIFIER_FILE
> in your radium.conf file.  
> 
> Hope this is useful !!!!!
> 
> Carter 
> 
> On Jul 12, 2012, at 12:34 PM, Matt Brown wrote:
> 
>> Hello,
>> 
>> I am attempting to use a named pipe/fifo to be an intermediary between ralabel and rasqlinsert.
>> 
>> I created the fifo with no extraneous stuff:
>> 
>> # stat /usr/local/argus/argfifo
>>   File: `/usr/local/argus/argfifo'
>>   Size: 0           Blocks: 0          IO Block: 4096   fifo
>> Device: fd00h/64768d   Inode: 16058584    Links: 1
>> Access: (0644/prw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
>> Access: 2012-07-12 11:50:47.000000000 -0400
>> Modify: 2012-07-12 11:50:47.000000000 -0400
>> Change: 2012-07-12 11:50:47.000000000 -0400
>> 
>> I start ralabel with:
>> 
>> /usr/local/bin/ralabel -f /etc/ralabel.conf -S localhost:561 -s stime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco dco -w /usr/local/argus/argfifo
>> 
>> By using cat I see that ralabel is successfully writing to the fifo.
>> 
>> I'd like to be able to use any ra* client to read from the fifo, but have been unsuccessful with ra and rasqlinsert:
>> 
>> strace ra -r /usr/local/argus/argfifo -m none -s stime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco dco &> ~/strace_ra.log
>> 
>> I have posted the strace output here: http://pastebin.com/ADvVdC3r
>> 
>> The goal is to be able to daemonize the ralabel process (maybe using daemonize http://software.clapper.org/daemonize/#introduction).
>> 
>> I'm now able to have ralabel pipe its binary stdout to rasqlinsert as a background job with:
>> 
>> su -c 'ralabel ... 2> /var/log/ralabel.log | rasqlinsert ... 2> /var/log/rasqlinsert.log &' root
>> 
>> I also do have PIDs being generated with the use of RA_SET_PID in /$HOME/.rarc
>> 
>> Is there a method to:
>> 
>> 1) daemonize ralabel so that it can pipe to other raclients?
>> 2) read from named pipes with ra* clients?
>> 
>> Thanks,
>> 
>> Matt
>> 
> 
