ArgusClientBug TCP Connection Direction Query
Nelson, Carl M.
cmn at leicester.ac.uk
Fri Sep 14 03:52:58 EDT 2012
>Description:
I think Argus ra sometimes reports the source of TCP connections incorrectly. I do not know if this is a limitation to be expected or a bug, so I will report it anyway.
>How-To-Repeat:
The example below seems to show that the BBC website has initiated a TCP connection to one of our systems on port 64401. The web server in fact seems to be responding with "200 OK" to a previous GET request. Our router ACLs do not permit such a connection.
cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 - host 143.210.138.129 and host 212.58.244.68
StartTime        Flgs Proto SrcAddr  Sport         Dir DstAddr  Dport         TotPkts TotBytes State  srcUdata
11:56:54.142532  e    tcp   143.210.138.129.64380  ->  212.58.244.68.80       86      122487   sSE    s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
11:57:06.832805  e    tcp   143.210.138.129.64380  ->  212.58.244.68.80       2       120      sSEfF
11:57:19.265802  e    tcp   143.210.138.129.64380  ->  212.58.244.68.80       1       60       sSEf*
11:57:25.721474  e    tcp   212.58.244.68.80       ->  143.210.138.129.64401  7       3152     SE     s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
11:57:36.262364  e    tcp   212.58.244.68.80       ->  143.210.138.129.64401  60      80226    SE     s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
11:57:48.854077  e    tcp   212.58.244.68.80       ->  143.210.138.129.64401  3       180      SEfFR
11:58:48.872353  e    tcp   212.58.244.68.80       <?> 143.210.138.129.64411  3       180      fR
>Fix: Unknown.
>Submitter-Id: Carl Nelson
>Originator: Carl Nelson
>Organization: University of Leicester IT Services Department.
>Argus support: none
>Release: argus-3.0.4 (note: I also downloaded 3.0.7.1 clients and the ra output was the same)
>Product: ra
>Synopsis: I think Argus ra sometimes reports the source of TCP connections incorrectly.
>Class: sw-bug
>Severity: non-critical
>Priority: low
>Environment: Debian squeeze
System: Linux zeus 2.6.32-5-xen-amd64 #1 SMP Sun May 6 08:57:29 UTC 2012 x86_64 GNU/Linux
Paths: /opt/argus/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
RA: Ra Version 3.0.6
GCC: Using built-in specs.
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.4.5-8' --with-bugurl=file:///usr/share/doc/gcc-4.4/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.4 --enable-shared --enable-multiarch --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.4 --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.4.5 (Debian 4.4.5-8)
LIBC:
lrwxrwxrwx 1 root root 14 Jun 6 16:33 /lib/libc.so.6 -> libc-2.11.3.so
-rwxr-xr-x 1 root root 1437064 Feb 12 2012 /lib/libc-2.11.3.so
-rw-r--r-- 1 root root 4439052 Feb 12 2012 /usr/lib/libc.a
-rw-r--r-- 1 root root 247 Feb 12 2012 /usr/lib/libc.so
--
Carl Nelson, Systems Architect (Network Security) IT Services,
Computer Centre, University Road, University of Leicester,
Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 229 7944; Email: cmn at le.ac.uk
Elite Without Being Elitist
Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
Follow us on Twitter http://twitter.com/uniofleicester
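One thing worth checking in the records above: the three records for port 64401 and the one for 64411 have no lowercase "s" in the State column, while every record for port 64380 does. If "s" marks that the sensor saw the client SYN (my reading of the ra state letters, stated here as an assumption), then Argus never saw the start of the 64401 connection and assigned the direction from the first packet it did see, which was the server's "200 OK". The script below is an added example, not part of this report or of the argus code. It parses whitespace-collapsed ra output in the column layout shown above (StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State [srcUdata]) and flags records whose orientation looks inverted, giving the reason for each; the column layout, the state-letter meaning, and the sample input (the seven records from the report, embedded verbatim) are all assumptions of the example.

```python
"""
Flag Argus ra TCP flow records whose reported src/dst direction looks inverted.

Added example, not from the original report or from the argus project.
Assumptions (also stated in comments below):
  - ra output is whitespace-separated in the column order
    StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State [srcUdata]
  - in the State column a lowercase 's' means the sensor saw the client SYN
"""
import re
from dataclasses import dataclass

# Constructed sample input: the seven records from the report, whitespace-collapsed.
SAMPLE_RA_OUTPUT = """\
11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
11:57:19.265802 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 1 60 sSEf*
11:57:25.721474 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 7 3152 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
11:57:36.262364 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 60 80226 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
11:57:48.854077 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 3 180 SEfFR
11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
"""


@dataclass
class Flow:
    start: str
    proto: str
    saddr: str
    sport: int
    direction: str
    daddr: str
    dport: int
    pkts: int
    nbytes: int
    state: str
    suser: str  # srcUdata payload sample with the "s[N]=" prefix removed, '' if absent


_UDATA = re.compile(r"^s\[\d+\]=(.*)$", re.S)


def split_endpoint(token):
    """'143.210.138.129.64380' -> ('143.210.138.129', 64380); ra joins addr and port with a dot."""
    addr, port = token.rsplit(".", 1)
    return addr, int(port)


def parse_ra_line(line):
    # Nine fixed columns; anything after them is the srcUdata sample (assumed layout).
    parts = line.rstrip("\n").split(None, 9)
    if len(parts) < 9 or parts[2] != "tcp":
        return None  # only TCP records are of interest here
    saddr, sport = split_endpoint(parts[3])
    daddr, dport = split_endpoint(parts[5])
    suser = ""
    if len(parts) == 10:
        m = _UDATA.match(parts[9])
        suser = m.group(1) if m else parts[9]
    return Flow(parts[0], parts[2], saddr, sport, parts[4], daddr, dport,
                int(parts[6]), int(parts[7]), parts[8], suser)


def parse_ra_output(text):
    return [f for f in (parse_ra_line(l) for l in text.splitlines()) if f]


def direction_suspect(flow):
    """Reasons this record's src/dst may be swapped; an empty list means it looks normal."""
    reasons = []
    saw_syn = "s" in flow.state  # assumption: lowercase 's' = client SYN seen by the sensor
    if flow.direction == "<?>":
        reasons.append("ra could not determine direction")
    if not saw_syn:
        reasons.append("no SYN in state, direction taken from first packet seen")
    if flow.sport < 1024 and flow.dport >= 1024:
        reasons.append("src is a service port, dst is ephemeral")
    if flow.suser.startswith("HTTP/1."):
        reasons.append("src payload is an HTTP response, not a request")
    return reasons


def suggested_orientation(flow):
    """(client, server) endpoints, taking the ephemeral-port side as the client."""
    src, dst = (flow.saddr, flow.sport), (flow.daddr, flow.dport)
    return (dst, src) if flow.sport < flow.dport else (src, dst)


def report(text):
    """List of (start, src, dst, reasons) for every suspect record in the ra output."""
    out = []
    for f in parse_ra_output(text):
        reasons = direction_suspect(f)
        if reasons:
            out.append((f.start, f"{f.saddr}.{f.sport}", f"{f.daddr}.{f.dport}", reasons))
    return out


if __name__ == "__main__":
    for start, src, dst, reasons in report(SAMPLE_RA_OUTPUT):
        print(f"{start} {src} -> {dst}: " + "; ".join(reasons))
```

Run against the sample, the 64380 records produce nothing, while all four records for 64401 and 64411 are flagged, the first two on all three counts (no SYN seen, service port on the src side, HTTP response as the src payload). Against a real capture, feed it `ra -n -s +suser:80 ...` output and treat the "no SYN in state" reason as the one that distinguishes a sensor that missed the connection start (asymmetric path, capture started mid-flow, drops) from a genuine inbound connection, which would carry the SYN.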