ArgusClientBug TCP Connection Direction Query
Carter Bullard
carter at qosient.com
Fri Sep 14 15:22:59 EDT 2012
Hey Carl,
Yes, this is a bug that we've been working on the list, driven mostly by the persistence of Rafael Barbosa.
This is not an argus problem, but a ra* problem, and we're getting close to having most of these
non-conformant protocol flows corrected. Your flow doesn't have the SYN, only a SYN_ACK ( S ),
which normally should be reversed, but the bug isn't reversing the direction in your case.
All of the flows should be corrected for direction, when the bug is obliterated, except
the last flow report you have, which has the " ? " in the direction. It should be corrected
when you do any form of aggregation, however.
Have you tried the version of argus-clients-3.0.7.2 that I sent to the list on Sept 12th?
Subject "Re: [ARGUS] Problems with racluster". This should solve your bug, but if not,
please send more email to the list.
If you can't find that version in the archive, send me email directly and I'll forward a copy
of the version we're using to test these specific bug fixes.
Thanks !!!!!!
Carter
On Sep 14, 2012, at 3:52 AM, "Nelson, Carl M." <cmn at leicester.ac.uk> wrote:
> >Description:
> I think Argus ra sometimes reports the source of TCP connections incorrectly. I do not know if this is a limitation to be expected or a bug so I will report it anyway.
>
> >How-To-Repeat:
>
> The example below seems to show that the BBC website has initiated a TCP connection to one of our systems on port 64401. The web server in fact seems to be responding with “200 OK” to a previous GET request. Our router ACLs do not permit such a connection.
>
> cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 - host 143.210.138.129 and host 212.58.244.68
>
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State srcUdata
> 11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
> 11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
> 11:57:19.265802 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 1 60 sSEf*
> 11:57:25.721474 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 7 3152 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
> 11:57:36.262364 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 60 80226 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
> 11:57:48.854077 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 3 180 SEfFR
> 11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
>
> >Fix: Unknown.
>
> >Submitter-Id: Carl Nelson
> >Originator: Carl Nelson
> >Organization: University of Leicester IT Services Department.
> >Argus support: none
> >Release: argus-3.0.4 (note: I also downloaded 3.0.7.1 clients and the ra output was the same)
> >Product: ra
> >Synopsis: I think Argus ra sometimes reports the source of TCP connections incorrectly.
> >Class: sw-bug
> >Severity: non-critical
> >Priority: low
>
> >Environment: Debian squeeze
>
> System: Linux zeus 2.6.32-5-xen-amd64 #1 SMP Sun May 6 08:57:29 UTC 2012 x86_64 GNU/Linux
> Paths: /opt/argus/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
>
> RA: Ra Version 3.0.6
>
> GCC: Using built-in specs.
> Target: x86_64-linux-gnu
> Configured with: ../src/configure -v --with-pkgversion='Debian 4.4.5-8' --with-bugurl=file:///usr/share/doc/gcc-4.4/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.4 --enable-shared --enable-multiarch --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.4 --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
> Thread model: posix
> gcc version 4.4.5 (Debian 4.4.5-8)
>
> LIBC:
> lrwxrwxrwx 1 root root 14 Jun 6 16:33 /lib/libc.so.6 -> libc-2.11.3.so
> -rwxr-xr-x 1 root root 1437064 Feb 12 2012 /lib/libc-2.11.3.so
> -rw-r--r-- 1 root root 4439052 Feb 12 2012 /usr/lib/libc.a
> -rw-r--r-- 1 root root 247 Feb 12 2012 /usr/lib/libc.so
>
> --
> Carl Nelson, Systems Architect (Network Security) IT Services,
> Computer Centre, University Road, University of Leicester,
> Leicester, LE1 7RH, U.K.
> Tel: +44 (0)116 229 7944; Email: cmn at le.ac.uk
>
> Elite Without Being Elitist
> Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
> Follow us on Twitter http://twitter.com/uniofleicester
>
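An added example (not argus or ra code) of the direction check Carter describes: it parses the ra rows quoted in the report and marks a TCP flow for reversal when its State has a SYN_ACK ('S') but no SYN ('s'), and leaves a '<?>' flow undetermined, to be settled by aggregation. Column order and the 's'/'S' meanings are taken from the thread; the sample rows are trimmed copies of the report's output.

```python
"""Post-process Argus ra(1) text output: flag TCP flows whose recorded direction
contradicts the handshake flags in the State column (check assumed, not ra's own)."""

# Sample rows, constructed by trimming the ra output quoted in the bug report.
SAMPLE_RA_OUTPUT = """\
11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application
11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
11:57:25.721474 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 7 3152 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT
11:57:48.854077 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 3 180 SEfFR
11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
"""


def split_endpoint(ep):
    """'143.210.138.129.64380' -> ('143.210.138.129', 64380); IPv4 only, as in the report."""
    addr, port = ep.rsplit(".", 1)
    return addr, int(port)


def parse_ra_line(line):
    """Columns as printed in the report: StartTime Flgs Proto SrcAddr Dir DstAddr
    TotPkts TotBytes State [srcUdata]. srcUdata may contain spaces, so split 9 times."""
    f = line.split(None, 9)
    if len(f) < 9:
        return None
    return {"start": f[0], "flgs": f[1], "proto": f[2], "src": split_endpoint(f[3]),
            "dir": f[4], "dst": split_endpoint(f[5]), "pkts": int(f[6]),
            "bytes": int(f[7]), "state": f[8], "udata": f[9] if len(f) > 9 else ""}


def check_direction(rec):
    """Return 'ok', 'reverse' or 'undetermined' for one flow record.
    Per the thread: 's' in State = SYN seen, 'S' = SYN_ACK seen. A SYN_ACK without a
    SYN means the responder was recorded as SrcAddr, so the flow should be reversed.
    A '<?>' direction, or no handshake flags at all, cannot be decided from one record."""
    if rec["proto"] != "tcp":
        return "ok"
    if rec["dir"] == "<?>" or not ("s" in rec["state"] or "S" in rec["state"]):
        return "undetermined"
    if "S" in rec["state"] and "s" not in rec["state"]:
        return "reverse"
    return "ok"


def audit(text):
    """Parse ra output; return (verdict, initiator, responder) per flow, endpoints corrected."""
    out = []
    for line in text.splitlines():
        rec = parse_ra_line(line)
        if rec is None:
            continue
        v = check_direction(rec)
        src, dst = (rec["dst"], rec["src"]) if v == "reverse" else (rec["src"], rec["dst"])
        out.append((v, src, dst))
    return out
```

Run over the report's rows, the two "SE" flows from the BBC server come back with the Leicester host as initiator, matching what the 200 OK payload implies; the trailing "fR" flow stays undetermined.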