Couple things...

Carter Bullard carter at qosient.com
Fri Aug 2 11:36:41 EDT 2013 

Hey Craig,
Was in Calif all last week, and just now catching up.

I really think the argus crashing issue is fixed.  At least
it works with all data that has been uploaded.  But if you have
packet data that is blowing argus up, can you send ???

There is a possibility that you may not have the most recent
version of argus-3.0.7.4.  I sometimes put up new software
without changing the number, like if I make a mistake and
put up the wrong version.  So, there could be a race condition.
Check the md5 or date times, or just grab again, if there is
any doubt.

You have to turn on keystroke detection, so, don't comment out
the ARGUS_KEYSTROKE="yes" line.  The CONF line you can comment
out.

To troubleshoot the keystroke algorithm, with argus running, but
not as a daemon, you can send a USR1 signal to it,

   # kill -USR1 argus.pid

and it will print out stats that include the keystroke algorithm
configuration, if its turned on. When you send a USR1 signal to
argus, you increment the Debug flag setting for all of argus, and
so you should start getting debug messages, if the debug facility
is compiled in. Send another USR1 and you'll increase the debug
information.  Most of the per packet keystroke debugging is at
debug level 5. 

Send a USR2 signal to argus ( # kill -USR2 argus.pid ) to turn
debug reporting off.

Carter


On Aug 1, 2013, at 7:02 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> Hey, Carter…
>  
> I just wanted to check in and see if you anything else from me on the labeling issue or argus crashing when trying to convert a pcap file.  Let me know…
>  
> I’m also having some issues with keystroke detection with the latest release.  The following command used to work in my testing:
>  
> /usr/local/bin/ra -S 10.10.10.10:561 -n -u -c "," -s "+0dnstroke,+1snstroke" - host 10.1.1.1 and host 10.1.1.2
>  
> I tried both a normal and reverse SSH session between the two hosts and neither one registered keyboard strokes of varying speeds and intensity.
>  
> All I’ve done is commented out the defaults in argus.conf:
>  
> ARGUS_KEYSTROKE="yes"
> ARGUS_KEYSTROKE_CONF="GPC_MAX=4"
>  
> I performed pretty much the same testing a couple months ago and got plenty of flows where keystrokes were detected.  Please let me know what you’d recommend for troubleshooting that.
>  
> Thanks.
> 
> Craig

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130802/b750986c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130802/b750986c/attachment.bin>

More information about the argus mailing list