new argus-clients-3.0.7.14 on the server

el draco eldraco at gmail.com
Tue Aug 20 18:31:40 EDT 2013


Hi Carter and list.

I just tried the new argus racluster 3.0.7.14 with my large dataset
and I got the segfault again.

racluster -f racluster.conf.segfault -r argus.file.test
Segmentation fault

Sorry for not sending the argus.file.test to the list, I'm only
sending it to Carter so he can debug the error.
I'm not sending an anonymized version (with ranonymize) because the
segfault does NOT occur if I ranonymize the dataset.

Again it seems to depend on the number of flows read along with the
size of the filter and size of the label.

If you need more tests just tell me.

Thanks a lot!
sebas

On Tue, Aug 20, 2013 at 9:54 PM, el draco <eldraco at gmail.com> wrote:
> It worked perfectly! Thanks a lot for that.
> It is nice to see my labels back again!
> cheers
> sebas
>
> On Tue, Aug 20, 2013 at 9:50 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Sebas,
>> Here is a patch for your segmentation fault bug, if
>> you're comfortable making the changes yourself.
>>
>>
>> thoth:common carter$ p4 diff argus_label.c
>> ==== //depot/argus/clients/common/argus_label.c#51 - /Volumes/Users/carter/argus/clients/common/argus_label.c ====
>> 1011a1012
>>>             str = strbuf;
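Review bot: the single added line at 1012, `str = strbuf;`, is shown in normal diff format with no surrounding context. From this hunk it cannot be checked which code path left `str` pointing somewhere other than `strbuf`, or whether later writes through `str` are bounded by the size of `strbuf`. A unified diff with context and a one-line comment on why `str` is reset at this point would make the fix reviewable. The bounds question is worth settling, because the newest message in this thread still reports a segfault in racluster that appears to depend on the size of the filter and of the label.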
>>
>> If not, I've also included a new argus_label.c, so replace your ./common/argus_label.c with this one,
>> and recompile.  All should work well.
>>
>> I'll have a new client package up in a few days.
>>
>> Carter
>>
>>
>>
>> On Aug 20, 2013, at 3:21 PM, el draco <eldraco at gmail.com> wrote:
>>
>>> Hi Carter. ralabel still has the segfault
>>>
>>> RaLabeler Version 3.0.7.14
>>>
>>> ./bin/ralabel -f ralabel.segfault.conf
>>> Segmentation fault
>>>
>>> Thanks for the great job you are doing!
>>> Tell me if you need more tests.
>>> sebas
>>>
>>>
>>> On Tue, Aug 20, 2013 at 4:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> Gentle people,
>>>> New client code up on the server.  This release fixes all
>>>> known bugs that have been reported on the list, as well as
>>>> having major modifications to rapath().
>>>>
>>>> New code has been added as guards around the reported
>>>> label problems, but I am not sure that it has fixed
>>>> the problem.  If we could test that, that would be great !!!
>>>>
>>>> We've made some big changes to rapath().  rapath() extracts
>>>> topology information from argus data.  Basically it takes all
>>>> data that has ICMP TXD messages mapped to it, and tabulates path
>>>> information where it can.  This has the effect of capturing all
>>>> traceroutes() that are observed by argus, regardless of the
>>>> technique: UDP, TCP or ICMP based, whether it's vanilla or Paris method,
>>>> or several of the proprietary strategies seen in intrusions.
>>>>
>>>> We've changed the default output of the graph that rapath.1
>>>> generates (using the -A option) to include the srcid, saddr
>>>> and daddr, so that you can build topology from just the
>>>> graphs.  I'll add the stime and duration as well, but need
>>>> to figure out some command line options to control all these
>>>> new fields.  Also rapath() is going to get a realtime mode;
>>>> currently, it's a "read a file, generate some output" type of
>>>> tool.
>>>>
>>>> Please grab this code and give it a run.  I'm hoping to
>>>> release 3.0.7.x as 3.0.8 in the next month, so if there are
>>>> any gotchas, don't hold back.
>>>>
>>>> Carter
>>>>
>>> <ralabel.segfault.conf><test-flowfilter.conf>
>>
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: racluster.conf.segfault
Type: application/octet-stream
Size: 122 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130821/c9ca4530/attachment.obj>

