new argus-clients-3.0.7.14 on the server

el draco eldraco at gmail.com
Wed Aug 21 06:48:59 EDT 2013


Hi all

Carter, for the racluster segfault that you asked me for information about:

Linux 3.10-1-686-pae #1 SMP Debian 3.10.3-1 (2013-07-27) i686 GNU/Linux
It is a 64-bit computer, but I'm using it with a 32-bit version of Debian unstable.

gcc    4:4.8.1-3
g++   4:4.8.1-3

What else could I try?

thanks!
sebas



On Wed, Aug 21, 2013 at 12:43 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Sebas,
> The configuration file does not cause a fault against your
> flow sample file on my machines.  What kind of machine
> are you having problems on ?
>
> Carter
>
>
>
> On Aug 20, 2013, at 6:31 PM, el draco <eldraco at gmail.com> wrote:
>
>> Hi Carter and list.
>>
>> I just tried the new argus racluster 3.0.7.14 with my large dataset
>> and I got the segfault again.
>>
>> racluster -f racluster.conf.segfault -r argus.file.test
>> Segmentation fault
>>
>> Sorry for not sending the argus.file.test to the list, I'm only
>> sending it to Carter so he can debug the error.
>> I'm not sending an anonymized version (with ranonymize) because the
>> segfault does NOT occur if I ranonymize the dataset.
>>
>> Again it seems to depend on the number of flows read along with the
>> size of the filter and size of the label.
>>
>> If you need more tests just tell me.
>>
>> Thanks a lot!
>> sebas
>>
>> On Tue, Aug 20, 2013 at 9:54 PM, el draco <eldraco at gmail.com> wrote:
>>> It worked perfectly! Thanks a lot for that.
>>> It is nice to see my labels back again!
>>> cheers
>>> sebas
>>>
>>> On Tue, Aug 20, 2013 at 9:50 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> Hey Sebas,
>>>> Here is a patch for your segmentation fault bug, if
>>>> you're comfortable making the changes yourself.
>>>>
>>>>
>>>> thoth:common carter$ p4 diff argus_label.c
>>>> ==== //depot/argus/clients/common/argus_label.c#51 - /Volumes/Users/carter/argus/clients/common/argus_label.c ====
>>>> 1011a1012
>>>>>            str = strbuf;
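Review bot: the added `str = strbuf;` at line 1012 carries no comment and the diff has no surrounding context (plain `1011a1012` output), so a reader cannot tell which code path left `str` pointing somewhere else or what limits the data written through it into `strbuf`. Posting this as a unified diff with a few context lines, and adding a one-line comment on the assignment saying why the pointer is reset there, would make the fix reviewable. It would also help to state how `strbuf` is sized relative to the longest label, since the reports in this thread say the crash seems to depend on label and filter size.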
>>>>
>>>> If not, I've also included a new argus_label.c, so replace your ./common/argus_label.c with this one,
>>>> and recompile.  All should work well.
>>>>
>>>> I'll have a new client package up in a few days.
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>> On Aug 20, 2013, at 3:21 PM, el draco <eldraco at gmail.com> wrote:
>>>>
>>>>> Hi Carter. ralabel still has the segfault
>>>>>
>>>>> RaLabeler Version 3.0.7.14
>>>>>
>>>>> ./bin/ralabel -f ralabel.segfault.conf
>>>>> Segmentation fault
>>>>>
>>>>> Thanks for the great job you are doing!
>>>>> Tell me if you need more tests.
>>>>> sebas
>>>>>
>>>>>
>>>>> On Tue, Aug 20, 2013 at 4:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>> Gentle people,
>>>>>> New client code up on the server.  This release fixes all
>>>>>> known bugs that have been reported on the list, as well as
>>>>>> having major modifications to rapath().
>>>>>>
>>>>>> New code has been added as guards around the reported
>>>>>> label problems, but I am not sure that it has fixed
>>>>>> the problem.  If we could test that, that would be great !!!
>>>>>>
>>>>>> We've made some big changes to rapath().  rapath() extracts
>>>>>> topology information from argus data.  Basically it takes all
>>>>>> data that has ICMP TXD messages mapped to it, and tabulates path
>>>>>> information where it can.  This has the effect of capturing all
>>>>>> traceroutes() that are observed by argus, regardless of the
>>>>>> technique: UDP, TCP or ICMP based, whether it's the vanilla or Paris method,
>>>>>> or several of the proprietary strategies seen in intrusions.
>>>>>>
>>>>>> We've changed the default output of the graph that rapath.1
>>>>>> generates (using the -A option) to include the srcid, saddr
>>>>>> and daddr, so that you can build topology from just the
>>>>>> graphs.  I'll add the stime and duration as well, but need
>>>>>> to figure out some command line options to control all these
>>>>>> new fields.  Also rapath() is going to get a realtime mode,
>>>>>> currently, it's a "read a file, generate some output" type of
>>>>>> tool.
>>>>>>
>>>>>> Please grab this code and give it a run.  I'm hoping to
>>>>>> release 3.0.7.x as 3.0.8 in the next month, so if there are
>>>>>> any gotchas, don't hold back.
>>>>>>
>>>>>> Carter
>>>>>>
>>>>> <ralabel.segfault.conf><test-flowfilter.conf>
>>>>
>>>>
>> <racluster.conf.segfault>
>


