Bug with malformed host in filter

elof2 at sentor.se elof2 at sentor.se
Mon Feb 25 10:47:39 EST 2013


I'm using the official Argus port on a FreeBSD 9.1 amd64 machine.

Hehe, no, I have no host called "10". :)
...and speaking of resolving, I have no /etc/resolv.conf at all.

Unfortunately I currently have no time to compile and test 
argus-clients-3.0.7.5. :-/

/Elof

On Mon, 25 Feb 2013, Carter Bullard wrote:

> Hmmmm,
> That is interesting.  I'm not getting the same types of errors on Mac OS X.  Are you
> using CentOS by any chance (just a guess).  The filter should fail all the time.
> We figure out if " 10 ", which the filter thinks is either a digit or a string, is a good
> address by calling gethostbyname().  Any chance you have a host named " 10 "
> out there?
>
> Does argus-clients-3.0.7.5 do a better job ?
> Carter
>
>
> On Feb 25, 2013, at 9:02 AM, elof2 at sentor.se wrote:
>
>>
>> Hi Carter!
>>
>> I stumbled onto a bug when accidentally executing a ra command with an incomplete IP address.
>> Strangely enough, the error-detection makes different decisions depending on its place in the filter string.
>>
>> Example:
>>
>> #ra -Zb -nr argus.log - host 10.10.10.10 and host 10
>>
>> pid 1907 (ra), uid 0: exited on signal 11 (core dumped)
>> host 10.10.10.10 and host 10 filter syntax error
>>
>>
>>
>> The filter "tcp and host 10" and other elements before "host 10" also fail.
>>
>> However, a filter of just "host 10" by itself does not fail, nor does "host 10 and host 10.10.10.10"
>>
>>
>> (ra version 3.0.6.2)
>>
>> /Elof
>>
>
>
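
An added example, not code from Argus or from either poster: it shows why an operand such as `10` is ambiguous for a filter parser, using the standard `inet_pton()` (strict dotted quad) and `inet_addr()` (classic shorthand, where a bare number is a 32-bit address). The names `classify_host`, `legacy_value` and the sample operand `sensor01` are assumptions made for this illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

enum host_kind { HOST_DOTTED_QUAD, HOST_LEGACY_NUMERIC, HOST_NAME };

/* Host-order value the classic parser assigns to s; *ok is 0 on failure.
 * inet_addr() reports failure as INADDR_NONE, so all-ones shorthand such
 * as "4294967295" is treated as unparsable here. */
unsigned long legacy_value(const char *s, int *ok)
{
    in_addr_t a = inet_addr(s);
    *ok = (a != (in_addr_t)INADDR_NONE);
    return *ok ? (unsigned long)ntohl(a) : 0UL;
}

/* Classify the operand of a "host" primitive without calling the resolver. */
enum host_kind classify_host(const char *s)
{
    struct in_addr strict;
    int ok;

    if (inet_pton(AF_INET, s, &strict) == 1)
        return HOST_DOTTED_QUAD;      /* exactly four decimal octets */
    (void)legacy_value(s, &ok);
    if (ok)
        return HOST_LEGACY_NUMERIC;   /* "10", "10.10", "0x0a" ... */
    return HOST_NAME;                 /* would need a name lookup */
}

int main(void)
{
    /* Constructed sample operands, including the two from the report. */
    const char *samples[] = { "10.10.10.10", "10", "10.10", "sensor01" };
    const char *label[] = { "dotted quad", "legacy numeric", "name" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok;
        unsigned long v = legacy_value(samples[i], &ok);
        printf("%-12s %-15s", samples[i], label[classify_host(samples[i])]);
        if (ok)
            printf(" -> %lu.%lu.%lu.%lu", (v >> 24) & 255, (v >> 16) & 255,
                   (v >> 8) & 255, v & 255);
        putchar('\n');
    }
    return 0;
}
```

A parser that wants `host 10` rejected consistently can accept only the `HOST_DOTTED_QUAD` case as an address and report the other two as errors or as names, before any resolver call is made.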