Bug with malformed host in filter

Carter Bullard carter at qosient.com
Mon Feb 25 11:04:14 EST 2013


No problems.  I'll look around to see what is up.  I've got a
FreeBSD VM I can test on, will try to fire that up today.
The fault concerns me, so I'll try to recreate that first.

Do try to work with the latest at some point to see if we've
fixed the problem.

Carter

On Feb 25, 2013, at 10:47 AM, elof2 at sentor.se wrote:

> 
> I'm using the official Argus port on a FreeBSD 9.1 amd64 machine.
> 
> Hehe, no, I have no host called "10". :)
> ...and speaking of resolving, I have no /etc/resolv.conf at all.
> 
> Unfortunately I currently have no time to compile and test argus-clients-3.0.7.5. :-/
> 
> /Elof
> 
> On Mon, 25 Feb 2013, Carter Bullard wrote:
> 
>> Hmmmm,
>> That is interesting.  I'm not getting the same types of errors on Mac OS X.  Are you
>> using CentOS by any chance (just a guess)?  The filter should fail all the time.
>> We figure out if " 10 ", which the filter thinks is either a digit or a string, is a good
>> address by calling gethostbyname().  Any chance you have a host named " 10 "
>> out there?
>> 
>> Does argus-clients-3.0.7.5 do a better job ?
>> Carter
>> 
>> 
>> On Feb 25, 2013, at 9:02 AM, elof2 at sentor.se wrote:
>> 
>>> 
>>> Hi Carter!
>>> 
>>> I stumbled on to a bug when accidentally executing a ra command with an incomplete IP address.
>>> Strangely enough, the error detection makes different decisions depending on its place in the filter string.
>>> 
>>> Example:
>>> 
>>> #ra -Zb -nr argus.log - host 10.10.10.10 and host 10
>>> 
>>> pid 1907 (ra), uid 0: exited on signal 11 (core dumped)
>>> host 10.10.10.10 and host 10 filter syntax error
>>> 
>>> 
>>> 
>>> The filter "tcp and host 10" and other elements before "host 10" also fail.
>>> 
>>> However, a filter of just "host 10" by itself does not fail, nor does "host 10 and host 10.10.10.10"
>>> 
>>> 
>>> (ra version 3.0.6.2)
>>> 
>>> /Elof
>>> 
>> 
>> 
> 

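The thread notes that an operand such as "10" is checked by calling gethostbyname(). The following is an added example, not Argus code and not part of any message above, showing one way to classify a "host" operand before any resolver call. The names `classify_host_token` and `host_kind` are hypothetical, and rejecting digits-and-dots operands that are not a full address is an assumed policy.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
enum host_kind { HOST_INVALID, HOST_IPV4, HOST_IPV6, HOST_NAME };

/* Hypothetical helper (not an Argus function): classify the operand of a
 * "host" filter primitive before any resolver call is made. */
enum host_kind classify_host_token(const char *tok)
{
    unsigned char buf[sizeof(struct in6_addr)];
    size_t len, i, label = 0;
    int numeric_only = 1;
    if (tok == NULL || (len = strlen(tok)) == 0 || len > 253)
        return HOST_INVALID;
    /* inet_pton() accepts only a complete dotted quad; unlike inet_aton()
     * it does not read "10" as shorthand for 0.0.0.10. */
    if (inet_pton(AF_INET, tok, buf) == 1)
        return HOST_IPV4;
    if (inet_pton(AF_INET6, tok, buf) == 1)
        return HOST_IPV6;
    /* Hostname syntax: labels of 1..63 alnum or '-', not edged by '-'. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tok[i];
        if (c == '.') {
            if (label == 0 || tok[i - 1] == '-')
                return HOST_INVALID;
            label = 0;
        } else if ((!isalnum(c) && c != '-') || (c == '-' && label == 0)
                   || ++label > 63) {
            return HOST_INVALID;
        } else if (!isdigit(c)) {
            numeric_only = 0;
        }
    }
    if (label == 0 || tok[len - 1] == '-')
        return HOST_INVALID;
    /* Assumed policy: digits and dots that do not form a full address are
     * treated as a typo and rejected, never handed to the resolver. */
    return numeric_only ? HOST_INVALID : HOST_NAME;
}

int main(void)
{
    /* Constructed sample operands. */
    const char *s[] = { "10.10.10.10", "10", "::1", "sensor1.example.net" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s -> %d\n", s[i], classify_host_token(s[i]));
    return 0;
}
```

Only a `HOST_NAME` result would go on to a name lookup, and the caller still has to handle a lookup that returns nothing.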