Bug with malformed host in filter

elof2 at sentor.se elof2 at sentor.se
Mon Feb 25 11:51:04 EST 2013 

Sounds good. You're swift in response and action as always. :-)

Yes, I manually compile and use the latest version of argus and other 
apps when they have an important bugfix or new feature, but usually I try 
to stick with the normal FreeBSD ports, since this makes managing hundreds 
of boxes much easier.

Perhaps Paul S will deploy an update of the FreeBSD port soon, getting 
argus-clients closer to 3.0.7.5.



On your FreeBSD VM, run: portsnap fetch update

Remove any currently installed argus/ra binaries.

cd /usr/ports/net-mgmt/argus3-clients
make
make install

That should give you Ra Version 3.0.6.2 to play around with.

/Elof


On Mon, 25 Feb 2013, Carter Bullard wrote:

> No problems.  I'll look around to see what is up.  I've got a
> FreeBSD VM I can test on, will try to fire that up today.
> The fault concerns me, so I'll try to recreate that first.
>
> Do try to work with the latest at some point to see if we've
> fixed the problem.
>
> Carter
>
> On Feb 25, 2013, at 10:47 AM, elof2 at sentor.se wrote:
>
>>
>> I'm using the official Argus port on a FreeBSD 9.1 amd64 machine.
>>
>> Hehe, no, I have no host called "10". :)
>> ...and speaking of resolving, I have no /etc/resolv.conf at all.
>>
>> Unfortunetly I currently have no time to compile and test argus-clients-3.0.7.5. :-/
>>
>> /Elof
>>
>> On Mon, 25 Feb 2013, Carter Bullard wrote:
>>
>>> Hmmmm,
>>> That is interesting.  I'm not getting the same types of errors on Mac OS X.  Are you
>>> using Centos by any chance (just a guess).  The filter should fail all the time.
>>> We figure out if " 10 ", which the filter things is either a digit or a string, is a good
>>> address by calling gethostbyname().  Any chance you have a host named " 10 "
>>> outthere?
>>>
>>> Does argus-clients-3.0.7.5 do a better job ?
>>> Carter
>>>
>>>
>>> On Feb 25, 2013, at 9:02 AM, elof2 at sentor.se wrote:
>>>
>>>>
>>>> Hi Carter!
>>>>
>>>> I stumbled on to a bug when accidentally executing a ra command with an incomplete IP address.
>>>> Strangely enough, the error-detection make different descisions depending of its place in the filter string.
>>>>
>>>> Example:
>>>>
>>>> #ra -Zb -nr argus.log - host 10.10.10.10 and host 10
>>>>
>>>> pid 1907 (ra), uid 0: exited on signal 11 (core dumped)
>>>> host 10.10.10.10 and host 10 filter syntax error
>>>>
>>>>
>>>>
>>>> The filter "tcp and host 10" and other elements before "host 10" also fail.
>>>>
>>>> However, a filter of just "host 10" by itself does not fail, nor does "host 10 and host 10.10.10.10"
>>>>
>>>>
>>>> (ra version 3.0.6.2)
>>>>
>>>> /Elof
>>>>
>>>
>>>
>>
>
>

More information about the argus mailing list