Bug with malformed host in filter

Dave Edelman dedelman at iname.com
Tue Feb 26 20:53:11 EST 2013


I can verify that under FC14 ra 3.0.7.3 does not segfault but it does
complain about a filter syntax error.

# ra -S localhost:561 - host 10
ra[458]: Wed 2013-02-27 01:14:42.277 host 10 filter syntax error

This is strange because according to the inet(3) man page, 10 is a perfectly
acceptable IPv4 address. 
Just to make things even stranger, I do have a valid DNS resolution for 10
which is no surprise given Cablevision's level of technical acumen. (At
least they aren't claiming to be authoritative.) 

#  dig 10

; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> 10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54672
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.                            IN      A

;; ANSWER SECTION:
10.                     0       IN      A       67.63.55.3

;; Query time: 54 msec
;; SERVER: 167.206.245.130#53(167.206.245.130)
;; WHEN: Wed Feb 27 01:15:15 2013
;; MSG SIZE  rcvd: 36


--Dave


> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
> On Behalf Of elof2 at sentor.se
> Sent: Monday, February 25, 2013 11:51 AM
> To: Carter Bullard
> Cc: pauls at utdallas.edu; Argus Development
> Subject: Re: [ARGUS] Bug with malformed host in filter
> 
> 
> Sounds good. You're swift in response and action as always. :-)
> 
> Yes, I manually compile and use the latest version of argus and other apps
> when they have an important bugfix or new feature, but usually I try to stick
> with the normal FreeBSD ports, since this makes managing hundreds of
> boxes much easier.
> 
> Perhaps Paul S will deploy an update of the FreeBSD port soon, getting
> argus-clients closer to 3.0.7.5.
> 
> 
> 
> On your FreeBSD VM, run: portsnap fetch update
> 
> Remove any currently installed argus/ra binaries.
> 
> cd /usr/ports/net-mgmt/argus3-clients
> make
> make install
> 
> That should give you Ra Version 3.0.6.2 to play around with.
> 
> /Elof
> 
> 
> On Mon, 25 Feb 2013, Carter Bullard wrote:
> 
> > No problems.  I'll look around to see what is up.  I've got a
> > FreeBSD VM I can test on, will try to fire that up today.
> > The fault concerns me, so I'll try to recreate that first.
> >
> > Do try to work with the latest at some point to see if we've
> > fixed the problem.
> >
> > Carter
> >
> > On Feb 25, 2013, at 10:47 AM, elof2 at sentor.se wrote:
> >
> >>
> >> I'm using the official Argus port on a FreeBSD 9.1 amd64 machine.
> >>
> >> Hehe, no, I have no host called "10". :)
> >> ...and speaking of resolving, I have no /etc/resolv.conf at all.
> >>
> >> Unfortunately I currently have no time to compile and test
> >> argus-clients-3.0.7.5. :-/
> >>
> >> /Elof
> >>
> >> On Mon, 25 Feb 2013, Carter Bullard wrote:
> >>
> >>> Hmmmm,
> >>> That is interesting.  I'm not getting the same types of errors on Mac OS X.
> >>> Are you using Centos by any chance (just a guess).  The filter should fail
> >>> all the time.
> >>> We figure out if " 10 ", which the filter thinks is either a digit or a
> >>> string, is a good address by calling gethostbyname().  Any chance you have
> >>> a host named " 10 " out there?
> >>>
> >>> Does argus-clients-3.0.7.5 do a better job ?
> >>> Carter
> >>>
> >>>
> >>> On Feb 25, 2013, at 9:02 AM, elof2 at sentor.se wrote:
> >>>
> >>>>
> >>>> Hi Carter!
> >>>>
> >>>> I stumbled on to a bug when accidentally executing a ra command with
> >>>> an incomplete IP address.
> >>>> Strangely enough, the error-detection makes different decisions
> >>>> depending on its place in the filter string.
> >>>>
> >>>> Example:
> >>>>
> >>>> #ra -Zb -nr argus.log - host 10.10.10.10 and host 10
> >>>>
> >>>> pid 1907 (ra), uid 0: exited on signal 11 (core dumped)
> >>>> host 10.10.10.10 and host 10 filter syntax error
> >>>>
> >>>>
> >>>>
> >>>> The filter "tcp and host 10" and other elements before "host 10" also
> >>>> fail.
> >>>>
> >>>> However, a filter of just "host 10" by itself does not fail, nor does
> >>>> "host 10 and host 10.10.10.10"
> >>>>
> >>>>
> >>>> (ra version 3.0.6.2)
> >>>>
> >>>> /Elof
> >>>>
> >>>
> >>>
> >>
> >
> >
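
Added example, not part of the original thread and not Argus code: the messages above turn on whether the token "10" is an address (inet(3)) or a name (gethostbyname()). The C program below classifies a "host" operand with inet_pton() and inet_aton() only, without consulting a resolver; classify_host_token() and host_token_value() are hypothetical names and the sample tokens are constructed.

```c
#define _DEFAULT_SOURCE   /* expose inet_aton() under strict -std= modes */
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* How a "host <token>" operand reads before any resolver is consulted. */
enum host_kind {
    HOST_DOTTED_QUAD,     /* strict a.b.c.d, accepted by inet_pton(AF_INET) */
    HOST_LEGACY_NUMERIC,  /* inet(3) shorthand such as "10" or "10.1"       */
    HOST_NAME             /* not numeric; only a lookup could decide        */
};

/* Hypothetical helper: classify tok; numeric forms also fill in *addr. */
enum host_kind classify_host_token(const char *tok, struct in_addr *addr)
{
    addr->s_addr = 0;
    if (inet_pton(AF_INET, tok, addr) == 1)
        return HOST_DOTTED_QUAD;
    if (inet_aton(tok, addr) != 0)      /* accepts 1 to 4 parts, hex, octal */
        return HOST_LEGACY_NUMERIC;
    addr->s_addr = 0;
    return HOST_NAME;
}

/* Host-order value of a numeric token, or 0 when tok is a name. */
unsigned long host_token_value(const char *tok)
{
    struct in_addr a;
    if (classify_host_token(tok, &a) == HOST_NAME)
        return 0UL;
    return (unsigned long)ntohl(a.s_addr);
}

int main(void)
{
    /* Constructed samples; "10" and "10.10.10.10" are the tokens in the thread. */
    const char *samples[] = { "10.10.10.10", "10", "10.1", "0x0a", "localhost" };
    const char *names[] = { "dotted-quad", "legacy-numeric", "name" };
    char buf[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct in_addr a;
        enum host_kind k = classify_host_token(samples[i], &a);
        printf("%-12s %-15s %s\n", samples[i], names[k],
               k == HOST_NAME ? "-" : inet_ntop(AF_INET, &a, buf, sizeof buf));
    }
    return 0;
}
```

A token reported as legacy-numeric or name is one where the address reading and the resolver reading can disagree, as they do for "10" in Dave's dig output.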



