Bug with malformed host in filter
Carter Bullard
carter at qosient.com
Wed Feb 27 11:42:05 EST 2013
Hey Dave,
So found the bug, but more interesting question is what is the right thing here?
If you say " host 10 ", what do we expect, is the 10 a number or a name?
Currently we treat it as a number. The only way to get it to be a hostname
is for it to be an FQDN, such as 10.qosient.com.
The problem is this type of call:
ra - host "10"
Currently, that still comes up as a number, not a name.
Any opinions?
Carter
On Feb 26, 2013, at 8:53 PM, "Dave Edelman" <dedelman at iname.com> wrote:
> I can verify that under FC14 ra 3.0.7.3 does not segfault but it does
> complain about a filter syntax error.
>
> # ra -S localhost:561 - host 10
> ra[458]: Wed 2013-02-27 01:14:42.277 host 10 filter syntax error
>
> This is strange because according to the inet(3) man page, 10 is a perfectly
> acceptable IPv4 address.
> Just to make things even stranger, I do have a valid DNS resolution for 10
> which is no surprise given Cablevision's level of technical acumen. (At
> least they aren't claiming to be authoritative.)
>
> # dig 10
>
> ; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> 10
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54672
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;10. IN A
>
> ;; ANSWER SECTION:
> 10. 0 IN A 67.63.55.3
>
> ;; Query time: 54 msec
> ;; SERVER: 167.206.245.130#53(167.206.245.130)
> ;; WHEN: Wed Feb 27 01:15:15 2013
> ;; MSG SIZE rcvd: 36
>
>
> --Dave
>
>
>> -----Original Message-----
>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
>> On Behalf Of elof2 at sentor.se
>> Sent: Monday, February 25, 2013 11:51 AM
>> To: Carter Bullard
>> Cc: pauls at utdallas.edu; Argus Development
>> Subject: Re: [ARGUS] Bug with malformed host in filter
>>
>>
>> Sounds good. You're swift in response and action as always. :-)
>>
>> Yes, I manually compile and use the latest version of argus and other apps
>> when they have an important bugfix or new feature, but usually I try to stick
>> with the normal FreeBSD ports, since this makes managing hundreds of
>> boxes much easier.
>>
>> Perhaps Paul S will deploy an update of the FreeBSD port soon, getting
>> argus-clients closer to 3.0.7.5.
>>
>>
>>
>> On your FreeBSD VM, run: portsnap fetch update
>>
>> Remove any currently installed argus/ra binaries.
>>
>> cd /usr/ports/net-mgmt/argus3-clients
>> make
>> make install
>>
>> That should give you Ra Version 3.0.6.2 to play around with.
>>
>> /Elof
>>
>>
>> On Mon, 25 Feb 2013, Carter Bullard wrote:
>>
>>> No problems. I'll look around to see what is up. I've got a
>>> FreeBSD VM I can test on, will try to fire that up today.
>>> The fault concerns me, so I'll try to recreate that first.
>>>
>>> Do try to work with the latest at some point to see if we've
>>> fixed the problem.
>>>
>>> Carter
>>>
>>> On Feb 25, 2013, at 10:47 AM, elof2 at sentor.se wrote:
>>>
>>>>
>>>> I'm using the official Argus port on a FreeBSD 9.1 amd64 machine.
>>>>
>>>> Hehe, no, I have no host called "10". :)
>>>> ...and speaking of resolving, I have no /etc/resolv.conf at all.
>>>>
>>>> Unfortunately I currently have no time to compile and test
>>>> argus-clients-3.0.7.5. :-/
>>>>
>>>> /Elof
>>>>
>>>> On Mon, 25 Feb 2013, Carter Bullard wrote:
>>>>
>>>>> Hmmmm,
>>>>> That is interesting. I'm not getting the same types of errors on Mac OS X.
>>>>> Are you using Centos by any chance (just a guess). The filter should fail
>>>>> all the time.
>>>>> We figure out if " 10 ", which the filter thinks is either a digit or a
>>>>> string, is a good address by calling gethostbyname(). Any chance you have
>>>>> a host named " 10 " out there?
>>>>>
>>>>> Does argus-clients-3.0.7.5 do a better job ?
>>>>> Carter
>>>>>
>>>>>
>>>>> On Feb 25, 2013, at 9:02 AM, elof2 at sentor.se wrote:
>>>>>
>>>>>>
>>>>>> Hi Carter!
>>>>>>
>>>>>> I stumbled on to a bug when accidentally executing a ra command with
>>>>>> an incomplete IP address.
>>>>>> Strangely enough, the error-detection makes different decisions
>>>>>> depending on its place in the filter string.
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> #ra -Zb -nr argus.log - host 10.10.10.10 and host 10
>>>>>>
>>>>>> pid 1907 (ra), uid 0: exited on signal 11 (core dumped)
>>>>>> host 10.10.10.10 and host 10 filter syntax error
>>>>>>
>>>>>>
>>>>>>
>>>>>> The filter "tcp and host 10" and other elements before "host 10" also
>>>>>> fail.
>>>>>>
>>>>>> However, a filter of just "host 10" by itself does not fail, nor does
>>>>>> "host 10 and host 10.10.10.10"
>>>>>>
>>>>>>
>>>>>> (ra version 3.0.6.2)
>>>>>>
>>>>>> /Elof
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>
>
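
The number-or-name question raised in this thread, as an added example that is not part of the original messages and is not argus code: it separates a strict dotted quad, the inet(3) short numeric forms (under which "10" is the address 0.0.0.10), and a syntactically plausible hostname, without doing a DNS lookup. The enum, the function names and the sample operands are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; none of them come from argus. */
enum host_kind { HOST_INVALID, HOST_DOTTED_QUAD, HOST_LEGACY_NUMBER, HOST_NAME };

/* Syntax-only name check; requires a letter so a bare "10" is never a name. */
static int looks_like_name(const char *s)
{
    int letters = 0, label = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '.' && label == 0) return 0;              /* empty label */
        if (c != '.' && c != '-' && !isalnum(c)) return 0; /* bad character */
        label = (c == '.') ? 0 : label + 1;
        letters += isalpha(c) != 0;
    }
    return letters > 0 && label > 0;
}

/* Classify a filter operand with no DNS lookup; *addr is host byte order. */
enum host_kind classify_host(const char *tok, uint32_t *addr)
{
    struct in_addr strict;
    *addr = 0;
    if (inet_pton(AF_INET, tok, &strict) == 1) {   /* exactly a.b.c.d */
        *addr = ntohl(strict.s_addr);
        return HOST_DOTTED_QUAD;
    }
    in_addr_t legacy = inet_addr(tok);   /* inet(3) short forms: a, a.b, a.b.c */
    if (legacy != INADDR_NONE) {         /* INADDR_NONE is the error value */
        *addr = ntohl(legacy);
        return HOST_LEGACY_NUMBER;
    }
    return looks_like_name(tok) ? HOST_NAME : HOST_INVALID;
}

int main(void)
{
    const char *samples[] = { "10", "10.10.10.10", "10.qosient.com", "10/8" }; /* constructed */
    for (int i = 0; i < 4; i++) {
        uint32_t a;
        int kind = classify_host(samples[i], &a);
        printf("%-15s kind=%d addr=0x%08x\n", samples[i], kind, (unsigned)a);
    }
}
```

A parser that wants "host 10" reported as a syntax error, rather than matched against 0.0.0.10 or sent to the resolver, can reject HOST_LEGACY_NUMBER explicitly.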