Bug with malformed host in filter

elof2 at sentor.se elof2 at sentor.se
Wed Feb 27 11:50:57 EST 2013


I think it should be treated as a number.
I have never seen anyone naming a host with just a number without any 
alpha characters in it. It's like begging for any kind of trouble. :-)

/Elof

On Wed, 27 Feb 2013, Carter Bullard wrote:

> Hey Dave,
> So found the bug, but more interesting question is what is the right thing here?
> If you say " host 10 ", what do we expect, is the 10 a number or a name?
> Currently we treat it as a number.  The only way to get it to be a hostname
> is for it to be an FQDN, such as  10.qosient.com.
>
> The problem is this type of call:
>
>   ra - host "10"
>
> Currently, that still comes up as a number, not a name.
> Any opinions?
>
> Carter
>
> On Feb 26, 2013, at 8:53 PM, "Dave Edelman" <dedelman at iname.com> wrote:
>
>> I can verify that under FC14 ra 3.0.7.3 does not segfault but it does
>> complain about a filter syntax error.
>>
>> # ra -S localhost:561 - host 10
>> ra[458]: Wed 2013-02-27 01:14:42.277 host 10 filter syntax error
>>
>> This is strange because according to the inet(3) man page, 10 is a perfectly
>> acceptable IPv4 address.
>> Just to make things even stranger, I do have a valid DNS resolution for 10
>> which is no surprise given Cablevision's level of technical acumen. (At
>> least they aren't claiming to be authoritative.)
>>
>> #  dig 10
>>
>> ; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> 10
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54672
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;10.                            IN      A
>>
>> ;; ANSWER SECTION:
>> 10.                     0       IN      A       67.63.55.3
>>
>> ;; Query time: 54 msec
>> ;; SERVER: 167.206.245.130#53(167.206.245.130)
>> ;; WHEN: Wed Feb 27 01:15:15 2013
>> ;; MSG SIZE  rcvd: 36
>>
>>
>> --Dave
>>
>>
>>> -----Original Message-----
>>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
>>> On Behalf Of elof2 at sentor.se
>>> Sent: Monday, February 25, 2013 11:51 AM
>>> To: Carter Bullard
>>> Cc: pauls at utdallas.edu; Argus Development
>>> Subject: Re: [ARGUS] Bug with malformed host in filter
>>>
>>>
>>> Sounds good. You're swift in response and action as always. :-)
>>>
>>> Yes, I manually compile and use the latest version of argus and other apps
>>> when they have an important bugfix or new feature, but usually I try to
>>> stick with the normal FreeBSD ports, since this makes managing hundreds of
>>> boxes much easier.
>>>
>>> Perhaps Paul S will deploy an update of the FreeBSD port soon, getting
>>> argus-clients closer to 3.0.7.5.
>>>
>>>
>>>
>>> On your FreeBSD VM, run: portsnap fetch update
>>>
>>> Remove any currently installed argus/ra binaries.
>>>
>>> cd /usr/ports/net-mgmt/argus3-clients
>>> make
>>> make install
>>>
>>> That should give you Ra Version 3.0.6.2 to play around with.
>>>
>>> /Elof
>>>
>>>
>>> On Mon, 25 Feb 2013, Carter Bullard wrote:
>>>
>>>> No problems.  I'll look around to see what is up.  I've got a
>>>> FreeBSD VM I can test on, will try to fire that up today.
>>>> The fault concerns me, so I'll try to recreate that first.
>>>>
>>>> Do try to work with the latest at some point to see if we've
>>>> fixed the problem.
>>>>
>>>> Carter
>>>>
>>>> On Feb 25, 2013, at 10:47 AM, elof2 at sentor.se wrote:
>>>>
>>>>>
>>>>> I'm using the official Argus port on a FreeBSD 9.1 amd64 machine.
>>>>>
>>>>> Hehe, no, I have no host called "10". :)
>>>>> ...and speaking of resolving, I have no /etc/resolv.conf at all.
>>>>>
>>>>> Unfortunately I currently have no time to compile and test
>>>>> argus-clients-3.0.7.5. :-/
>>>>>
>>>>> /Elof
>>>>>
>>>>> On Mon, 25 Feb 2013, Carter Bullard wrote:
>>>>>
>>>>>> Hmmmm,
>>>>>> That is interesting.  I'm not getting the same types of errors on Mac OS X.
>>>>>> Are you using Centos by any chance (just a guess).  The filter should fail
>>>>>> all the time.
>>>>>> We figure out if " 10 ", which the filter thinks is either a digit or a
>>>>>> string, is a good address by calling gethostbyname().  Any chance you have
>>>>>> a host named " 10 " out there?
>>>>>>
>>>>>> Does argus-clients-3.0.7.5 do a better job ?
>>>>>> Carter
>>>>>>
>>>>>>
>>>>>> On Feb 25, 2013, at 9:02 AM, elof2 at sentor.se wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi Carter!
>>>>>>>
>>>>>>> I stumbled on to a bug when accidentally executing a ra command with
>>>>>>> an incomplete IP address.
>>>>>>> Strangely enough, the error-detection makes different decisions
>>>>>>> depending on its place in the filter string.
>>>>>>>
>>>>>>> Example:
>>>>>>>
>>>>>>> #ra -Zb -nr argus.log - host 10.10.10.10 and host 10
>>>>>>>
>>>>>>> pid 1907 (ra), uid 0: exited on signal 11 (core dumped)
>>>>>>> host 10.10.10.10 and host 10 filter syntax error
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The filter "tcp and host 10" and other elements before "host 10" also
>>>>>>> fail.
>>>>>>>
>>>>>>> However, a filter of just "host 10" by itself does not fail, nor does
>>>>>>> "host 10 and host 10.10.10.10"
>>>>>>>
>>>>>>>
>>>>>>> (ra version 3.0.6.2)
>>>>>>>
>>>>>>> /Elof
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>
>>
>
>
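
An added example, not part of the thread and not argus-clients code: the number-or-name ambiguity for `host 10` can be settled without DNS by comparing `inet_pton()` (strict dotted quad) with `inet_aton()` (the inet(3) shorthand Dave mentions). The `host_kind` enum and `classify_host()` are hypothetical names, and the sample operands are constructed from the forms discussed above.

```c
#define _DEFAULT_SOURCE            /* exposes inet_aton() under strict -std= modes */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical operand classes; these names are not from argus-clients. */
enum host_kind { HOST_DOTTED_QUAD, HOST_SHORTHAND_NUM, HOST_NAME, HOST_INVALID };

/* Classify a "host <tok>" operand without DNS, so the answer never depends
 * on what the local resolver happens to return for a bare number. */
enum host_kind classify_host(const char *tok, uint32_t *addr)
{
    struct in_addr a;
    int has_alpha = 0;

    *addr = 0;
    if (tok == NULL || *tok == '\0')
        return HOST_INVALID;
    if (inet_pton(AF_INET, tok, &a) == 1) {   /* strict a.b.c.d only */
        *addr = ntohl(a.s_addr);
        return HOST_DOTTED_QUAD;
    }
    if (inet_aton(tok, &a) != 0) {            /* inet(3) shorthand: "10", "10.1" */
        *addr = ntohl(a.s_addr);
        return HOST_SHORTHAND_NUM;
    }
    for (const char *p = tok; *p; p++) {      /* name: letters, digits, '-', '.' */
        unsigned char c = (unsigned char)*p;
        if (isalpha(c))
            has_alpha = 1;
        else if (!isdigit(c) && c != '-' && c != '.')
            return HOST_INVALID;
    }
    return has_alpha ? HOST_NAME : HOST_INVALID;
}

int main(void)
{
    /* Constructed sample operands, taken from the forms discussed in the thread. */
    const char *samples[] = { "10", "10.10.10.10", "10.qosient.com", "10.1" };
    static const char *label[] = { "dotted-quad", "shorthand-number", "name", "invalid" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t addr;
        enum host_kind k = classify_host(samples[i], &addr);
        printf("%-16s %-17s 0x%08x\n", samples[i], label[k], (unsigned)addr);
    }
    return 0;
}
```

A bare `10` classifies as a shorthand number equal to 0.0.0.10, so a filter parser can reject or warn on that class explicitly instead of handing the token to the resolver.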


