rafilteraddr broken in 3.0.7.6 and later

Carter Bullard carter at qosient.com
Wed Jul 10 12:34:52 EDT 2013 

Hey Terry,
Hmmmmmm, I hate bugs ;O)  must not be updating the hash properly.
Cool, if I can't reproduce it here, can you send a file with the two record types, that demonstrates the bug ?

Hope all is most excellent,
Carter


On Jul 10, 2013, at 12:11 PM, Terry Burton <tez at terryburton.co.uk> wrote:

> Hi,
> 
>> From argus-clients version 3.0.7.6 onwards rafilteraddr appears to
> match only the first CIDR pattern from the address.spec file, as shown
> below...
> 
> 
> All the best,
> 
> Terry
> 
> 
> ----
> 
> 
> $ cat address.spec
> 143.210.9.0/24
> 143.210.12.0/24
> 
> $ argus-clients-3.0.7.5/bin/rafilteraddr -m saddr -f address.spec -r
> $FLOWS/2013-07-10/0.0.0.0-16\:30\:00.arg.gz - ipv4
>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir
>        DstAddr  Dport  TotPkts   TotBytes State
>   16:29:55.374787  e           udp     143.210.12.161.60819    <->
>  192.52.178.30.domain        2        900   CON
>   16:29:55.377486  e          icmp      143.210.9.111.0x0103    ->
> 17.172.232.132.0x8fd2        5        618   URH
>   16:29:55.378994  e           udp     143.210.12.161.42447    <->
>   54.216.60.36.domain        2        370   CON
>   16:29:56.804826  e           udp     143.210.12.161.45549    <->
>   31.25.98.253.domain        2        245   CON
>   16:29:56.805570  e          icmp      143.210.9.111.0x0103    ->
> 74.125.136.188.0x8fd2        2        188   URH
>   16:29:56.888013  e           udp     143.210.12.161.11128    <->
> 213.248.117.201.domain        2        191   CON
>   16:29:56.889250  e           udp     143.210.12.160.50230    <->
>   128.86.8.120.domain        2        477   CON
>   16:29:56.889412  e           udp     143.210.12.160.61717    <->
> 213.199.180.53.domain        2        207   CON
>   16:29:56.889458  e          icmp      143.210.9.111.0x0103    ->
>  78.141.179.13.0x8fd2        1         94   URH
>   16:29:56.889703  e           udp     143.210.12.161.26369    <->
>  194.83.56.244.domain        2        284   CON
>   16:29:57.544225  e           udp     143.210.12.161.30309    <->
> 66.135.215.134.domain        2        226   CON
>   16:29:57.545429  e          icmp      143.210.9.111.0x0103    ->
>  69.171.248.65.0x8fd2        1        121   URH
>   16:29:57.545459  e          icmp      143.210.9.111.0x0103    ->
>  69.171.235.64.0x8fd2        1        121   URH
> ...
> 
> $ argus-clients-3.0.7.6/bin/rafilteraddr -m saddr -f address.spec -r
> $FLOWS/2013-07-10/0.0.0.0-16\:30\:00.arg.gz - ipv4
>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir
>        DstAddr  Dport  TotPkts   TotBytes State
>   16:29:55.377486  e          icmp      143.210.9.111.0x0103    ->
> 17.172.232.132.0x8fd2        5        618   URH
>   16:29:56.805570  e          icmp      143.210.9.111.0x0103    ->
> 74.125.136.188.0x8fd2        2        188   URH
>   16:29:56.889458  e          icmp      143.210.9.111.0x0103    ->
>  78.141.179.13.0x8fd2        1         94   URH
>   16:29:57.545429  e          icmp      143.210.9.111.0x0103    ->
>  69.171.248.65.0x8fd2        1        121   URH
>   16:29:57.545459  e          icmp      143.210.9.111.0x0103    ->
>  69.171.235.64.0x8fd2        1        121   URH
> ...
> 
> $ uname -a
> Linux argus 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
>

More information about the argus mailing list