rafilteraddr broken in 3.0.7.6 and later
Carter Bullard
carter at qosient.com
Mon Jul 15 22:45:23 EDT 2013
Hey Terry,
Testing / debugging your bug report where rafilteraddr() only matches
flows that match the first entry in the address.spec.
The patricia tree that we build out of the address.spec file seems correct.
You can test this using:
thoth:Desktop carter$ rafilteraddr -M debug.tree -f address.spec
|+143.210.9.0/24
|
+143.210.8.0/21
|
|+143.210.12.0/24
This is pretty handy when debugging the configurations. Regardless,
and fortunately, I also get your bug here, so I'll be fixing it
tonight / tomorrow. Just wanted you to have an update.
Carter
On Jul 10, 2013, at 12:34 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Terry,
> Hmmmmmm, I hate bugs ;O) must not be updating the hash properly.
> Cool, if I can't reproduce it here, can you send a file with the two record types, that demonstrates the bug ?
>
> Hope all is most excellent,
> Carter
>
>
> On Jul 10, 2013, at 12:11 PM, Terry Burton <tez at terryburton.co.uk> wrote:
>
>> Hi,
>>
>> From argus-clients version 3.0.7.6 onwards rafilteraddr appears to
>> match only the first CIDR pattern from the address.spec file, as shown
>> below...
>>
>>
>> All the best,
>>
>> Terry
>>
>>
>> ----
>>
>>
>> $ cat address.spec
>> 143.210.9.0/24
>> 143.210.12.0/24
>>
>> $ argus-clients-3.0.7.5/bin/rafilteraddr -m saddr -f address.spec -r $FLOWS/2013-07-10/0.0.0.0-16\:30\:00.arg.gz - ipv4
>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>> 16:29:55.374787 e udp 143.210.12.161.60819 <-> 192.52.178.30.domain 2 900 CON
>> 16:29:55.377486 e icmp 143.210.9.111.0x0103 -> 17.172.232.132.0x8fd2 5 618 URH
>> 16:29:55.378994 e udp 143.210.12.161.42447 <-> 54.216.60.36.domain 2 370 CON
>> 16:29:56.804826 e udp 143.210.12.161.45549 <-> 31.25.98.253.domain 2 245 CON
>> 16:29:56.805570 e icmp 143.210.9.111.0x0103 -> 74.125.136.188.0x8fd2 2 188 URH
>> 16:29:56.888013 e udp 143.210.12.161.11128 <-> 213.248.117.201.domain 2 191 CON
>> 16:29:56.889250 e udp 143.210.12.160.50230 <-> 128.86.8.120.domain 2 477 CON
>> 16:29:56.889412 e udp 143.210.12.160.61717 <-> 213.199.180.53.domain 2 207 CON
>> 16:29:56.889458 e icmp 143.210.9.111.0x0103 -> 78.141.179.13.0x8fd2 1 94 URH
>> 16:29:56.889703 e udp 143.210.12.161.26369 <-> 194.83.56.244.domain 2 284 CON
>> 16:29:57.544225 e udp 143.210.12.161.30309 <-> 66.135.215.134.domain 2 226 CON
>> 16:29:57.545429 e icmp 143.210.9.111.0x0103 -> 69.171.248.65.0x8fd2 1 121 URH
>> 16:29:57.545459 e icmp 143.210.9.111.0x0103 -> 69.171.235.64.0x8fd2 1 121 URH
>> ...
>>
>> $ argus-clients-3.0.7.6/bin/rafilteraddr -m saddr -f address.spec -r $FLOWS/2013-07-10/0.0.0.0-16\:30\:00.arg.gz - ipv4
>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>> 16:29:55.377486 e icmp 143.210.9.111.0x0103 -> 17.172.232.132.0x8fd2 5 618 URH
>> 16:29:56.805570 e icmp 143.210.9.111.0x0103 -> 74.125.136.188.0x8fd2 2 188 URH
>> 16:29:56.889458 e icmp 143.210.9.111.0x0103 -> 78.141.179.13.0x8fd2 1 94 URH
>> 16:29:57.545429 e icmp 143.210.9.111.0x0103 -> 69.171.248.65.0x8fd2 1 121 URH
>> 16:29:57.545459 e icmp 143.210.9.111.0x0103 -> 69.171.235.64.0x8fd2 1 121 URH
>> ...
>>
>> $ uname -a
>> Linux argus 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
>>
>
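Added illustration (not Argus code, and not Carter's or Terry's) of what the debug tree in the thread represents: a prefix tree built from the two-entry address.spec yields the 143.210.8.0/21 glue node shown by `-M debug.tree`, and a lookup against it should match both 143.210.12.161 and 143.210.9.111 from the sample flows. The node layout, function names and the constructed address.spec text are assumptions; rafilteraddr's own patricia implementation is not reproduced here.

```python
import ipaddress

# Constructed address.spec: the two prefixes from the bug report.
ADDRESS_SPEC = "143.210.9.0/24\n143.210.12.0/24\n"

class Node:  # an address.spec entry, or a glue node covering two subtrees
    def __init__(self, net, entry=False, children=()):
        self.net, self.entry, self.children = net, entry, list(children)

def common_supernet(a, b):                        # longest prefix containing both
    for plen in range(min(a.prefixlen, b.prefixlen), -1, -1):
        net = ipaddress.ip_network((int(a.network_address), plen), strict=False)
        if b.subnet_of(net):
            return net

def insert(parent, new):
    for child in parent.children:
        if new.net.subnet_of(child.net):          # new lies under an existing node
            if new.net == child.net:
                child.entry = True
            else:
                insert(child, new)
            return
        glue = common_supernet(child.net, new.net)
        if glue == parent.net:                    # unrelated siblings: try the next child
            continue
        parent.children.remove(child)
        if glue == new.net:                       # new covers child: adopt it
            new.children.append(child)
            parent.children.append(new)
        else:                                     # shared longer prefix: insert a glue node
            parent.children.append(Node(glue, children=[child, new]))
        return
    parent.children.append(new)

def build_tree(spec_text):                        # blank lines and # comments are ignored
    root = Node(ipaddress.ip_network("0.0.0.0/0"))
    for line in spec_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            insert(root, Node(ipaddress.ip_network(line, strict=False), entry=True))
    return root

def match(root, addr):                            # longest address.spec entry, or None
    ip, node, best = ipaddress.ip_address(addr), root, None
    while node is not None:
        if node.entry:                            # glue nodes never match on their own
            best = node.net
        node = next((c for c in node.children if ip in c.net), None)
    return best
```

Addresses inside the /21 glue range but outside both /24 entries (for example 143.210.10.5) correctly return None, which is the behaviour a filter must preserve when it walks past a glue node.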