Fwd: rafilteraddr broken in 3.0.7.6 and later

Carter Bullard carter at qosient.com
Wed Jul 17 16:37:47 EDT 2013


Hey Terry,
If you don't mind a patch, if you apply this, things may be better.
Seems that we're doing an EXACT_MATCH, and with the /24 terminating
nodes in the tree, it seems to have forgotten to do the CIDR test.

Carter

==== //depot/argus/clients/common/argus_label.c#49 - /Volumes/Users/carter/argus/clients/common/argus_label.c ====
1067,1069c1067,1076
<                      if ((tree->l == NULL) && (tree->r == NULL))
<                         retn = NULL;
<                      else {
---
>                     if ((tree->l == NULL) && (tree->r == NULL)) {
>                        if (node->addr.masklen != tree->addr.masklen) {
>                           if (taddr == naddr)
>                              retn = tree;
>                           else
>                              retn = NULL;
>                        } else
>                           retn = NULL;
> 
>                     } else {
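Review bot: in the new leaf-node branch the equal-masklen case (`} else retn = NULL;`) still never matches, so a lookup whose prefix length equals the terminating node's can only ever return NULL here; if the intent is the CIDR test, the `taddr == naddr` comparison should apply in that case too (or be the sole condition), and a comment explaining why differing mask lengths are the trigger would help a later reader. The hunk also does not show how `taddr` and `naddr` are derived; confirm both are masked to the terminating node's prefix length before the equality test, otherwise the comparison is still an exact-address match.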


On Jul 16, 2013, at 9:39 AM, Terry Burton <tez at terryburton.co.uk> wrote:

> On 16 July 2013 03:45, Carter Bullard <carter at qosient.com> wrote:
>> Hey Terry,
>> Testing / debugging your bug report where rafilteraddr() only matches
>> flows that match the first entry in the address.spec.
>> 
>> The patricia tree that we build out of the address.spec file seems correct.
>> You can test this using:
>> 
>> thoth:Desktop carter$ rafilteraddr -M debug.tree -f address.spec
>>  |+143.210.9.0/24
>>  |
>> +143.210.8.0/21
>>  |
>>  |+143.210.12.0/24
>> 
>> This is pretty handy when debugging the configurations. Regardless,
>> and fortunately, I also get your bug here, so I'll be fixing it
>> tonight / tomorrow.  Just wanted you to have an update.
> 
> Hey Carter. Thanks for the information and the update.
> 
> All the best,
> 
> Terry
> 
> 
>> On Jul 10, 2013, at 12:34 PM, Carter Bullard <carter at qosient.com> wrote:
>>> Hey Terry,
>>> Hmmmmmm, I hate bugs ;O)  must not be updating the hash properly.
>>> Cool, if I can't reproduce it here, can you send a file with the two record types, that demonstrates the bug?
>>> 
>>> Hope all is most excellent,
>>> Carter
>>> 
>>> 
>>> On Jul 10, 2013, at 12:11 PM, Terry Burton <tez at terryburton.co.uk> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> From argus-clients version 3.0.7.6 onwards rafilteraddr appears to
>>>> match only the first CIDR pattern from the address.spec file, as shown
>>>> below...
>>>> 
>>>> 
>>>> All the best,
>>>> 
>>>> Terry
>>>> 
>>>> 
>>>> ----
>>>> 
>>>> 
>>>> $ cat address.spec
>>>> 143.210.9.0/24
>>>> 143.210.12.0/24
>>>> 
>>>> $ argus-clients-3.0.7.5/bin/rafilteraddr -m saddr -f address.spec -r
>>>> $FLOWS/2013-07-10/0.0.0.0-16\:30\:00.arg.gz - ipv4
>>>>      StartTime      Flgs  Proto            SrcAddr  Sport   Dir
>>>>     DstAddr  Dport  TotPkts   TotBytes State
>>>> 16:29:55.374787  e           udp     143.210.12.161.60819    <->
>>>> 192.52.178.30.domain        2        900   CON
>>>> 16:29:55.377486  e          icmp      143.210.9.111.0x0103    ->
>>>> 17.172.232.132.0x8fd2        5        618   URH
>>>> 16:29:55.378994  e           udp     143.210.12.161.42447    <->
>>>> 54.216.60.36.domain        2        370   CON
>>>> 16:29:56.804826  e           udp     143.210.12.161.45549    <->
>>>> 31.25.98.253.domain        2        245   CON
>>>> 16:29:56.805570  e          icmp      143.210.9.111.0x0103    ->
>>>> 74.125.136.188.0x8fd2        2        188   URH
>>>> 16:29:56.888013  e           udp     143.210.12.161.11128    <->
>>>> 213.248.117.201.domain        2        191   CON
>>>> 16:29:56.889250  e           udp     143.210.12.160.50230    <->
>>>> 128.86.8.120.domain        2        477   CON
>>>> 16:29:56.889412  e           udp     143.210.12.160.61717    <->
>>>> 213.199.180.53.domain        2        207   CON
>>>> 16:29:56.889458  e          icmp      143.210.9.111.0x0103    ->
>>>> 78.141.179.13.0x8fd2        1         94   URH
>>>> 16:29:56.889703  e           udp     143.210.12.161.26369    <->
>>>> 194.83.56.244.domain        2        284   CON
>>>> 16:29:57.544225  e           udp     143.210.12.161.30309    <->
>>>> 66.135.215.134.domain        2        226   CON
>>>> 16:29:57.545429  e          icmp      143.210.9.111.0x0103    ->
>>>> 69.171.248.65.0x8fd2        1        121   URH
>>>> 16:29:57.545459  e          icmp      143.210.9.111.0x0103    ->
>>>> 69.171.235.64.0x8fd2        1        121   URH
>>>> ...
>>>> 
>>>> $ argus-clients-3.0.7.6/bin/rafilteraddr -m saddr -f address.spec -r
>>>> $FLOWS/2013-07-10/0.0.0.0-16\:30\:00.arg.gz - ipv4
>>>>      StartTime      Flgs  Proto            SrcAddr  Sport   Dir
>>>>     DstAddr  Dport  TotPkts   TotBytes State
>>>> 16:29:55.377486  e          icmp      143.210.9.111.0x0103    ->
>>>> 17.172.232.132.0x8fd2        5        618   URH
>>>> 16:29:56.805570  e          icmp      143.210.9.111.0x0103    ->
>>>> 74.125.136.188.0x8fd2        2        188   URH
>>>> 16:29:56.889458  e          icmp      143.210.9.111.0x0103    ->
>>>> 78.141.179.13.0x8fd2        1         94   URH
>>>> 16:29:57.545429  e          icmp      143.210.9.111.0x0103    ->
>>>> 69.171.248.65.0x8fd2        1        121   URH
>>>> 16:29:57.545459  e          icmp      143.210.9.111.0x0103    ->
>>>> 69.171.235.64.0x8fd2        1        121   URH
>>>> ...
>>>> 
>>>> $ uname -a
>>>> Linux argus 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
> 
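As an added example (not argus code and not the patch above), a minimal binary trie in C built from the two address.spec entries in the report, showing why comparing the full source address at a terminating /24 node rejects hosts inside the prefix and how masking the address to the node's prefix length (the CIDR test) fixes it. The names `parse_cidr`, `trie_insert`, `trie_match` and `filter_matches` are mine, and the trie does not model the layout that let the first entry still match in 3.0.7.6.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct node {
    struct node *l, *r;   /* children for next address bit 0 / 1 */
    uint32_t addr;        /* masked prefix, host byte order */
    int masklen, term;    /* prefix length; term = 1 ends an address.spec entry */
} node_t;
static uint32_t mask_of(int len) { return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len); }
/* Parse "a.b.c.d/len" (a bare address is taken as /32). Returns 0 on success. */
static int parse_cidr(const char *s, uint32_t *addr, int *len) {
    unsigned a, b, c, d; int n = 32;
    if (sscanf(s, "%u.%u.%u.%u/%d", &a, &b, &c, &d, &n) < 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || n < 0 || n > 32) return -1;
    *addr = (a << 24) | (b << 16) | (c << 8) | d; *len = n;
    return 0;
}
/* Insert one prefix: one trie level per prefix bit, terminating node at the end. */
static void trie_insert(node_t *root, const char *cidr) {
    uint32_t addr; int len; node_t *n = root;
    if (parse_cidr(cidr, &addr, &len) != 0) return;
    for (int i = 0; i < len; i++) {
        node_t **next = ((addr >> (31 - i)) & 1) ? &n->r : &n->l;
        if (!*next) *next = calloc(1, sizeof(node_t));
        n = *next;
    }
    n->term = 1; n->addr = addr & mask_of(len); n->masklen = len;
}
static void trie_free(node_t *n) { if (n) { trie_free(n->l); trie_free(n->r); free(n); } }
/* Walk to the first terminating node on the address's bit path. With cidr_test the
 * address is masked to that node's prefix length before comparing (the fix); without
 * it the full host address is compared, which is the behaviour the thread reports. */
static int trie_match(const node_t *root, const char *ip, int cidr_test) {
    uint32_t addr; int len; const node_t *n = root;
    if (parse_cidr(ip, &addr, &len) != 0) return 0;
    for (int i = 0; n && !n->term && i < 32; i++)
        n = ((addr >> (31 - i)) & 1) ? n->r : n->l;
    if (!n || !n->term) return 0;
    return cidr_test ? (addr & mask_of(n->masklen)) == n->addr : addr == n->addr;
}
/* Build the trie from the report's address.spec and test one source address. */
int filter_matches(const char *ip, int cidr_test) {
    node_t root = {0};
    trie_insert(&root, "143.210.9.0/24");
    trie_insert(&root, "143.210.12.0/24");
    int r = trie_match(&root, ip, cidr_test);
    trie_free(root.l); trie_free(root.r);
    return r;
}
```

With cidr_test set, 143.210.12.161 (the DNS client from the report) matches the second entry; with the exact comparison only the network address 143.210.12.0 itself would.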

