rafilteraddr broken in 3.0.7.6 and later
Carter Bullard
carter at qosient.com
Wed Jul 17 16:40:11 EDT 2013
From: Terry Burton <tez at terryburton.co.uk>
Subject: Re: [ARGUS] rafilteraddr broken in 3.0.7.6 and later
Date: July 16, 2013 10:11:29 AM EDT
To: Carter Bullard <carter at qosient.com>
On 16 July 2013 14:57, Carter Bullard <carter at qosient.com> wrote:
> If you don't mind a patch, if you apply this, things may be better.
> Seems that we're doing an EXACT_MATCH, and with the /24 terminating
> nodes in the tree, it seems to have forgotten to do the CIDR test.
Hey Carter,
The patched rafilteraddr appears to work perfectly. I've diffed the
output between 3.0.7.5 (last working version) and 3.0.7.9+patch using
10GB of flow data for a sparsely populated /16 and they match except
for a few flows where the recent client correctly determines the
direction of some ICMP traffic.
Thanks again!
Terry
> ==== //depot/argus/clients/common/argus_label.c#49 - /Volumes/Users/carter/argus/clients/common/argus_label.c ====
> 1067,1069c1067,1076
> < if ((tree->l == NULL) && (tree->r == NULL))
> < retn = NULL;
> < else {
> ---
>> if ((tree->l == NULL) && (tree->r == NULL)) {
>> if (node->addr.masklen != tree->addr.masklen) {
>> if (taddr == naddr)
>> retn = tree;
>> else
>> retn = NULL;
>> } else
>> retn = NULL;
>>
>> } else {
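Review bot: the new leaf branch only accepts a masked match when `node->addr.masklen != tree->addr.masklen`; when the two mask lengths are equal it falls through to `retn = NULL`, which presumably relies on an earlier exact-match path having already handled the equal-length case, but that path is outside this hunk, so a one-line comment stating that assumption would make the leaf logic easier to follow. It is also worth confirming that `taddr` and `naddr` are both masked to `tree->addr.masklen` (the /24 leaf's prefix) before `if (taddr == naddr)`, since the reported bug is precisely that the /24 terminating nodes were being compared as exact addresses instead of getting the CIDR test.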
>
>
> On Jul 16, 2013, at 9:39 AM, Terry Burton <tez at terryburton.co.uk> wrote:
>
>> On 16 July 2013 03:45, Carter Bullard <carter at qosient.com> wrote:
>>> Hey Terry,
>>> Testing / debugging your bug report where rafilteraddr() only matches
>>> flows that match the first entry in the address.spec.
>>>
>>> The patricia tree that we build out of the address.spec file seems correct.
>>> You can test this using:
>>>
>>> thoth:Desktop carter$ rafilteraddr -M debug.tree -f address.spec
>>> |+143.210.9.0/24
>>> |
>>> +143.210.8.0/21
>>> |
>>> |+143.210.12.0/24
>>>
>>> This is pretty handy when debugging the configurations. Regardless,
>>> and fortunately, I also get your bug here, so I'll be fixing it
>>> tonight / tomorrow. Just wanted you to have an update.
>>
>> Hey Carter. Thanks for the information and the update.
>>
>> All the best,
>>
>> Terry
>>
>>
>>> On Jul 10, 2013, at 12:34 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> Hey Terry,
>>>> Hmmmmmm, I hate bugs ;O) must not be updating the hash properly.
>>>> Cool, if I can't reproduce it here, can you send a file with the two record types that demonstrates the bug?
>>>>
>>>> Hope all is most excellent,
>>>> Carter
>>>>
>>>>
>>>> On Jul 10, 2013, at 12:11 PM, Terry Burton <tez at terryburton.co.uk> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> From argus-clients version 3.0.7.6 onwards rafilteraddr appears to
>>>>> match only the first CIDR pattern from the address.spec file, as shown
>>>>> below...
>>>>>
>>>>>
>>>>> All the best,
>>>>>
>>>>> Terry
>>>>>
>>>>>
>>>>> ----
>>>>>
>>>>>
>>>>> $ cat address.spec
>>>>> 143.210.9.0/24
>>>>> 143.210.12.0/24
>>>>>
>>>>> $ argus-clients-3.0.7.5/bin/rafilteraddr -m saddr -f address.spec -r $FLOWS/2013-07-10/0.0.0.0-16\:30\:00.arg.gz - ipv4
>>>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>>>>> 16:29:55.374787 e udp 143.210.12.161.60819 <-> 192.52.178.30.domain 2 900 CON
>>>>> 16:29:55.377486 e icmp 143.210.9.111.0x0103 -> 17.172.232.132.0x8fd2 5 618 URH
>>>>> 16:29:55.378994 e udp 143.210.12.161.42447 <-> 54.216.60.36.domain 2 370 CON
>>>>> 16:29:56.804826 e udp 143.210.12.161.45549 <-> 31.25.98.253.domain 2 245 CON
>>>>> 16:29:56.805570 e icmp 143.210.9.111.0x0103 -> 74.125.136.188.0x8fd2 2 188 URH
>>>>> 16:29:56.888013 e udp 143.210.12.161.11128 <-> 213.248.117.201.domain 2 191 CON
>>>>> 16:29:56.889250 e udp 143.210.12.160.50230 <-> 128.86.8.120.domain 2 477 CON
>>>>> 16:29:56.889412 e udp 143.210.12.160.61717 <-> 213.199.180.53.domain 2 207 CON
>>>>> 16:29:56.889458 e icmp 143.210.9.111.0x0103 -> 78.141.179.13.0x8fd2 1 94 URH
>>>>> 16:29:56.889703 e udp 143.210.12.161.26369 <-> 194.83.56.244.domain 2 284 CON
>>>>> 16:29:57.544225 e udp 143.210.12.161.30309 <-> 66.135.215.134.domain 2 226 CON
>>>>> 16:29:57.545429 e icmp 143.210.9.111.0x0103 -> 69.171.248.65.0x8fd2 1 121 URH
>>>>> 16:29:57.545459 e icmp 143.210.9.111.0x0103 -> 69.171.235.64.0x8fd2 1 121 URH
>>>>> ...
>>>>>
>>>>> $ argus-clients-3.0.7.6/bin/rafilteraddr -m saddr -f address.spec -r $FLOWS/2013-07-10/0.0.0.0-16\:30\:00.arg.gz - ipv4
>>>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>>>>> 16:29:55.377486 e icmp 143.210.9.111.0x0103 -> 17.172.232.132.0x8fd2 5 618 URH
>>>>> 16:29:56.805570 e icmp 143.210.9.111.0x0103 -> 74.125.136.188.0x8fd2 2 188 URH
>>>>> 16:29:56.889458 e icmp 143.210.9.111.0x0103 -> 78.141.179.13.0x8fd2 1 94 URH
>>>>> 16:29:57.545429 e icmp 143.210.9.111.0x0103 -> 69.171.248.65.0x8fd2 1 121 URH
>>>>> 16:29:57.545459 e icmp 143.210.9.111.0x0103 -> 69.171.235.64.0x8fd2 1 121 URH
>>>>> ...
>>>>>
>>>>> $ uname -a
>>>>> Linux argus 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
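The difference between an exact comparison and the masked CIDR test at a terminating node, as an added example that is not argus code: a small prefix tree hand-built to match the debug.tree output above (a /21 parent with the two /24 leaves from address.spec; IPv4 in host byte order is assumed), looked up both ways for the source addresses seen in the flow listing.

```c
/* Added example, not argus code: a small prefix tree built from the
 * address.spec in this thread, with the terminal-node test done the exact
 * way and the masked (CIDR) way. Assumes IPv4 in host byte order. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
enum { EXACT_MATCH, CIDR_MATCH };
typedef struct pnode {
    uint32_t addr;        /* network address, already masked */
    int masklen;          /* prefix length 0..32 */
    int terminal;         /* 1 if this prefix came from address.spec */
    struct pnode *l, *r;  /* children chosen by the bit after masklen */
} pnode;
static uint32_t mask(int len) { return len ? 0xffffffffu << (32 - len) : 0; }
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}
static pnode *mknode(uint32_t addr, int masklen, int term, pnode *l, pnode *r) {
    pnode *n = calloc(1, sizeof *n);
    n->addr = addr & mask(masklen); n->masklen = masklen;
    n->terminal = term; n->l = l; n->r = r;
    return n;
}

/* Descend while the node's prefix covers target, remember the deepest
 * terminal node reached, then apply the chosen test. Returns the matched
 * prefix length or -1 for no match. */
static int addr_match(const pnode *tree, uint32_t target, int mode) {
    const pnode *best = NULL;
    while (tree && (target & mask(tree->masklen)) == tree->addr) {
        if (tree->terminal) best = tree;
        if (tree->masklen == 32) break;
        tree = ((target >> (31 - tree->masklen)) & 1) ? tree->r : tree->l;
    }
    if (!best) return -1;
    if (mode == EXACT_MATCH)   /* only the network address itself passes */
        return target == best->addr ? best->masklen : -1;
    return best->masklen;      /* masked comparison already held above */
}

/* Hand-built copy of the tree rafilteraddr -M debug.tree printed above. */
static pnode *spec_tree(void) {
    return mknode(ip4(143,210,8,0), 21, 0,
                  mknode(ip4(143,210,9,0), 24, 1, NULL, NULL),
                  mknode(ip4(143,210,12,0), 24, 1, NULL, NULL));
}
int main(void) {
    uint32_t a = ip4(143,210,12,161);   /* a source address from the flows above */
    printf("exact=%d cidr=%d\n", addr_match(spec_tree(), a, EXACT_MATCH),
           addr_match(spec_tree(), a, CIDR_MATCH));   /* prints exact=-1 cidr=24 */
}
```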