argus-clients-3.0.7.16 now available

Carter Bullard carter at qosient.com
Tue Oct 1 11:45:13 EDT 2013


Hey Dave,
OK, this is fixed.  We were trying to parse the GeoIP metro value
as a string, rather than an integer.  Seems that MaxMind is changing
things in their data structures.  I just downloaded 1.5.1, and a few
things are different, like having a netmask value, etc.

I've updated argus-3.0.7.17 to reflect the modifications.


Here is a quick fix patch:

==== //depot/argus/clients/include/argus_label.h#20 - //argus/clients/include/argus_label.h ====

159c159
<    { "metro", "%s", 5, 16, 0, ARGUS_GEOIP_METRO_CODE},
---
>    { "metro", "%d", 5, 16, 0, ARGUS_GEOIP_METRO_CODE},
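
Review bot: On line 159 the conversion is still a plain string in the table, so nothing in the entry ties "%d" to the type of the value that the ARGUS_GEOIP_METRO_CODE case passes to snprintf; a "%s" next to an integer-valued field elsewhere in this table would fail the same way as the strlen crash in the backtrace. I would audit the other entries against the types they are printed with in this same change (including any entry added for the new netmask value mentioned above), and add a comment on the table stating which conversion each field id requires.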

Carter


On Sep 30, 2013, at 7:50 PM, David Edelman <dedelman at iname.com> wrote:

> Carter, the problem that I see with the GeoIP labeling is triggered only if I
> include the metro attribute. I get a segfault as follows:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x001ac38b in strlen () from /lib/libc.so.6
> Missing separate debuginfos, use: debuginfo-install glibc-2.9-3.i686
> libgcc-4.3.2-7.i386 tcp_wrappers-libs-7.6-53.fc10.i386
> zlib-1.2.3-18.fc9.i386
> (gdb) info threads
>  3 Thread 0xb66adb90 (LWP 10053)  0x00b65424 in __kernel_vsyscall ()
>  2 Thread 0xb70aeb90 (LWP 10052)  0x00b65424 in __kernel_vsyscall ()
> * 1 Thread 0xb7fe7b00 (LWP 10043)  0x001ac38b in strlen () from
> /lib/libc.so.6
> (gdb) thread 1
> [Switching to thread 1 (Thread 0xb7fe7b00 (LWP 10043))]#0  0x001ac38b in
> strlen () from /lib/libc.so.6
> (gdb) where
> #0  0x001ac38b in strlen () from /lib/libc.so.6
> #1  0x001784e0 in vfprintf () from /lib/libc.so.6
> #2  0x0019cfc4 in vsnprintf () from /lib/libc.so.6
> #3  0x0017e972 in snprintf () from /lib/libc.so.6
> #4  0x080d7360 in ArgusPrintGeoIPRecord (parser=0xb7f74008, gir=0xa7cd118,
> label=0xbffaf14c
> "sname=laccolbogwipc001.lac.nsroot.net:dname=198.41.0.4:dport=domain:scity=R
> eston,", found=3,
>    prefix=0x80fc702 "scity=") at ./argus_label.c:467
> #5  0x080d8100 in ArgusLabelRecord (parser=0xb7f74008, argus=0xa7cc280) at
> ./argus_label.c:780
> #6  0x0804c266 in RaProcessRecord (parser=0xb7f74008, argus=0xb7e50554) at
> ./radium.c:532
> #7  0x08054015 in RaScheduleRecord (parser=0xb7f74008, ns=0xb7e50554) at
> ./argus_util.c:2578
> #8  0x080545e8 in ArgusHandleDatum (parser=0xb7f74008, input=0xb7e50008,
> ptr=0xb3a68008, filter=0xb7fc4d9c) at ./argus_util.c:2689
> #9  0x080a265a in ArgusReadStreamSocket (parser=0xb7f74008,
> input=0xb7e50008) at ./argus_client.c:440
> #10 0x080a3119 in ArgusReadStream (parser=0xb7f74008, queue=0x85e7128) at
> ./argus_client.c:755
> #11 0x0804ddfc in main (argc=3, argv=0xbffff694) at ./argus_main.c:365
> 
> 
> I looked at the other two threads and they don't show any signs of
> contributing to the problem. If I remove metro from the attributes list,
> everything is fine. If I add two other attributes, (region and cco) that
> seems fine. GDB break at ArgusPrintGeoIPRecord and then at the case item for
> the metro code shows that there is a value for the metro code (613) and that
> all of the parameters seem to be valid including the format (%s).
> 
> 
> 
> --Dave
> 
> 
> 
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Monday, September 30, 2013 10:20 AM
> To: David Edelman
> Cc: Argus
> Subject: Re: [ARGUS] argus-clients-3.0.7.16 now available
> 
> Hey Dave,
> Thanks !!!!!!
> I'll fix these today / this week.
> 
> I don't get the problems you see with GeoIP.
> If you could do the gdb() thing that would be great, if not, I'll
> need to know machine / OS type, how radium is called, etc.  For
> me to replicate the problem to debug, I'll also need the label
> configuration files you are using.
> 
> I'll look at the Netflow issue, do you expect the output to be:
>   00:00:00:00:00:03
> 
> or would you rather it be:
>   3
> 
> I can make an exception for Netflow data and L2 data types, but
> there isn't a real L2 type of (short int), so I'll have
> to think of what to do to make this exception throughout the
> whole system.
> 
> Carter
> 
> 
> 
> On Sep 28, 2013, at 1:10 PM, David Edelman <dedelman at iname.com> wrote:
> 
>> Carter,
>> 
>> This version looks pretty good. I've been hammering on rasqlinsert and it
>> looks very stable. I have seen two problems:
>> 
>> 1 - If .rarc is set to only translate proto then using :n in ratop and
>> setting the value to all or port does not get the port names to display.
>> Setting it to all will do the hostname translation but not port. If .rarc
>> is set to port, then it all works
>> 2 - If I specify any of the GeoIP labeling options then radium seg faults.
>> I downloaded the latest libraries and data files from MaxMind and rebuilt
>> the clients, but no luck. As far as ldd can tell, I am linked with the
>> correct library. If you need me to, I can do some debugging on this later
>> today.
>> 
>> 
>> A nit, but not really a problem - dmac and smac have the NetFlow port
>> index numbers but it looks like you may be doing hton conversion on the
>> value so the display is a bit odd. I get 00:00:00:00:03:00  for port index
>> 3
>> 
>> 
>> 
>> 
>> --Dave
>> 
>> 
>> 
>> On 9/27/13 3:32 AM, "Carter Bullard" <carter at qosient.com> wrote:
>> 
>>> Gentle people,
>>> New clients are on the development server, which fixes all known bugs,
>>> well, at least the ones that I'm aware of that needed to be fixed.
>>> However, if you download the code, and your problem is not resolved,
>>> please holler, as I'd like to get the code ready for stable release.
>>> 
>>> http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>>> 
>>> 
>>> This version has failed and now passed a large number of memory tests,
>>> as we had a serious stack corruption problem after fixing the big label
>>> merging and processing bugs a few weeks back.
>>> 
>>> Lots of little nits are now working, and of course, filtering and sorting
>>> with -0.0 as a valid value, are now working.
>>> 
>>> I still need to work on ranonymize() performance, and follow up on SQL
>>> database performance issues.
>>> 
>>> And then on to argus-3.0.7.5….
>>> 
>>> Hope all is most excellent, and thanks for all the help !!!!!
>>> 
>>> Carter
>>> 
>>> 
>>> 
> 
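
The mismatch fixed in the patch above (a table entry carrying "%s" for a value that is printed as an integer) can be detected when the table is loaded rather than when a record is printed. This is an added example, not Argus code: the enum, struct and function names are hypothetical, and the two tables are constructed to mirror the before and after lines of the patch.

```c
#include <stdio.h>

/* Hypothetical stand-ins: not the Argus structures or identifiers. */
enum val_type { VAL_STR, VAL_INT };
struct label_field {
    const char   *name;  /* label keyword */
    const char   *fmt;   /* printf conversion stored in the table */
    enum val_type type;  /* C type of the value the printer passes */
};

/* Constructed tables mirroring the patch: metro before and after. */
static const struct label_field before_fix[] =
    { { "city", "%s", VAL_STR }, { "metro", "%s", VAL_INT } };
static const struct label_field after_fix[] =
    { { "city", "%s", VAL_STR }, { "metro", "%d", VAL_INT } };

/* 1 if fmt is exactly one bare conversion that matches the type tag. */
int fmt_matches(const char *fmt, enum val_type type)
{
    if (fmt == NULL || fmt[0] != '%' || fmt[1] == '\0' || fmt[2] != '\0')
        return 0;
    return fmt[1] == (type == VAL_STR ? 's' : 'd');
}

/* Index of the first inconsistent entry, or -1 if the table is sound. */
int check_table(const struct label_field *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!fmt_matches(t[i].fmt, t[i].type))
            return (int)i;
    return -1;
}

/* Writes "name=value,"; refuses bad entries and reports truncation. */
int print_int_field(char *buf, size_t len, const struct label_field *f, int v)
{
    if (f->type != VAL_INT || !fmt_matches(f->fmt, f->type))
        return -1;
    int n = snprintf(buf, len, "%s=%d,", f->name, v);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    char buf[32];
    printf("bad entry before: %d, after: %d\n",
           check_table(before_fix, 2), check_table(after_fix, 2));
    if (print_int_field(buf, sizeof buf, &after_fix[1], 613) > 0) puts(buf);
    return 0;
}
```

Because the conversion used for printing is fixed in the code and the table string is only validated, the compiler's format checking still applies to the one literal format that reaches snprintf.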
