pcr filtering
Carter Bullard
carter at qosient.com
Thu Apr 24 12:47:20 EDT 2014
Hey CS Lee,
Yep, here is the patch. We’re doing all these signbit() operations,
as we have a number of metrics that need to test for -0.0.
I’ll put up 3.0.7.25 later this week with this patch in.
horus:common carter$ diff argus_filter.c.orig argus_filter.c
203c203
< return ((F == f) ? ((F == 0) ? (signbit(F) == signbit(f)) : 0) : 0);
---
> return ((F == f) ? ((F == 0) ? (signbit(F) == signbit(f)) : 1) : 0);
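Review bot: the equality test at line 203 compares the raw results of signbit(), which C only guarantees to be nonzero for a negative sign, not any particular value; normalise both sides, e.g. `(!signbit(F) == !signbit(f))`, so two negative zeros always compare as equal. The nested ternary is also hard to audit, since the only difference between the old and new line is the 0 versus 1 in the inner else branch; writing it as `(F == f) && ((F != 0) || (!signbit(F) == !signbit(f)))` makes the -0.0 case the single visible exception to plain equality. A one-line comment saying that +0.0 and -0.0 are deliberately treated as different values would help the next reader, and a filter test with 'pcr eq 1' against a record whose pcr is 1.000000 would catch this if it regresses.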
If you could give this a run, that would be great !!!
Carter
On Apr 23, 2014, at 11:54 PM, CS Lee <geek00l at gmail.com> wrote:
> hi Carter,
>
> The filter behaves in an odd way, the "eq" is not working.
>
> ra -nr ssh-file-transfer.arg3 -s saddr daddr pcr
> SrcAddr DstAddr PCRatio
> 192.168.221.1 192.168.221.128 -0.319952
> 192.168.221.1 192.168.221.128 -0.138358
> 192.168.221.1 192.168.221.128 0.814701
> 192.168.221.1 192.168.221.128 0.996873
> 192.168.221.1 192.168.221.128 1.000000
>
> analyzt at nsmon:~/i-Pcaps$ ra -nr ssh-file-transfer.arg3 -s saddr daddr pcr - 'pcr lt 0.5'
> SrcAddr DstAddr PCRatio
> 192.168.221.1 192.168.221.128 -0.319952
> 192.168.221.1 192.168.221.128 -0.138358
>
> analyzt at nsmon:~/i-Pcaps$ ra -nr ssh-file-transfer.arg3 -s saddr daddr pcr - 'pcr eq 1'
>
> ra -b -nr ssh-file-transfer.arg3 -s saddr daddr pcr - 'pcr eq 1'
> (000) ldb hdr[0]
> (001) and #16
> (002) jeq #0x10 jt 3 jf 6
> (003) ldf hdr[216]
> (004) jeq #1.000000 jt 5 jf 6
> (005) ret #150
> (006) ret #0
>
> I have the record with pcr = 1 but it doesn't come out. I tried with other values as well and the result is the same. However, the gte/lte/gt/lt seem to work.
>
>
>
> On Tue, Apr 22, 2014 at 11:32 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey CS Lee, et al.
>
> A new argus-clients-3.0.7.24 is on the server. Available here:
> http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>
> Fixes all the filter issues with pcr, which also affected some
> of the other metadata filters, like rate, load, etc…
> This also has a lot of man page additions.
>
> This version should be good for release. If you find anything
> wrong, please holler !!!!
>
> Thanks !!!
>
> Carter
>
> On Apr 21, 2014, at 6:42 AM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey CS Lee,
>> Yes, I have a fix in the 24 code, just haven't had a chance to push it up. My fault, should get something up, hopefully today/tonight !!!
>>
>> Carter
>>
>> On Apr 19, 2014, at 10:20 AM, CS Lee <geek00l at gmail.com> wrote:
>>
>>> hi Carter,
>>>
>>> I think I encountered the same issue as jess regarding pcr filtering -
>>>
>>> ra -nr test.arg3 -s saddr daddr pcr - 'pcr lt 0.5'
>>> SrcAddr DstAddr PCRatio
>>> 192.168.221.1 192.168.221.128 -0.319952
>>> 192.168.221.1 192.168.221.128 -0.138358
>>> 192.168.221.1 192.168.221.128 0.814701
>>> 192.168.221.1 192.168.221.128 0.996873
>>> 192.168.221.1 192.168.221.128 1.000000
>>>
>>> ra -b -nr test.arg3 -s saddr daddr pcr - 'pcr lt 0.5'
>>> (000) ldb hdr[0]
>>> (001) and #16
>>> (002) jeq #0x10 jt 3 jf 6
>>> (003) ldf hdr[360]
>>> (004) jge #0.500000 jt 6 jf 5
>>> (005) ret #150
>>> (006) ret #0
>>>
>>> Non-matching flows also show up in the filter. By the way, I'm using argus client 3.0.7.23 on Ubuntu Linux.
>>>
>>>
>>> --
>>> Best Regards,
>>>
>>> CS Lee<geek00L[at]gmail.com>
>>>
>>> http://geek00l.blogspot.com
>>> http://defcraft.com.my
>
>
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net