racluster 3.0.6 vs 3.0.8 default aggregation?

David Edelman via Argus-info argus-info at lists.andrew.cmu.edu
Tue Dec 20 16:00:21 EST 2016 

The classic 5-tuple includes the protocol as the third element and that is what's set in the configuration file as well. When you specified the cluster model on the command line you didn't include the proto field.

If I'm not mistaken, since the classic 5-tuple is the default, you don't even need to include it in the configuration file but I've been bitten before and I'm not a big fan of defaults.

--Dave

-----Original Message-----
From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Patrick Forsberg via Argus-info
Sent: Tuesday, December 20, 2016 6:22 AM
To: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] racluster 3.0.6 vs 3.0.8 default aggregation?

On 12/20/2016 10:31 AM, Patrick Forsberg via Argus-info wrote:
> Hi,
> 
> I'm going nuts over aggregation in 3.0.6 and 3.0.8 and realize that I obviously haven't understood a thing.
> 
> Given a simple UDP flow between two hosts
> # ra -X -r /tmp/ratest 
>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
>    09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT
>    09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT
>
> Running 3.0.8 with "-M correct" gives the same result as for 3.0.6
> 
> #  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -M correct -s+trans -r /tmp/ratest
>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
>    09:04:56.941624  e           udp          100.0.1.1.42461    <->          100.0.2.1.59307         2        139   CON      2
> 
> This implies that 3.0.8 doesn't use the classic 5-tuple (what is the classic 5-tuple by the way?) and I thought I was on to something until I tried
> 
> #  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -m saddr daddr sport dport -M correct -s+trans -r /tmp/ratest
>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
>    09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT      1
>    09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT      1
> 
> Now all of a sudden "-M correct" doesn't seem to help in aggregating the records.

Now I've done some tests with racluster.conf and I am not less confused unless there's a bug in here somewhere.

## racluster.conf ##
RACLUSTER_AUTO_CORRECTION=yes
filter=""              model="saddr daddr proto dport sport “
## racluster.conf ##

#  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -r /tmp/ratest  -f racluster.conf -s+trans 
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
   09:04:56.941624  e           udp          100.0.1.1.42461    <->          100.0.2.1.59307         2        139   CON      2

So why does options in racluster.conf work differently from those given on the command line?

/Patrick

More information about the argus mailing list