racluster 3.0.6 vs 3.0.8 default aggregation?

Patrick Forsberg via Argus-info argus-info at lists.andrew.cmu.edu
Wed Dec 21 04:02:22 EST 2016

On 12/20/2016 04:38 PM, Carter Bullard wrote:
> Hey Patrick,
> Try argus-clients-3.0.8.2, which is the latest version.
> 
> You aren’t going too crazy … 3.0.6 is correct, 3.0.8 is also correct, in that it does aggregate correctly, but testing reverse flow directions is not the default.   I believe that that was changed back in argus-clients-3.0.8.2.   Add “proto” to the mask definition in your last call, as the ports don’t really decode properly if we’ve thrown out the proto field.
> 
> Carter

There's no difference between 3.0.8 and 3.0.8.2 as far as I can see.

Without -M correct there is no reverse flow matching:

# /usr/local/src/Argus/argus-clients-3.0.8.2/bin/racluster -X -m saddr daddr proto sport dport -s+trans -r /tmp/ratest
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
   09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT      1
   09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT      1

With -M correct there also does not seem to be reverse flow matching, which is odd.

# /usr/local/src/Argus/argus-clients-3.0.8.2/bin/racluster -X -m saddr daddr proto sport dport -M correct -s+trans -r /tmp/ratest
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
   09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT      1
   09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT      1

Finally, I run it with racluster.conf, and as I have understood things this is the same as the above command line, but now it works as I expect.

#### racluster.conf ####
RACLUSTER_AUTO_CORRECTION=yes
filter=""              model="saddr daddr proto dport sport"
########################

# /usr/local/src/Argus/argus-clients-3.0.8.2/bin/racluster -X -f /tmp/racluster.conf -s+trans -r /tmp/ratest
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
   09:04:56.941624  e           udp          100.0.1.1.42461    <->          100.0.2.1.59307         2        139   CON      2


> 
>> On Dec 20, 2016, at 4:31 AM, Patrick Forsberg via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>
>> Hi,
>>
>> I'm going nuts over aggregation in 3.0.6 and 3.0.8 and realize that I obviously haven't understood a thing.
>>
>> Given a simple UDP flow between two hosts
>> # ra -X -r /tmp/ratest 
>>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
>>   09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT
>>   09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT
>>
>> Simply running racluster with no configuration files (-X) gives different results on 3.0.6 and 3.0.8
>>
>> #  /usr/local/src/Argus/argus-clients-3.0.6/bin/racluster -X -s+trans -r /tmp/ratest
>>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
>>   09:04:56.941624  e           udp          100.0.1.1.42461    <->          100.0.2.1.59307         2        139   CON      2
>>
>> #  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -s+trans -r /tmp/ratest
>>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
>>   09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT      1
>>   09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT      1
>>
>> It seems that 3.0.6 has the "expected behavior" for me.
>>
>> Running 3.0.8 with "-M correct" gives the same result as for 3.0.6
>>
>> #  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -M correct -s+trans -r /tmp/ratest
>>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
>>   09:04:56.941624  e           udp          100.0.1.1.42461    <->          100.0.2.1.59307         2        139   CON      2
>>
>> This implies that 3.0.8 doesn't use the classic 5-tuple (what is the classic 5-tuple by the way?) and I thought I was on to something until I tried
>>
>> #  /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -m saddr daddr sport dport -M correct -s+trans -r /tmp/ratest
>>         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  Trans 
>>   09:04:56.941624  e           udp          100.0.1.1.42461     ->          100.0.2.1.59307         1         77   INT      1
>>   09:04:57.064776  e           udp          100.0.2.1.59307     ->          100.0.1.1.42461         1         62   INT      1
>>
>> Now all of a sudden "-M correct" doesn't seem to help in aggregating the records.
>>
>> What am I missing here?
>>
>> /Patrick
>>
> 
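The aggregation behaviour the thread is comparing, written out as an added example (this is not Argus or racluster code): records are keyed on the fields named in the mask, and "correction" additionally tests the key with source and destination swapped, so the reverse UDP record merges into the forward one. The record values are constructed from the two ra lines quoted above; the State column is simplified to CON for a matched pair and INT otherwise, which is an assumption about the display, not Argus semantics.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    start: str
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    bytes_: int
    direction: str = "->"
    trans: int = 1

    @property
    def state(self) -> str:
        # Simplified: a record that absorbed its reverse direction shows CON.
        return "CON" if self.direction == "<->" else "INT"

# Constructed from the two records in the quoted `ra -X -r /tmp/ratest` output.
RECORDS = [
    Flow("09:04:56.941624", "udp", "100.0.1.1", 42461, "100.0.2.1", 59307, 1, 77),
    Flow("09:04:57.064776", "udp", "100.0.2.1", 59307, "100.0.1.1", 42461, 1, 62),
]

# Fields that change places when the flow is read in the opposite direction.
REVERSE = {"saddr": "daddr", "daddr": "saddr", "sport": "dport", "dport": "sport"}

def key_for(flow: Flow, mask: list, reverse: bool = False) -> tuple:
    """Aggregation key: the mask fields, optionally taken from the reversed flow."""
    return tuple(getattr(flow, REVERSE.get(f, f) if reverse else f) for f in mask)

def racluster(records: list, mask: list, correct: bool = False) -> list:
    """Merge records sharing a mask key; with correct=True also match the reverse key."""
    table = {}  # key -> aggregated Flow, in first-seen order
    for rec in records:
        fwd, rev = key_for(rec, mask), key_for(rec, mask, reverse=True)
        if fwd in table:
            agg, flipped = table[fwd], False
        elif correct and rev in table:
            agg, flipped = table[rev], True
        else:
            table[fwd] = Flow(**vars(rec))  # new bucket holds a copy
            continue
        agg.pkts += rec.pkts
        agg.bytes_ += rec.bytes_
        agg.trans += rec.trans
        if flipped:
            agg.direction = "<->"
    return list(table.values())
```

Calling `racluster(RECORDS, ["saddr", "daddr", "proto", "sport", "dport"])` yields the two one-packet `->` records; passing `correct=True` yields the single `<->` record with 2 packets, 139 bytes and 2 transactions, matching the 3.0.6 and racluster.conf outputs in the thread.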