BUG: ra output extra delimiter char for isis traffic
elof2 at sentor.se
Thu Apr 13 10:49:27 EDT 2017
Hi Carter!
Bug report:
Today my argus sensor started seeing isis packets in its monitored
traffic.
This made my ra cronjob constantly fail, since it suddenly received more
output columns than expected.
I narrowed it down to this:
When you use the -c option to 'ra'
AND
you print the "dport" field
AND
your argus logfile contains isis traffic
then 'ra' erroneously adds an extra delimiter char after the dport value.
Example:
ra -c ',' -nr /usr/sentor/48h/argus-20170413.1341.log -s stime proto dport smac dmac saddr daddr | grep -C2 'isis' | head -5
13:36:40.251669,udp,53,00:15:5d:01:22:02,00:00:5e:00:01:17,10.10.10.10,222.222.222.222
13:36:40.251739,udp,53,0c:c4:7a:59:32:62,02:e0:52:3d:5e:01,111.111.111.111,222.222.222.222
13:36:40.257987,isis,0x74ba,,74:8e:f8:a9:e9:83,09:00:2b:00:00:05,748e.f8a9.c540.00-00,0x7f650000
13:36:40.259831,tcp,58918,dc:4a:3e:77:56:2c,00:00:5e:00:01:09,10.11.11.11,10.100.100.100
13:36:40.262557,tcp,443,dc:4a:3e:77:56:2c,00:00:5e:00:01:09,10.22.22.22,55.55.55.55
See the third column in the middle line: it says "0x74ba," instead of
"0x74ba".
This makes this line #3 contain 8 columns while lines #1, #2, #4 and #5
contain 7 columns.
Other protocols are printed just fine; only isis seems to be affected.
Ra Version 3.0.8.2 on FreeBSD 10.3 amd64
My temporary workaround is now to filter out this traffic from entering
the argus logfile in the first place:
/etc/argus.conf:
ARGUS_FILTER="not ether dst 09:00:2b:00:00:05"
/Elof
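A defensive parser for the cronjob side, as an added example that is not part of Elof's report or the argus project: it validates the column count of `ra -c` output against the requested field list and collapses the spurious empty field that follows `dport` on isis rows, so one malformed line is logged instead of breaking the whole job. The sample rows are constructed from the lines quoted above; the field list and the one-column-too-long rule are assumptions of this example.

```python
# Fields requested with `ra -s ...` in the report; the output is expected to
# have exactly one column per field.
FIELDS = ["stime", "proto", "dport", "smac", "dmac", "saddr", "daddr"]

# Constructed sample of `ra -c ','` output: the isis row carries an extra
# delimiter after dport and therefore has 8 columns instead of 7.
SAMPLE = """13:36:40.251669,udp,53,00:15:5d:01:22:02,00:00:5e:00:01:17,10.10.10.10,222.222.222.222
13:36:40.257987,isis,0x74ba,,74:8e:f8:a9:e9:83,09:00:2b:00:00:05,748e.f8a9.c540.00-00,0x7f650000
13:36:40.259831,tcp,58918,dc:4a:3e:77:56:2c,00:00:5e:00:01:09,10.11.11.11,10.100.100.100
"""


def parse_ra_line(line, fields=FIELDS, delim=","):
    """Return (record, warning). record is None when the row is unusable."""
    cols = line.rstrip("\n").split(delim)
    if len(cols) == len(fields):
        return dict(zip(fields, cols)), None
    # Known quirk from the report: an empty column right after dport. Only
    # collapse it when the row is exactly one column too long and that extra
    # column is empty; anything else is reported, not silently repaired.
    if "dport" in fields:
        dport_idx = fields.index("dport")
        if len(cols) == len(fields) + 1 and cols[dport_idx + 1] == "":
            del cols[dport_idx + 1]
            return dict(zip(fields, cols)), "collapsed extra delimiter after dport"
    return None, "expected %d columns, got %d" % (len(fields), len(cols))


def parse_ra_output(text, fields=FIELDS, delim=","):
    """Parse all rows; collect (lineno, proto, message) for anomalies."""
    records, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec, warn = parse_ra_line(line, fields, delim)
        if rec is not None:
            records.append(rec)
        if warn:
            warnings.append((lineno, rec["proto"] if rec else None, warn))
    return records, warnings


if __name__ == "__main__":
    recs, warns = parse_ra_output(SAMPLE)
    for w in warns:
        print("line %d (%s): %s" % w)
    print("%d records parsed" % len(recs))
```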