Argus on FreeBSD

Monah Baki monahbaki at gmail.com
Tue Jul 4 13:14:54 EDT 2017


root@devsrvr:/usr/local/argus/sbin #   ./radium -XD 4 -S localhost:562 -P 561
     ArgusInfo: 04 Jul 17 13:14:01.449596 connect from localhost


On Tue, Jul 4, 2017 at 1:12 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Monah,
> Seems like it's not either in this case.  I suspect either a firewall rule
> or a tcp_wrappers issue.
> You can run radium with -D4 and not the “-d” and let radium tell you what
> is going on ???
>
>    ./radium -XD 4 -S localhost:562 -P 561
>
> Carter
>
> On Jul 4, 2017, at 1:08 PM, Monah Baki <monahbaki at gmail.com> wrote:
>
> root@devsrvr:/usr/local/argus/bin # cat /etc/radium.conf
> RADIUM_CLASSIFIER_FILE=/etc/ralabel.conf
>
>
> Added the -X per your request, no luck.
>
> root@devsrvr:/usr/local/argus/bin # ps -ax
> 59324  -  Ss      0:00.39 ./radium -XS localhost:562 -P 561 -d
> 59241  0  S       0:01.43 ./argus -s -m -U 256 -i em0 -P 562 -d
>
>
> No results while running, but still getting results on 562
>  ./ratop -S localhost:561 -s time saddr sport daddr dport sco dco suser:45 duser:30
>
> Monah
>
> On Tue, Jul 4, 2017 at 1:00 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Sure there isn’t an /etc/radium.conf file ??
>> Just to be sure, try putting a ‘X’ as the first argument to radium.
>>
>>    ./radium -XS localhost:562 -P 561 -d
>>
>> Carter
>>
>> On Jul 4, 2017, at 12:31 PM, Monah Baki <monahbaki at gmail.com> wrote:
>>
>> Hi Carter,
>>
>> This is what I am running (argus, radium and ratop) on the freebsd
>> locally:
>>
>>  ./argus -s -m -U 256 -i em0 -P 562 -d
>>  ./radium -S localhost:562 -P 561 -d
>>
>> Now if I run on the freebsd locally:
>>  ./ratop -S localhost:562
>> I get results
>>
>> Else if I run
>>  ./ratop -S localhost:561
>> No results
>>
>> Also if I run:
>> ./ratop -S 192.168.1.253:561
>> No results
>>
>> I get none
>>
>> Thanks
>> Monah
>>
>>
>> On Tue, Jul 4, 2017 at 11:53 AM, Carter Bullard <carter at qosient.com>
>> wrote:
>>
>>> You need to BIND to localhost, if you want to access via localhost.  If
>>> BIND is to a specific address, you’ll need to “-S” to the address.  If you
>>> want to access from localhost and the specific IP address, don’t use BIND …
>>> use a firewall to control who can get to argus or radium.  With radium and
>>> argus running together, usually argus BINDS to localhost, so anything
>>> external to the machine has to go through radium.
>>>
>>> The v6 vs v4 shouldn't really be an issue, both argus and radium put
>>> a “generic” listen down on the port (layer 4), which the os can
>>> support on any transport layer it likes (layer 3), so either v4 or v6 works
>>> fine.
>>>
>>> All clients will try both v6 and v4 when they try to get a connection,
>>> this is controlled by the os, so it shouldn’t matter.
>>>
>>> Hope all is most excellent,
>>> Carter
>>>
>>>
>>> On Jul 4, 2017, at 11:38 AM, Monah Baki <monahbaki at gmail.com> wrote:
>>>
>>> root     radium     49424 3  tcp6   *:561                 *:*
>>>
>>>
>>> On Tue, Jul 4, 2017 at 11:37 AM, mike tancsa <mike at sentex.ca> wrote:
>>>
>>>>
>>>> Try
>>>> sockstat | grep 561
>>>>
>>>> to see what is bound on port 561 as it does not seem to be argus
>>>>
>>>>         ---Mike
>>>>
>>>> On 7/4/2017 11:29 AM, Monah Baki wrote:
>>>> > root     argus      49407 3  tcp4   192.168.1.253:562     *:*
>>>> > root     argus      49407 6  udp4   *:*                   *:*
>>>> > root     argus      49407 7  tcp4   192.168.1.253:562     192.168.1.253:40196
>>>> >
>>>> >
>>>> > In my argus.conf, I did specify the IP address to bind to.
>>>> > ARGUS_BIND_IP="192.168.1.253"
>>>> >
>>>> >
>>>> >
>>>> > Thanks
>>>> > Monah
>>>> >
>>>> > On Tue, Jul 4, 2017 at 11:07 AM, Mike Tancsa <mike at sentex.net> wrote:
>>>> >
>>>> >     On 7/3/2017 11:42 AM, Monah Baki wrote:
>>>> >     >
>>>> >     > Compiled yesterday argus 3.0.8.2 on FreeBSD 10.3-RELEASE-p18. I noticed
>>>> >     > that running:
>>>> >     >
>>>> >     > netstat -an
>>>> >     > tcp4       0      0 *.562
>>>> >     > tcp6       0      0 *.561
>>>> >
>>>> >     > Is it possible that tcp6 might be the issue, not sure why it's running
>>>> >     > on tcp6 when in my rc.conf I have the following:
>>>> >     I usually tell it to bind to a specific IP in my argus config to make it
>>>> >     more predictable. But what does
>>>> >
>>>> >     sockstat | grep argus
>>>> >
>>>> >     show ?
>>>> >
>>>> >             ---Mike
>>>> >
>>>> >
>>>> >     --
>>>> >     -------------------
>>>> >     Mike Tancsa, tel +1 519 651 3400
>>>> >     Sentex Communications, mike at sentex.net
>>>> >     Providing Internet services since 1994 www.sentex.net
>>>> >     Cambridge, Ontario Canada   http://www.tancsa.com/
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>
>>
>
>
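
The bind-scope question discussed in this thread can be read directly from `sockstat` output. The following is an added example, not part of the thread or of the Argus project: the function names `listener_scope` and `accepts_v4` are hypothetical, and the sample input is constructed from the sockstat lines quoted above. It assumes FreeBSD's `sockstat` column layout, where `tcp46` marks a dual-stack socket.

```shell
#!/bin/sh
# Added example: classify TCP listeners in sockstat output by bind scope.
# SAMPLE is constructed from the sockstat lines quoted in the thread.
SAMPLE='root     argus      49407 3  tcp4   192.168.1.253:562     *:*
root     argus      49407 6  udp4   *:*                   *:*
root     argus      49407 7  tcp4   192.168.1.253:562     192.168.1.253:40196
root     radium     49424 3  tcp6   *:561                 *:*'

# listener_scope PORT   (sockstat text on stdin)
# Prints "command proto address scope" for every TCP listener on PORT.
# A listener is a socket whose foreign address column is "*:*".
listener_scope() {
    awk -v port="$1" '
    $5 ~ /^tcp/ && $7 == "*:*" {
        n = split($6, a, ":")            # port is the last ":"-separated field
        if (a[n] != port) next
        addr = substr($6, 1, length($6) - length(a[n]) - 1)
        if (addr == "*")                                scope = "any"
        else if (addr == "127.0.0.1" || addr == "::1") scope = "loopback"
        else                                            scope = "address"
        print $2, $5, addr, scope
    }'
}

# accepts_v4 PORT ADDR   (sockstat text on stdin)
# Succeeds if some listener on PORT would accept an IPv4 connection to ADDR:
# the socket must be tcp4 or tcp46, bound to the wildcard or to ADDR itself.
accepts_v4() {
    listener_scope "$1" | awk -v want="$2" '
    ($2 == "tcp4" || $2 == "tcp46") && ($3 == "*" || $3 == want) { ok = 1 }
    END { exit !ok }'
}

# Show the classification for both ports seen in the thread.
printf '%s\n' "$SAMPLE" | listener_scope 562
printf '%s\n' "$SAMPLE" | listener_scope 561
```

On a live host, pipe `sockstat -l` into the functions in place of the constructed sample.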