[ARGUS] argus-clients JSON output
Carter Bullard
carter at qosient.com
Sat Aug 28 19:41:06 EDT 2021
Hey Darren,
If you chroot, the /dev/ filesystem doesn’t exist in your new rooted filesystem and would be unreachable, so you won’t be able to open anything.
Argus normally doesn’t chroot until it has opened everything, if the chroot and the interface definitions are in the same argus.conf file … order does matter, so if you have an argus.conf file in, say, /etc that chroots, then the interface definitions on the command line or in subsequent argus.conf files will fail … at least that is how it is designed to work …
Use the -D option to see when argus chroots, compared to when it attempts to open the interfaces ...
Carter
> On Aug 28, 2021, at 4:03 AM, Darren S. <phatbuckett at gmail.com> wrote:
>
> On Fri, Aug 27, 2021 at 12:06 AM Darren S. <phatbuckett at gmail.com> wrote:
>>
>> OpenBSD 6.9 amd64
>> argus-3.0.8.2 (argus-3.0.8.2p2 OS package)
>> argus-clients-3.0.8.3
>>
>> I'm interested in leveraging future JSON output from argus-clients to
>> support a streaming analytics workflow, and noted that
>> argus-clients-3.0.8.3 was in need of testing [1].
>>
>> argus-clients build commands:
>>
>> ./configure --prefix=/usr/argus --with-libft=yes --without-mysql --without-GeoIP --without-sasl
>> make CCOPT="-I/usr/local/include" COMPATLIB="-lm -lz -L/usr/local/lib -lft"
>>
>> With these options I got a partially successful build, enough to
>> produce an ra(1) binary to test. (The complete output of the build is
>> at [2], if there are suggestions to complete a build without error. I
>> could have botched the options passed to configure script or make,
>> just trying to mimic the OS port [3]).
>>
>> I did a little basic testing with ra(1) and got JSON output as expected:
>>
>> $ /usr/argus/bin/ra -M json -nr test.argus -- 'dst port 443'
>> { "type":"flow","stime":"06:01:03.612223","flgs":" e ","proto":"tcp","saddr":"x.x.97.55","sport":46984,"dir":"<?>","daddr":"44.234.221.91","dport":443,"pkts":"4","bytes":"295","state":"FIN"}
>> { "type":"flow","stime":"06:01:03.616187","flgs":" e ","proto":"tcp","saddr":"x.x.97.55","sport":23157,"dir":" ->","daddr":"44.234.221.91","dport":443,"pkts":"17","bytes":"9322","state":"CON"}
>> { "type":"flow","stime":"06:01:08.991243","flgs":" e ","proto":"tcp","saddr":"x.x.97.55","sport":23157,"dir":" ->","daddr":"44.234.221.91","dport":443,"pkts":"7","bytes":"4114","state":"CON"}
>> { "type":"flow","stime":"06:01:14.546578","flgs":" e ","proto":"tcp","saddr":"x.x.97.55","sport":5862,"dir":" ->","daddr":"44.234.221.91","dport":443,"pkts":"20","bytes":"11358","state":"CON"}
>> { "type":"flow","stime":"06:01:15.087293","flgs":" e ","proto":"tcp","saddr":"162.142.125.20","sport":50643,"dir":" ->","daddr":"x.x.97.55","dport":443,"pkts":"1","bytes":"58","state":"REQ"}
>>
>> ...and validated that it loaded/parsed correctly in jq(1), as an
>> example. If I'm not mistaken, the output of 'ra --help' doesn't yet
>> document the 'json' option. There's an unexpected space after the
>> opening '{' of the record. This seems promising!
>>
>> [1] https://qosient.com/argus/src/argus-clients-3.0.8.3.tar.gz
>> [2] https://pastebin.com/raw/0uGTR7iv
>> [3] https://github.com/openbsd/ports/blob/master/net/argus-clients/Makefile
>
> Further details:
>
> ### /etc/argus.conf
> ARGUS_FLOW_TYPE=Bidirectional
> ARGUS_FLOW_KEY=CLASSIC_5_TUPLE
> ARGUS_DAEMON=yes
> ARGUS_MONITOR_ID=`hostname` // IPv4 address returned
> ARGUS_ACCESS_PORT=561
> ARGUS_BIND_IP="::1,127.0.0.1"
> ARGUS_INTERFACE=vio0
> ARGUS_GO_PROMISCUOUS=yes
> #ARGUS_CHROOT_DIR=/var/empty
> ARGUS_SETUSER_ID=_argus
> ARGUS_SETGROUP_ID=_argus
> ARGUS_SET_PID=no
> ARGUS_FLOW_STATUS_INTERVAL=5
> ARGUS_MAR_STATUS_INTERVAL=300
> #ARGUS_IP_TIMEOUT=30
> #ARGUS_TCP_TIMEOUT=60
> #ARGUS_ICMP_TIMEOUT=5
> #ARGUS_IGMP_TIMEOUT=30
> #ARGUS_FRAG_TIMEOUT=5
> #ARGUS_ARP_TIMEOUT=5
> #ARGUS_OTHER_TIMEOUT=30
> #ARGUS_DEBUG_LEVEL=0
> ARGUS_GENERATE_TCP_PERF_METRIC=no
> #ARGUS_FILTER=""
>
> The failure initially described (ArgusOpenInterface vio0: (cannot open BPF device): No such file or directory)
> occurs when ARGUS_CHROOT_DIR=/var/empty is activated. When this option is not set, argus runs without issue.
> Does opening the BPF device fail when chroot'd?
>
> --
> Darren Spruell
> phatbuckett at gmail.com
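An added example (constructed here, not argus or argus-clients code) for the streaming-analytics use Darren describes: a small Python reader for `ra -M json` lines that tolerates the quirks visible in the quoted output (the space after `{`, counters emitted as strings, padded `flgs`/`dir` values) and skips a record that arrives broken across lines instead of aborting the stream. The sample records are built from the output quoted above; the exact padding width in `flgs` and `dir` is an assumption, so the values are simply stripped.

```python
import json

# Constructed sample in the shape of the `ra -M json` output quoted above: two
# whole records, then one record broken across two lines the way the mail
# client wrapped it (a stream reader should skip such lines, not abort).
SAMPLE_RA_JSON = """\
{ "type":"flow","stime":"06:01:03.612223","flgs":" e ","proto":"tcp","saddr":"x.x.97.55","sport":46984,"dir":"<?>","daddr":"44.234.221.91","dport":443,"pkts":"4","bytes":"295","state":"FIN"}
{ "type":"flow","stime":"06:01:15.087293","flgs":" e ","proto":"tcp","saddr":"162.142.125.20","sport":50643,"dir":" ->","daddr":"x.x.97.55","dport":443,"pkts":"1","bytes":"58","state":"REQ"}
{ "type":"flow","stime":"06:01:03.616187","flgs":" e
","proto":"tcp","saddr":"x.x.97.55","sport":23157,"dir":" ->","daddr":"44.234.221.91","dport":443,"pkts":"17","bytes":"9322","state":"CON"}
"""

# Fields ra emits as quoted strings (or bare ints) that analytics want as ints.
COUNTER_FIELDS = ("sport", "dport", "pkts", "bytes")

def normalize_record(raw):
    # Coerce counters to int; strip the padding ra puts in flgs/dir (the
    # exact padding width is an assumption, stripping handles any width).
    rec = dict(raw)
    for key in COUNTER_FIELDS:
        if isinstance(rec.get(key), str):
            rec[key] = int(rec[key])
    for key in ("flgs", "dir"):
        if isinstance(rec.get(key), str):
            rec[key] = rec[key].strip()
    return rec

def parse_stream(text):
    # One JSON record per line; returns (flow records, lines skipped).
    flows, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()  # also absorbs the stray space after '{'
        if not line:
            continue
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # wrapped or truncated record: count it, move on
            continue
        if raw.get("type") == "flow":
            flows.append(normalize_record(raw))
    return flows, skipped

def summarize(text):
    # Bytes per destination port, plus REQ-state flows (request seen, no reply).
    bytes_by_dport, unanswered = {}, []
    for rec in parse_stream(text)[0]:
        bytes_by_dport[rec["dport"]] = bytes_by_dport.get(rec["dport"], 0) + rec["bytes"]
        if rec["state"] == "REQ":
            unanswered.append((rec["saddr"], rec["daddr"], rec["dport"]))
    return {"bytes_by_dport": bytes_by_dport, "unanswered_reqs": unanswered}
```

Feed it `ra -M json ... | python3 reader.py` style line-by-line input in practice; the skipped counter is worth alerting on, since a non-zero value means records are being lost between ra and the analytics stage.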