[ARGUS] Question about merging flows (racluster) and effect of srcid

[Carter Bullard]

Hey Patrick,
Here is a fix for the racluster issue … the mod set "rather than being clever as to when to do the reverse search, just do it anyway.”
So in racluster.c, remove the logic to set parser->ArgusReverse and replace with “parser->ArgusReverse = 1;”.  I provided a diff below.

With this change to ./clients/racluster.c , you’ll need to call it as you were:

   racluster -m saddr daddr proto sport sport -M correct -r the.two.files.out

And all should be good ...
Carter

diff --git a/clients/racluster.c b/clients/racluster.c
index 506fdcd..1422236 100644
--- a/clients/racluster.c
+++ b/clients/racluster.c
@@ -129,10 +129,7 @@ ArgusClientInit (struct ArgusParserStruct *parser)
          }
       }
 
-      if ((parser->ArgusMaskList) == NULL)
-         parser->ArgusReverse = 1;
-      else
-         parser->ArgusReverse = 0;
+      parser->ArgusReverse = 1;
 
       if (parser->ArgusFlowModelFile) {
          if ((parser->ArgusAggregator = ArgusParseAggregator(parser, parser->ArgusFlowModelFile, NULL)) == NULL)



> On Feb 12, 2021, at 3:12 AM, Patrick Forsberg <fors at chalmers.se> wrote:
> 
> On 2021-02-11 22:07, Carter Bullard wrote:
> 
>> If you were to racluster this group with “-m saddr daddr proto sport
>> dport”  it should stitch them together correctly … regardless of sort ...
>> If not,  if you wanted to share just these 6 flow records, I’d be
>> happy to check it out …
>> Carter
>> 
>>