[ARGUS] Question about merging flows (racluster) and effect of srcid

[Patrick Forsberg]

On 2021-02-12 15:01, Carter Bullard wrote:

> Hey Patrick,
> Here is a fix for the racluster issue … the mod set "rather than being clever as to when to do the reverse search, just do it anyway.”
> So in racluster.c, remove the logic to set parser->ArgusReverse and replace with “parser->ArgusReverse = 1;”.  I provided a diff below.
>
> With this change to ./clients/racluster.c , you’ll need to call it as you were:
>
>    racluster -m saddr daddr proto sport sport -M correct -r the.two.files.out
>
> And all should be good ...
> Carter

Thanks, that fixed the command line vs config file discrepancy.
But without rasort, the order of the input files still affects the
apparent direction of the flow. I still have src/dst to tell me that
it's probably wrong when the flow is src <- dst (unless it's a flow that
started in a previous set of files)

I just might run rasort first, it just takes longer to finish
aggregation that way.

/Patrick

>
> diff --git a/clients/racluster.c b/clients/racluster.c
> index 506fdcd..1422236 100644
> --- a/clients/racluster.c
> +++ b/clients/racluster.c
> @@ -129,10 +129,7 @@ ArgusClientInit (struct ArgusParserStruct *parser)
>           }
>        }
>  
> -      if ((parser->ArgusMaskList) == NULL)
> -         parser->ArgusReverse = 1;
> -      else
> -         parser->ArgusReverse = 0;
> +      parser->ArgusReverse = 1;
>  
>        if (parser->ArgusFlowModelFile) {
>           if ((parser->ArgusAggregator = ArgusParseAggregator(parser, parser->ArgusFlowModelFile, NULL)) == NULL)
>
>
>
>> On Feb 12, 2021, at 3:12 AM, Patrick Forsberg <fors at chalmers.se> wrote:
>>
>> On 2021-02-11 22:07, Carter Bullard wrote:
>>
>>> If you were to racluster this group with “-m saddr daddr proto sport
>>> dport”  it should stitch them together correctly … regardless of sort ...
>>> If not,  if you wanted to share just these 6 flow records, I’d be
>>> happy to check it out …
>>> Carter
>>>
>>>