[ARGUS] github version of argus 3.x not working on FreeBSD tun interfaces
mike tancsa
mike at sentex.ca
Mon Dec 18 15:45:38 EST 2023
And confirming with head and debug enabled, I see in the logs with debug =1
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.105415 ArgusInitSource(0x8349d2bc0) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.106789 ArgusOpenInterface(0x834ed3b40, 'tun88')
returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.106802 ArgusInitSource: no packet sources for this
device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.106807 ArgusInitSource(0x834ed3b40) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.108136 ArgusOpenInterface(0x8353d4c00, 'tun151')
returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.108149 ArgusInitSource: no packet sources for this
device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.108157 ArgusInitSource(0x8353d4c00) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.109505 ArgusOpenInterface(0x8367fe500, 'tun86')
returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.109518 ArgusInitSource: no packet sources for this
device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.109526 ArgusInitSource(0x8367fe500) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.110861 ArgusOpenInterface(0x836cffb40, 'tun94')
returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.110873 ArgusInitSource: no packet sources for this
device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.110881 ArgusInitSource(0x836cffb40) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.112229 ArgusOpenInterface(0x837200140, 'tun85')
returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.112242 ArgusInitSource: no packet sources for this
device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.112248 ArgusInitSource(0x837200140) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.113605 ArgusOpenInterface(0x8377016c0, 'ipsec3')
returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.113617 ArgusInitSource: no packet sources for this
device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.113623 ArgusInitSource(0x8377016c0) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.114988 ArgusOpenInterface(0x838a4ba00, 'ipsec2')
returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.115001 ArgusInitSource: no packet sources for this
device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.115007 ArgusInitSource(0x838a4ba00) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.116370 ArgusOpenInterface(0x838f4c280, 'ipsec1')
returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.116382 ArgusInitSource: no packet sources for this
device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.116387 ArgusInitSource(0x838f4c280) returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.117765 ArgusOpenInterface(0x83944dac0, 'igb1')
returning 1
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.118164 ArgusInitModeler(0x82cc53880) done
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.118174 ArgusInitSource(0x83944dac0) returning 1
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00d5d22608000000]:
18 Dec 23 15:43:15.118223 setArgusInterfaceStatus(0x83944dac0, 1)
Dec 18 15:43:15 collector13 argus[42005]: ArgusGetInterfaceStatus:
interface igb1 is up
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00d5d22608000000]:
18 Dec 23 15:43:15.118292 ArgusGetPackets: interface igb1 is selectable
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00d5d22608000000]:
18 Dec 23 15:43:15.118298 setArgusInterfaceStatus(0x83944dac0, 1)
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00d5d22608000000]:
18 Dec 23 15:43:15.118303 setArgusInterfaceStatus(0x83944dac0, 0)
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.119530 ArgusOpenInterface(0x83994e680, 'igb0')
returning 1
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.119741 ArgusInitModeler(0x82df03500) done
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]:
18 Dec 23 15:43:15.119748 ArgusInitSource(0x83994e680) returning 1
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00dcd22608000000]:
18 Dec 23 15:43:15.119775 setArgusInterfaceStatus(0x83994e680, 1)
On 12/18/2023 3:35 PM, mike tancsa wrote:
>
> If I
>
> git reset --hard bcf80f24efe5099404b39da9534ec821961b7e03
>
> that version seems to work correctly with tun interfaces
>
> ---Mike
>
> On 12/18/2023 3:07 PM, mike tancsa wrote:
>>
>> Hi Carter et al,
>>
>> I was trying the new version of argus 3.x from github and ran
>> into a problem with FreeBSD 12 and 13. For some reason, it no longer
>> is able to bind to a tun interface, only ethernet interfaces.
>>
>> Using a simple test config
>>
>> ARGUS_FLOW_TYPE="Bidirectional"
>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>> ARGUS_MONITOR_ID=127.0.0.1
>> ARGUS_INTERFACE=tun97
>> ARGUS_OUTPUT_FILE=/var/log/argus/argus-test.out
>> ARGUS_DEBUG_LEVEL=9
>>
>> fails on FreeBSD 12 and 13.
>>
>> Running it through truss, the last bits are below. Not sure if that
>> helps or not. Any idea what might be up?
>>
>> ---Mike
>>
>>
>> R1|SIGUSR2 },{ }) = 0 (0x0)
>> sigaction(SIGTERM,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{
>> SIG_DFL SA_RESTART ss_t }) = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{
>> SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUS
>> R1|SIGUSR2 },{ }) = 0 (0x0)
>> sigaction(SIGUSR1,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{
>> SIG_DFL 0x0 ss_t }) = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{
>> SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2
>> },{ }) = 0 (0x0)
>> sigaction(SIGUSR2,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{
>> SIG_DFL 0x0 ss_t }) = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
>> getpid() = 25636 (0x6424)
>> access("/etc/localtime",R_OK) = 0 (0x0)
>> open("/etc/localtime",O_RDONLY,012342134) = 4 (0x4)
>> fstat(4,{ mode=-r--r--r-- ,inode=229825,size=3477,blksize=4096 }) = 0
>> (0x0)
>> read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3477 (0xd95)
>> close(4) = 0 (0x0)
>> issetugid() = 0 (0x0)
>> open("/usr/share/zoneinfo/posixrules",O_RDONLY,00) = 4 (0x4)
>> fstat(4,{ mode=-r--r--r-- ,inode=229824,size=3535,blksize=4096 }) = 0
>> (0x0)
>> mmap(0x0,53248,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) =
>> 34381910016 (0x801525000)
>> read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3535 (0xdcf)
>> close(4) = 0 (0x0)
>> ArgusAlert: argus[25636.00307c0008000000]: 18 Dec 23
>> 15:01:09.591885 started
>> write(2," ArgusAlert: argus[25636.0030"...,81) = 81 (0x51)
>> mmap(0x0,5246976,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) =
>> 34381963264 (0x801532000)
>> openat(AT_FDCWD,"/dev/bpf",O_RDWR,00) = 4 (0x4)
>> ioctl(4,BIOCVERSION,0x7fffffffdc18) = 0 (0x0)
>> __sysctl("kern.ostype",2,0x7fffffffdc20,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> __sysctl("kern.hostname",2,0x7fffffffdd20,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> __sysctl("kern.osrelease",2,0x7fffffffde20,0x7fffffffdb80,0x0,0) = 0
>> (0x0)
>> __sysctl("kern.version",2,0x7fffffffdf20,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> __sysctl("hw.machine",2,0x7fffffffe020,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> ioctl(4,BIOCGBLEN,0x7fffffffdbfc) = 0 (0x0)
>> ioctl(4,BIOCSBLEN,0x7fffffffdbfc) = 0 (0x0)
>> ioctl(4,BIOCSETIF,0x7fffffffe120) = 0 (0x0)
>> ioctl(4,BIOCGDLT,0x7fffffffdbfc) = 0 (0x0)
>> ioctl(4,BIOCGDLTLIST,0x7fffffffdc08) = 0 (0x0)
>> ioctl(4,BIOCGDLTLIST,0x7fffffffdc08) = 0 (0x0)
>> ioctl(4,BIOCSHDRCMPLT,0x7fffffffdc00) = 0 (0x0)
>> ioctl(4,BIOCSRTIMEOUT,0x7fffffffdbe0) = 0 (0x0)
>> ioctl(4,BIOCPROMISC,0x0) = 0 (0x0)
>> ioctl(4,BIOCSTSTAMP,0x7fffffffdbfc) = 0 (0x0)
>> ioctl(4,BIOCGBLEN,0x7fffffffdbfc) = 0 (0x0)
>> mmap(0x0,528384,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) =
>> 34387210240 (0x801a33000)
>> ioctl(4,BIOCSETF,0x7fffffffdbe0) = 0 (0x0)
>> fcntl(4,F_GETFL,) = 2 (0x2)
>> fcntl(4,F_SETFL,O_RDWR|O_NONBLOCK) = 0 (0x0)
>> socket(PF_INET,SOCK_DGRAM,0) = 5 (0x5)
>> ioctl(5,SIOCGIFADDR,0x7fffffffe150) = 0 (0x0)
>> ioctl(5,SIOCGIFNETMASK,0x7fffffffe150) = 0 (0x0)
>> close(5) = 0 (0x0)
>> close(4) = 0 (0x0)
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x80032fc10,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffffffe3d8)
>> ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>> ERR#60 'Operation timed out'
>>
>>
>>
>> On 11/21/2023 4:43 PM, Carter Bullard wrote:
>>> Gentle persons,
>>> I’m preparing to transition a significant part of the commercial
>>> version of argus into the open source project. I’m going to move
>>> the commercial sensor into the open source, and a few of the
>>> commercial client programs, including complete passive DNS, a lot of
>>> large scale deployment collection and processing, and the argus
>>> python client library to enable AI/ML work. I’m hoping that this
>>> will be a big addition to the open source argus collection, and
>>> hopefully useful for the community.
>>>
>>> This version is a significant upgrade, designed primarily to provide
>>> a zero configuration approach for comprehensive network auditing in
>>> endpoints, i.e. laptops, workstations and mobile devices. The core of
>>> the zero configuration approach is support for a UUID argus source
>>> identifier, so you don’t have to assign a source id in your
>>> argus.conf, and support for monitoring all the physical and virtual
>>> interfaces on the system independently. This has caused us to
>>> modify the argus record header to support the much larger scrid and
>>> to add an interface identifier. Bigger identifiers mean a bigger
>>> header, and thus the reason for the major version change of the
>>> software.
>>>
>>> There are a lot of new features and fixes that come from the
>>> commercial argus. This version should be able to run at 100Gbps
>>> with hardware support, as it does at Stanford. It is also very
>>> efficient, so that the cpu and memory utilization is very small on
>>> end systems that use a lot of real and dynamic virtual interfaces.
>>> And of course we’ve wrung out a lot of bugs that are in the
>>> argus-3.0 distros.
>>>
>>> I had thought to distribute this release as argus-4.0, but there is
>>> a lot of commercial argus data out there at various sites, so I
>>> think the best path is to release it as argus-5.0, which is the
>>> designation for commercial argus.
>>>
>>> While argus-5.0 data is incompatible with argus-3.0 processing, all
>>> argus-5.0 components currently read and write argus-3.0 formats, so
>>> there is a lot of backward compatibility, and hopefully an easy
>>> transition path for upgrading.
>>>
>>> I've set up the current 3.0.8 argus repositories at
>>> https://github.com/openargus and I have the core of argus-5.0
>>> already set up in private repos on GitHub. I will make the private
>>> repos available before the end of the year as a distinct set of
>>> distributions. The commercial code is called ‘gargoyle’ and I’ll
>>> keep that name until we make it just argus-5.0.
>>>
>>> I am very interested in comments / suggestions / opinions and even
>>> flames … so send email or go to the GitHub sites and make some noise
>>> there.
>>>
>>> Hope all is most excellent,
>>>
>>> Carter
>>>
>>> Carter Bullard • QoSient • Founder/CEO
>>> 330 Mountain Rest Road, POBox 1201, New Paltz, New York 12561
>>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>>
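The debug output above shows the failure pattern directly: for every tun and ipsec interface, ArgusOpenInterface returns 0 and is immediately followed by "no packet sources for this device", while igb0/igb1 return 1 and get a setArgusInterfaceStatus call. The script below is an added example, not code from the thread or from the argus project; it parses lines in that debug format and reports which configured interfaces the sensor silently left unmonitored, which is the operational risk for anyone relying on argus to audit VPN traffic. The sample log lines are constructed from the ones in the post, rejoined onto single lines.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the argus debug lines in the post
# (the list archive wrapped them; here each record is one line).
SAMPLE_LOG = """\
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]: 18 Dec 23 15:43:15.106789 ArgusOpenInterface(0x834ed3b40, 'tun88') returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]: 18 Dec 23 15:43:15.106802 ArgusInitSource: no packet sources for this device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]: 18 Dec 23 15:43:15.113605 ArgusOpenInterface(0x8377016c0, 'ipsec3') returning 0
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]: 18 Dec 23 15:43:15.113617 ArgusInitSource: no packet sources for this device.
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00c0d22608000000]: 18 Dec 23 15:43:15.117765 ArgusOpenInterface(0x83944dac0, 'igb1') returning 1
Dec 18 15:43:15 collector13 argus[42005]: argus[42005.00d5d22608000000]: 18 Dec 23 15:43:15.118223 setArgusInterfaceStatus(0x83944dac0, 1)
Dec 18 15:43:15 collector13 argus[42005]: ArgusGetInterfaceStatus: interface igb1 is up
"""

OPEN_RE = re.compile(r"ArgusOpenInterface\((0x[0-9a-f]+), '([^']+)'\) returning (\d+)")
NOSRC_RE = re.compile(r"ArgusInitSource: no packet sources for this device")
STATUS_RE = re.compile(r"setArgusInterfaceStatus\((0x[0-9a-f]+), (\d+)\)")


def triage(log_text):
    """Map interface name -> {"opened", "no_sources", "status"}.

    The 'no packet sources' line carries no interface name, so it is
    attributed to the ArgusOpenInterface record that precedes it; the
    status call is matched to its interface via the source pointer.
    """
    result = OrderedDict()
    by_ptr = {}
    last_if = None
    for line in log_text.splitlines():
        m = OPEN_RE.search(line)
        if m:
            ptr, name, rc = m.group(1), m.group(2), int(m.group(3))
            result[name] = {"opened": rc != 0, "no_sources": False, "status": None}
            by_ptr[ptr] = name
            last_if = name
            continue
        if NOSRC_RE.search(line) and last_if is not None:
            result[last_if]["no_sources"] = True
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) in by_ptr:
            result[by_ptr[m.group(1)]]["status"] = int(m.group(2))
    return result


def unmonitored(log_text):
    """Configured interfaces argus failed to open: the monitoring gap to alert on."""
    return [name for name, v in triage(log_text).items() if not v["opened"]]


if __name__ == "__main__":
    for name, v in triage(SAMPLE_LOG).items():
        print(name, v)
    print("unmonitored:", unmonitored(SAMPLE_LOG))
```

Feed it the syslog output from a sensor started with ARGUS_DEBUG_LEVEL set, and a non-empty unmonitored list is the condition worth paging on.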