[ARGUS] github version of argus 3.x not working on FreeBSD tun interfaces

Carter Bullard carter at qosient.com
Mon Dec 18 18:24:02 EST 2023


Hey Mike,
Glad to hear that you got it working … not sure what it means, in that I’m not sure if I need to make any changes ???
Carter


> On Dec 18, 2023, at 3:35 PM, mike tancsa <mike at sentex.ca> wrote:
> 
> If I
> 
> git reset --hard bcf80f24efe5099404b39da9534ec821961b7e03
> 
> that version seems to work correctly with tun interfaces
> 
>     ---Mike
> 
> On 12/18/2023 3:07 PM, mike tancsa wrote:
>> Hi Carter et al,
>> 
>>     I was trying the new version of argus 3.x from github and ran into a problem with FreeBSD12 and 13. For some reason, it no longer is able to bind to a tun interface, only ethernet interfaces.
>> 
>> Using a simple test config
>> 
>> ARGUS_FLOW_TYPE="Bidirectional"
>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>> ARGUS_MONITOR_ID=127.0.0.1
>> ARGUS_INTERFACE=tun97
>> ARGUS_OUTPUT_FILE=/var/log/argus/argus-test.out
>> ARGUS_DEBUG_LEVEL=9
>> 
>> fails on FreeBSD 12 and 13.
>> 
>> running it through truss, the last bits are below. Not sure if that helps or not. Any idea what might be up ?
>> 
>>     ---Mike
>> 
>> 
>> 
>> R1|SIGUSR2 },{ }) = 0 (0x0)
>> sigaction(SIGTERM,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL SA_RESTART ss_t }) = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
>> sigaction(SIGUSR1,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
>> sigaction(SIGUSR2,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
>> sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
>> getpid()                                         = 25636 (0x6424)
>> access("/etc/localtime",R_OK)                    = 0 (0x0)
>> open("/etc/localtime",O_RDONLY,012342134)        = 4 (0x4)
>> fstat(4,{ mode=-r--r--r-- ,inode=229825,size=3477,blksize=4096 }) = 0 (0x0)
>> read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3477 (0xd95)
>> close(4)                                         = 0 (0x0)
>> issetugid()                                      = 0 (0x0)
>> open("/usr/share/zoneinfo/posixrules",O_RDONLY,00) = 4 (0x4)
>> fstat(4,{ mode=-r--r--r-- ,inode=229824,size=3535,blksize=4096 }) = 0 (0x0)
>> mmap(0x0,53248,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34381910016 (0x801525000)
>> read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3535 (0xdcf)
>> close(4)                                         = 0 (0x0)
>>     ArgusAlert: argus[25636.00307c0008000000]: 18 Dec 23 15:01:09.591885 started
>> write(2,"    ArgusAlert: argus[25636.0030"...,81) = 81 (0x51)
>> mmap(0x0,5246976,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34381963264 (0x801532000)
>> openat(AT_FDCWD,"/dev/bpf",O_RDWR,00)            = 4 (0x4)
>> ioctl(4,BIOCVERSION,0x7fffffffdc18)              = 0 (0x0)
>> __sysctl("kern.ostype",2,0x7fffffffdc20,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> __sysctl("kern.hostname",2,0x7fffffffdd20,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> __sysctl("kern.osrelease",2,0x7fffffffde20,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> __sysctl("kern.version",2,0x7fffffffdf20,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> __sysctl("hw.machine",2,0x7fffffffe020,0x7fffffffdb80,0x0,0) = 0 (0x0)
>> ioctl(4,BIOCGBLEN,0x7fffffffdbfc)                = 0 (0x0)
>> ioctl(4,BIOCSBLEN,0x7fffffffdbfc)                = 0 (0x0)
>> ioctl(4,BIOCSETIF,0x7fffffffe120)                = 0 (0x0)
>> ioctl(4,BIOCGDLT,0x7fffffffdbfc)                 = 0 (0x0)
>> ioctl(4,BIOCGDLTLIST,0x7fffffffdc08)             = 0 (0x0)
>> ioctl(4,BIOCGDLTLIST,0x7fffffffdc08)             = 0 (0x0)
>> ioctl(4,BIOCSHDRCMPLT,0x7fffffffdc00)            = 0 (0x0)
>> ioctl(4,BIOCSRTIMEOUT,0x7fffffffdbe0)            = 0 (0x0)
>> ioctl(4,BIOCPROMISC,0x0)                         = 0 (0x0)
>> ioctl(4,BIOCSTSTAMP,0x7fffffffdbfc)              = 0 (0x0)
>> ioctl(4,BIOCGBLEN,0x7fffffffdbfc)                = 0 (0x0)
>> mmap(0x0,528384,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34387210240 (0x801a33000)
>> ioctl(4,BIOCSETF,0x7fffffffdbe0)                 = 0 (0x0)
>> fcntl(4,F_GETFL,)                                = 2 (0x2)
>> fcntl(4,F_SETFL,O_RDWR|O_NONBLOCK)               = 0 (0x0)
>> socket(PF_INET,SOCK_DGRAM,0)                     = 5 (0x5)
>> ioctl(5,SIOCGIFADDR,0x7fffffffe150)              = 0 (0x0)
>> ioctl(5,SIOCGIFNETMASK,0x7fffffffe150)           = 0 (0x0)
>> close(5)                                         = 0 (0x0)
>> close(4)                                         = 0 (0x0)
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> _umtx_op(0x80032fc10,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffffffe3d8) ERR#60 'Operation timed out'
>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
>> 
>> 
>> 
>> 
>> 
>> On 11/21/2023 4:43 PM, Carter Bullard wrote:
>>> Gentle persons,
>>> I’m preparing to transition a significant part of the commercial version of argus into the open source project.  I’m going to move the commercial sensor into the open source, and a few of the commercial client programs, including complete passive DNS, a lot of large scale deployment collection and processing, and the argus python client library to enable AI/ML work.  I’m hoping that this will be a big addition to the open source argus collection, and hopefully useful for the community.
>>> 
>>> This version is a significant upgrade, designed primarily to provide a zero configuration approach for comprehensive network auditing in endpoints, i.e. laptops, workstations and mobile devices.  The core of the zero configuration approach is support for a UUID argus source identifier, so you don’t have to assign a source id in your argus.conf, and support for monitoring all the physical and virtual interfaces on the system independently.  This has caused us to modify the argus record header to support the much larger srcid and to add an interface identifier.  Bigger identifiers mean a bigger header, and thus the reason for the major version change of the software.
>>> 
>>> There are a lot of new features and fixes that come from the commercial argus.  This version should be able to run at 100Gbps with hardware support, as it does at Stanford.  It is also very efficient, so that the cpu and memory utilization is very small on end systems that use a lot of real and dynamic virtual interfaces.  And of course we’ve wrung out a lot of bugs that are in the argus-3.0 distros.
>>> 
>>> I had thought to distribute this release as argus-4.0, but there is a lot of commercial argus data out there at various sites, so I think the best path is to release it as argus-5.0, which is the designation for commercial argus.
>>> 
>>> While argus-5.0 data is incompatible with argus-3.0 processing, all argus-5.0 components currently read and write argus-3.0 formats, so there is a lot of backward compatibility, and hopefully an easy transition path for upgrading.
>>> 
>>> I've set up the current 3.0.8 argus repositories at https://github.com/openargus and I have the core of argus-5.0 already set up in private repos on GitHub.  I will make the private repos available before the end of the year as a distinct set of distributions.  The commercial code is called ‘gargoyle’ and I’ll keep that name until we make it just argus-5.0.
>>> 
>>> I am very interested in comments / suggestions / opinions and even flames … so send email or go to the GitHub sites and make some noise there.
>>> 
>>> Hope all is most excellent,
>>> 
>>> Carter
>>> 
>>> Carter Bullard  •  QoSient  •  Founder / CEO
>>> 330 Mountain Rest Road, POBox 1201, New Paltz, New York 12561
>>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>> 
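The truss excerpt above shows the BPF descriptor (fd 4) being attached to the interface with BIOCSETIF, closed a few calls later, and the process then sitting in repeated _umtx_op timeouts. The script below is an added example, not code from the thread or from the argus project: it summarises a truss trace by open path, so the ioctl sequence and the close/timeout pattern of a failing build can be compared line by line against a run of the commit Mike reported as working. The sample trace is a constructed, abridged copy of the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the truss output quoted in the thread.
TRUSS_SAMPLE = """\
openat(AT_FDCWD,"/dev/bpf",O_RDWR,00)            = 4 (0x4)
ioctl(4,BIOCVERSION,0x7fffffffdc18)              = 0 (0x0)
ioctl(4,BIOCSETIF,0x7fffffffe120)                = 0 (0x0)
ioctl(4,BIOCGDLT,0x7fffffffdbfc)                 = 0 (0x0)
ioctl(4,BIOCPROMISC,0x0)                         = 0 (0x0)
ioctl(4,BIOCSETF,0x7fffffffdbe0)                 = 0 (0x0)
socket(PF_INET,SOCK_DGRAM,0)                     = 5 (0x5)
ioctl(5,SIOCGIFADDR,0x7fffffffe150)              = 0 (0x0)
close(5)                                         = 0 (0x0)
close(4)                                         = 0 (0x0)
_umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
_umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
"""

# truss line shapes: open()/openat() returning an fd, ioctl(fd,NAME,...) = rc,
# close(fd) = rc, and _umtx_op(...) lines that end in ERR#<errno>.
OPEN_RE = re.compile(r'^open(?:at)?\(.*?"([^"]+)".*\)\s*=\s*(\d+)')
IOCTL_RE = re.compile(r'^ioctl\((\d+),([A-Z0-9_]+),.*\)\s*=\s*(-?\d+)')
CLOSE_RE = re.compile(r'^close\((\d+)\)\s*=\s*(-?\d+)')
UMTX_RE = re.compile(r'^_umtx_op\(.*\)\s+ERR#\d+')

def analyze(trace):
    """Map each fd to the path opened on it and collect ioctls per path."""
    fds = {}                      # fd -> path currently open on it
    ioctls = defaultdict(list)    # path -> [(ioctl name, return code), ...]
    closed = []                   # paths whose fd was closed, in order
    umtx_timeouts = 0
    for line in trace.splitlines():
        if m := OPEN_RE.match(line):
            fds[int(m.group(2))] = m.group(1)
        elif m := IOCTL_RE.match(line):
            fd = int(m.group(1))
            ioctls[fds.get(fd, f"fd{fd}")].append((m.group(2), int(m.group(3))))
        elif m := CLOSE_RE.match(line):
            fd = int(m.group(1))
            closed.append(fds.pop(fd, f"fd{fd}"))
        elif UMTX_RE.match(line):
            umtx_timeouts += 1
    bpf = ioctls.get("/dev/bpf", [])
    attached = ("BIOCSETIF", 0) in bpf
    return {
        "bpf_ioctls": [name for name, _ in bpf],
        "bpf_attached": attached,
        "bpf_closed_after_attach": attached and "/dev/bpf" in closed,
        "umtx_timeouts": umtx_timeouts,
    }
```

Run `analyze()` over a full truss capture from the working commit and from the failing build and diff the two summaries; a BPF descriptor that is attached and then closed before any read is the point to look at first.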
