[ARGUS] github version of argus 3.x not working on FreeBSD tun interfaces
mike tancsa
mike at sentex.ca
Tue Dec 19 11:25:52 EST 2023
Hi Carter,
Rewinding to commit bcf80f24efe5099404b39da9534ec821961b7e03 works.
Its the one after that which breaks things. I would be happy to try out
5.x in the new year when it comes out!
---Mike
On 12/19/2023 11:20 AM, Carter Bullard wrote:
> Ahhhhhh … tun interfaces are IP interfaces … we have callbacks to
> decode this type, so it should be finding them …. Hmmmm …
> I’ll check it out, should be trivial ...
>
> This is working in argus-5.0, which is coming out in Jan … would you
> be willing to be a guinea pig ???
> Hope all is most excellent,
>
> Carter
>
>
>> On Dec 18, 2023, at 6:56 PM, mike tancsa <mike at sentex.ca> wrote:
>>
>> On 12/18/2023 6:24 PM, Carter Bullard wrote:
>>> Hey Mike,
>>> Glad to hear that you got it working … not sure what it means, in
>>> that I’m not sure if I need to make any changes ???
>>> Carter
>>>
>>
>> Hi Carter,
>>
>> I had to revert to an *earlier* version in the repo to get it to
>> work. What is in there does not work with tun interfaces on FreeBSD
>> 12 and 13
>>
>>
>> ---Mike
>>
>>
>>>
>>>> On Dec 18, 2023, at 3:35 PM, mike tancsa <mike at sentex.ca> wrote:
>>>>
>>>> If I
>>>>
>>>> git reset --hard bcf80f24efe5099404b39da9534ec821961b7e03
>>>>
>>>> that version seems to work correctly with tun interfaces
>>>>
>>>> ---Mike
>>>>
>>>> On 12/18/2023 3:07 PM, mike tancsa wrote:
>>>>>
>>>>> Hi Carter et al,
>>>>>
>>>>> I was trying the new version of argus 3.x from github and ran
>>>>> into a problem with FreeBSD12 and 13. For some reason, it no
>>>>> longer is able to bind to a tun interface, only ethernet interfaces.
>>>>>
>>>>> Using a simple test config
>>>>>
>>>>> ARGUS_FLOW_TYPE="Bidirectional"
>>>>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>>>>> ARGUS_MONITOR_ID=127.0.0.1
>>>>> ARGUS_INTERFACE=tun97
>>>>> ARGUS_OUTPUT_FILE=/var/log/argus/argus-test.out
>>>>> ARGUS_DEBUG_LEVEL=9
>>>>>
>>>>> fails on FreeBSD 12 and 13.
>>>>>
>>>>> running it through truss, the last bits are below. Not sure if
>>>>> that helps or not. Any idea what might be up ?
>>>>>
>>>>> ---Mike
>>>>>
>>>>>
>>>>> R1|SIGUSR2 },{ }) = 0 (0x0)
>>>>> sigaction(SIGTERM,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{
>>>>> SIG_DFL SA_RESTART ss_t }) = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{
>>>>> SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUS
>>>>> R1|SIGUSR2 },{ }) = 0 (0x0)
>>>>> sigaction(SIGUSR1,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{
>>>>> SIG_DFL 0x0 ss_t }) = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{
>>>>> SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2
>>>>> },{ }) = 0 (0x0)
>>>>> sigaction(SIGUSR2,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{
>>>>> SIG_DFL 0x0 ss_t }) = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
>>>>> getpid() = 25636 (0x6424)
>>>>> access("/etc/localtime",R_OK) = 0 (0x0)
>>>>> open("/etc/localtime",O_RDONLY,012342134) = 4 (0x4)
>>>>> fstat(4,{ mode=-r--r--r-- ,inode=229825,size=3477,blksize=4096 })
>>>>> = 0 (0x0)
>>>>> read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3477 (0xd95)
>>>>> close(4) = 0 (0x0)
>>>>> issetugid() = 0 (0x0)
>>>>> open("/usr/share/zoneinfo/posixrules",O_RDONLY,00) = 4 (0x4)
>>>>> fstat(4,{ mode=-r--r--r-- ,inode=229824,size=3535,blksize=4096 })
>>>>> = 0 (0x0)
>>>>> mmap(0x0,53248,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) =
>>>>> 34381910016 (0x801525000)
>>>>> read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3535 (0xdcf)
>>>>> close(4) = 0 (0x0)
>>>>> ArgusAlert: argus[25636.00307c0008000000]: 18 Dec 23
>>>>> 15:01:09.591885 started
>>>>> write(2," ArgusAlert: argus[25636.0030"...,81) = 81 (0x51)
>>>>> mmap(0x0,5246976,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0)
>>>>> = 34381963264 (0x801532000)
>>>>> openat(AT_FDCWD,"/dev/bpf",O_RDWR,00) = 4 (0x4)
>>>>> ioctl(4,BIOCVERSION,0x7fffffffdc18) = 0 (0x0)
>>>>> __sysctl("kern.ostype",2,0x7fffffffdc20,0x7fffffffdb80,0x0,0) = 0
>>>>> (0x0)
>>>>> __sysctl("kern.hostname",2,0x7fffffffdd20,0x7fffffffdb80,0x0,0) =
>>>>> 0 (0x0)
>>>>> __sysctl("kern.osrelease",2,0x7fffffffde20,0x7fffffffdb80,0x0,0) =
>>>>> 0 (0x0)
>>>>> __sysctl("kern.version",2,0x7fffffffdf20,0x7fffffffdb80,0x0,0) = 0
>>>>> (0x0)
>>>>> __sysctl("hw.machine",2,0x7fffffffe020,0x7fffffffdb80,0x0,0) = 0 (0x0)
>>>>> ioctl(4,BIOCGBLEN,0x7fffffffdbfc) = 0 (0x0)
>>>>> ioctl(4,BIOCSBLEN,0x7fffffffdbfc) = 0 (0x0)
>>>>> ioctl(4,BIOCSETIF,0x7fffffffe120) = 0 (0x0)
>>>>> ioctl(4,BIOCGDLT,0x7fffffffdbfc) = 0 (0x0)
>>>>> ioctl(4,BIOCGDLTLIST,0x7fffffffdc08) = 0 (0x0)
>>>>> ioctl(4,BIOCGDLTLIST,0x7fffffffdc08) = 0 (0x0)
>>>>> ioctl(4,BIOCSHDRCMPLT,0x7fffffffdc00) = 0 (0x0)
>>>>> ioctl(4,BIOCSRTIMEOUT,0x7fffffffdbe0) = 0 (0x0)
>>>>> ioctl(4,BIOCPROMISC,0x0) = 0 (0x0)
>>>>> ioctl(4,BIOCSTSTAMP,0x7fffffffdbfc) = 0 (0x0)
>>>>> ioctl(4,BIOCGBLEN,0x7fffffffdbfc) = 0 (0x0)
>>>>> mmap(0x0,528384,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0)
>>>>> = 34387210240 (0x801a33000)
>>>>> ioctl(4,BIOCSETF,0x7fffffffdbe0) = 0 (0x0)
>>>>> fcntl(4,F_GETFL,) = 2 (0x2)
>>>>> fcntl(4,F_SETFL,O_RDWR|O_NONBLOCK) = 0 (0x0)
>>>>> socket(PF_INET,SOCK_DGRAM,0) = 5 (0x5)
>>>>> ioctl(5,SIOCGIFADDR,0x7fffffffe150) = 0 (0x0)
>>>>> ioctl(5,SIOCGIFNETMASK,0x7fffffffe150) = 0 (0x0)
>>>>> close(5) = 0 (0x0)
>>>>> close(4) = 0 (0x0)
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x80032fc10,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffffffe3d8)
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18)
>>>>> ERR#60 'Operation timed out'
>>>>>
>>>>>
>>>>>
>>>>> On 11/21/2023 4:43 PM, Carter Bullard wrote:
>>>>>> Gentle persons,
>>>>>> I’m preparing to transition a significant part of the commercial
>>>>>> version of argus into the open source project. I’m going to move
>>>>>> the commercial sensor into the open source, and a few of the
>>>>>> commercial client programs, including complete passive DNS, a lot
>>>>>> of large scale deployment collection and processing, and the
>>>>>> argus python client library to enable AI/ML work. I’m hoping
>>>>>> that this will be a big addition to the open source argus
>>>>>> collection, and hopefully useful for the community.
>>>>>>
>>>>>> This version is a significant upgrade, designed primarily to
>>>>>> provide a zero configuration approach for comprehensive network
>>>>>> auditing in endpoints, ie laptops, workstations and mobile
>>>>>> devices. The core of the zero configuration approach is support
>>>>>> for a UUID argus source identifier, so you don’t have to assign a
>>>>>> source id in your argus.conf, and support for monitoring all the
>>>>>> physical and virtual interfaces on the system independently.
>>>>>> This has caused us to modify the argus record header to support
>>>>>> the much larger scrid and to add an interface identifier. Bigger
>>>>>> identifiers mean a bigger header, and thus the reason for the
>>>>>> major version change of the software.
>>>>>>
>>>>>> There are a lot of new features and fixes that come from the
>>>>>> commercial argus. This version should be able to run at 100Gbps
>>>>>> with hardware support, as it does at Stanford. It is also very
>>>>>> efficient, so that the cpu and memory utilization is very small
>>>>>> on end systems that use a lot of real and dynamic virtual
>>>>>> interfaces. And of course we’ve rung out a lot of bugs that are
>>>>>> in the argus-3.0 distros.
>>>>>>
>>>>>> I had thought to distribute this release as argus-4.0, but there
>>>>>> is a lot of commercial argus data out there at various sites, so
>>>>>> I think the best path is to release it as argus-5.0, which is the
>>>>>> designation for commercial argus.
>>>>>>
>>>>>> While argus-5.0 data is incompatible with argus-3.0 processing,
>>>>>> all argus-5.0 components currently read and write argus-3.0
>>>>>> formats, so there is a lot of backward compatibility, and
>>>>>> hopefully an easy transition path for upgrading.
>>>>>>
>>>>>> I've setup the current 3.0.8 argus repositories at
>>>>>> https://github.com/openargus and I have the core of argus-5.0
>>>>>> already setup in private repos on GitHub. I will make the
>>>>>> private repos available before the end of the year as a distinct
>>>>>> set of distributions. The commercial code is called ‘gargoyle’
>>>>>> and I’ll keep that name until we make it just argus-5.0.
>>>>>>
>>>>>> I am very interested in comments / suggestions / opinions and
>>>>>> even flames … so send email or go to the GitHub sites and make
>>>>>> some noise there.
>>>>>>
>>>>>> Hope all is most excellent,
>>>>>>
>>>>>> Carter
>>>>>>
>>>>>> Carter Bullard • QoSient • Founder/CEO
>>>>>> 330 Mountain Rest Road, POBox 1201, New Paltz, New York 12561
>>>>>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>>>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20231219/6fccadb1/attachment-0001.htm>
More information about the argus
mailing list