[ARGUS] github version of argus 3.x not working on FreeBSD tun interfaces

mike tancsa mike at sentex.ca
Tue Dec 19 11:25:52 EST 2023


Hi Carter,

     Rewinding to commit bcf80f24efe5099404b39da9534ec821961b7e03 works. 
It's the one after that which breaks things.  I would be happy to try out 
5.x in the new year when it comes out!

     ---Mike

On 12/19/2023 11:20 AM, Carter Bullard wrote:
> Ahhhhhh … tun interfaces are IP interfaces … we have callbacks to 
> decode this type, so it should be finding them …. Hmmmm …
> I’ll check it out, should be trivial ...
>
> This is working in argus-5.0, which is coming out in Jan … would you 
> be willing to be a guinea pig ???
> Hope all is most excellent,
>
> Carter
>
>
>> On Dec 18, 2023, at 6:56 PM, mike tancsa <mike at sentex.ca> wrote:
>>
>> On 12/18/2023 6:24 PM, Carter Bullard wrote:
>>> Hey Mike,
>>> Glad to hear that you got it working … not sure what it means,  in 
>>> that I’m not sure if I need to make any changes ???
>>> Carter
>>>
>>
>> Hi Carter,
>>
>>     I had to revert to an *earlier* version in the repo to get it to 
>> work. What is in there does not work with tun interfaces on FreeBSD 
>> 12 and 13
>>
>>
>>     ---Mike
>>
>>
>>>
>>>> On Dec 18, 2023, at 3:35 PM, mike tancsa <mike at sentex.ca> wrote:
>>>>
>>>> If I
>>>>
>>>> git reset --hard bcf80f24efe5099404b39da9534ec821961b7e03
>>>>
>>>> that version seems to work correctly with tun interfaces
>>>>
>>>>     ---Mike
>>>>
>>>> On 12/18/2023 3:07 PM, mike tancsa wrote:
>>>>>
>>>>> Hi Carter et al,
>>>>>
>>>>>     I was trying the new version of argus 3.x from github and ran 
>>>>> into a problem with FreeBSD12 and 13. For some reason, it no 
>>>>> longer is able to bind to a tun interface, only ethernet interfaces.
>>>>>
>>>>> Using a simple test config
>>>>>
>>>>> ARGUS_FLOW_TYPE="Bidirectional"
>>>>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>>>>> ARGUS_MONITOR_ID=127.0.0.1
>>>>> ARGUS_INTERFACE=tun97
>>>>> ARGUS_OUTPUT_FILE=/var/log/argus/argus-test.out
>>>>> ARGUS_DEBUG_LEVEL=9
>>>>>
>>>>> fails on FreeBSD 12 and 13.
>>>>>
>>>>> running it through truss, the last bits are below. Not sure if 
>>>>> that helps or not. Any idea what might be up ?
>>>>>
>>>>>     ---Mike
>>>>>
>>>>>
>>>>> R1|SIGUSR2 },{ }) = 0 (0x0)
>>>>> sigaction(SIGTERM,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{ 
>>>>> SIG_DFL SA_RESTART ss_t }) = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{ 
>>>>> SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 
>>>>> },{ }) = 0 (0x0)
>>>>> sigaction(SIGUSR1,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{ 
>>>>> SIG_DFL 0x0 ss_t }) = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{ 
>>>>> SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 
>>>>> },{ }) = 0 (0x0)
>>>>> sigaction(SIGUSR2,{ 0x800317020 SA_RESTART|SA_SIGINFO ss_t },{ 
>>>>> SIG_DFL 0x0 ss_t }) = 0 (0x0)
>>>>> sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
>>>>> getpid()                                         = 25636 (0x6424)
>>>>> access("/etc/localtime",R_OK)                    = 0 (0x0)
>>>>> open("/etc/localtime",O_RDONLY,012342134)        = 4 (0x4)
>>>>> fstat(4,{ mode=-r--r--r-- ,inode=229825,size=3477,blksize=4096 }) 
>>>>> = 0 (0x0)
>>>>> read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3477 (0xd95)
>>>>> close(4)                                         = 0 (0x0)
>>>>> issetugid()                                      = 0 (0x0)
>>>>> open("/usr/share/zoneinfo/posixrules",O_RDONLY,00) = 4 (0x4)
>>>>> fstat(4,{ mode=-r--r--r-- ,inode=229824,size=3535,blksize=4096 }) 
>>>>> = 0 (0x0)
>>>>> mmap(0x0,53248,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 
>>>>> 34381910016 (0x801525000)
>>>>> read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3535 (0xdcf)
>>>>> close(4)                                         = 0 (0x0)
>>>>>     ArgusAlert: argus[25636.00307c0008000000]: 18 Dec 23 
>>>>> 15:01:09.591885 started
>>>>> write(2,"    ArgusAlert: argus[25636.0030"...,81) = 81 (0x51)
>>>>> mmap(0x0,5246976,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) 
>>>>> = 34381963264 (0x801532000)
>>>>> openat(AT_FDCWD,"/dev/bpf",O_RDWR,00)            = 4 (0x4)
>>>>> ioctl(4,BIOCVERSION,0x7fffffffdc18)              = 0 (0x0)
>>>>> __sysctl("kern.ostype",2,0x7fffffffdc20,0x7fffffffdb80,0x0,0) = 0 
>>>>> (0x0)
>>>>> __sysctl("kern.hostname",2,0x7fffffffdd20,0x7fffffffdb80,0x0,0) = 
>>>>> 0 (0x0)
>>>>> __sysctl("kern.osrelease",2,0x7fffffffde20,0x7fffffffdb80,0x0,0) = 
>>>>> 0 (0x0)
>>>>> __sysctl("kern.version",2,0x7fffffffdf20,0x7fffffffdb80,0x0,0) = 0 
>>>>> (0x0)
>>>>> __sysctl("hw.machine",2,0x7fffffffe020,0x7fffffffdb80,0x0,0) = 0 (0x0)
>>>>> ioctl(4,BIOCGBLEN,0x7fffffffdbfc)                = 0 (0x0)
>>>>> ioctl(4,BIOCSBLEN,0x7fffffffdbfc)                = 0 (0x0)
>>>>> ioctl(4,BIOCSETIF,0x7fffffffe120)                = 0 (0x0)
>>>>> ioctl(4,BIOCGDLT,0x7fffffffdbfc)                 = 0 (0x0)
>>>>> ioctl(4,BIOCGDLTLIST,0x7fffffffdc08)             = 0 (0x0)
>>>>> ioctl(4,BIOCGDLTLIST,0x7fffffffdc08)             = 0 (0x0)
>>>>> ioctl(4,BIOCSHDRCMPLT,0x7fffffffdc00)            = 0 (0x0)
>>>>> ioctl(4,BIOCSRTIMEOUT,0x7fffffffdbe0)            = 0 (0x0)
>>>>> ioctl(4,BIOCPROMISC,0x0)                         = 0 (0x0)
>>>>> ioctl(4,BIOCSTSTAMP,0x7fffffffdbfc)              = 0 (0x0)
>>>>> ioctl(4,BIOCGBLEN,0x7fffffffdbfc)                = 0 (0x0)
>>>>> mmap(0x0,528384,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) 
>>>>> = 34387210240 (0x801a33000)
>>>>> ioctl(4,BIOCSETF,0x7fffffffdbe0)                 = 0 (0x0)
>>>>> fcntl(4,F_GETFL,)                                = 2 (0x2)
>>>>> fcntl(4,F_SETFL,O_RDWR|O_NONBLOCK)               = 0 (0x0)
>>>>> socket(PF_INET,SOCK_DGRAM,0)                     = 5 (0x5)
>>>>> ioctl(5,SIOCGIFADDR,0x7fffffffe150)              = 0 (0x0)
>>>>> ioctl(5,SIOCGIFNETMASK,0x7fffffffe150)           = 0 (0x0)
>>>>> close(5)                                         = 0 (0x0)
>>>>> close(4)                                         = 0 (0x0)
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x80032fc10,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffffffe3d8) 
>>>>> ERR#60 'Operation timed out'
>>>>> _umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) 
>>>>> ERR#60 'Operation timed out'
>>>>>
>>>>>
>>>>>
>>>>> On 11/21/2023 4:43 PM, Carter Bullard wrote:
>>>>>> Gentle persons,
>>>>>> I’m preparing to transition a significant part of the commercial 
>>>>>> version of argus into the open source project.  I’m going to move 
>>>>>> the commercial sensor into the open source, and a few of the 
>>>>>> commercial client programs, including complete passive DNS, a lot 
>>>>>> of large scale deployment collection and processing, and the 
>>>>>> argus python client library to enable AI/ML work.  I’m hoping 
>>>>>> that this will be a big addition to the open source argus 
>>>>>> collection, and hopefully useful for the community.
>>>>>>
>>>>>> This version is a significant upgrade, designed primarily to 
>>>>>> provide a zero configuration approach for comprehensive network 
>>>>>> auditing in endpoints, ie laptops, workstations and mobile 
>>>>>> devices.  The core of the zero configuration approach is support 
>>>>>> for a UUID argus source identifier, so you don’t have to assign a 
>>>>>> source id in your argus.conf, and support for monitoring all the 
>>>>>> physical and virtual interfaces on the system independently. 
>>>>>>  This has caused us to modify the argus record header to support 
>>>>>> the much larger scrid and to add an interface identifier.  Bigger 
>>>>>> identifiers mean a bigger header, and thus the reason for the 
>>>>>> major version change of the software.
>>>>>>
>>>>>> There are a lot of new features and fixes that come from the 
>>>>>> commercial argus.  This version should be able to run at 100Gbps 
>>>>>> with hardware support, as it does at Stanford.  It is also very 
>>>>>> efficient, so that the cpu and memory utilization is very small 
>>>>>> on end systems that use a lot of real and dynamic virtual 
>>>>>> interfaces.  And of course we’ve rung out a lot of bugs that are 
>>>>>> in the argus-3.0 distros.
>>>>>>
>>>>>> I had thought to distribute this release as argus-4.0, but there 
>>>>>> is a lot of commercial argus data out there at various sites, so 
>>>>>> I think the best path is to release it as argus-5.0, which is the 
>>>>>> designation for commercial argus.
>>>>>>
>>>>>> While argus-5.0 data is incompatible with argus-3.0 processing, 
>>>>>> all argus-5.0 components currently read and write argus-3.0 
>>>>>> formats, so there is a lot of backward compatibility, and 
>>>>>> hopefully an easy transition path for upgrading.
>>>>>>
>>>>>> I've set up the current 3.0.8 argus repositories at 
>>>>>> https://github.com/openargus and I have the core of argus-5.0 
>>>>>> already set up in private repos on GitHub.  I will make the 
>>>>>> private repos available before the end of the year as a distinct 
>>>>>> set of distributions.  The commercial code is called ‘gargoyle’ 
>>>>>> and I’ll keep that name until we make it just argus-5.0.
>>>>>>
>>>>>> I am very interested in comments / suggestions / opinions and 
>>>>>> even flames … so send email or go to the GitHub sites and make 
>>>>>> some noise there.
>>>>>>
>>>>>> Hope all is most excellent,
>>>>>>
>>>>>> Carter
>>>>>>
>>>>>> Carter Bullard • QoSient  • Founder/CEO
>>>>>> 330 Mountain Rest Road, POBox 1201, New Paltz, New York 12561
>>>>>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>>>>>
>>>
>
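Read as a capture-pipeline check, the truss output quoted in the thread shows the /dev/bpf descriptor (fd 4) being opened, bound with BIOCSETIF, queried with BIOCGDLT, given a filter, and then closed without a single read() on it, after which the process only sits in _umtx_op waits. The script below is an added example (not part of the thread, nor argus or truss code) that extracts that descriptor lifetime from a truss trace so the symptom can be spotted without reading the whole dump; the excerpt it parses is a constructed condensation of the trace quoted above.

```python
import re

# Constructed sample: a condensed excerpt of the truss output quoted in the thread,
# reduced to the lines that bound the BPF descriptor's lifetime.
TRUSS_EXCERPT = """\
openat(AT_FDCWD,"/dev/bpf",O_RDWR,00)            = 4 (0x4)
ioctl(4,BIOCSETIF,0x7fffffffe120)                = 0 (0x0)
ioctl(4,BIOCGDLT,0x7fffffffdbfc)                 = 0 (0x0)
ioctl(4,BIOCSETF,0x7fffffffdbe0)                 = 0 (0x0)
socket(PF_INET,SOCK_DGRAM,0)                     = 5 (0x5)
close(5)                                         = 0 (0x0)
close(4)                                         = 0 (0x0)
_umtx_op(0x801501008,UMTX_OP_WAIT_UINT_PRIVATE,0x0,0x18,0x7fffdfffde18) ERR#60 'Operation timed out'
"""

# Matches "syscall(args) = ret (0x..)" as well as "syscall(args) ERR#n 'text'".
CALL_RE = re.compile(r"^(\w+)\((.*)\)\s+(?:=\s*(-?\d+)|ERR#\d+)")

def parse_call(line):
    """Return (syscall, [args], return value or None on error) for one truss line."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    name, args, ret = m.groups()
    return name, [a.strip() for a in args.split(",")], (None if ret is None else int(ret))

def bpf_sessions(trace):
    """Follow every /dev/bpf descriptor from open to close, recording its ioctls and reads."""
    live, done = {}, []
    for line in trace.splitlines():
        call = parse_call(line)
        if call is None:
            continue
        name, args, ret = call
        fd = int(args[0]) if args and args[0].isdigit() else None
        if name in ("open", "openat") and '"/dev/bpf"' in args and ret is not None and ret >= 0:
            live[ret] = {"fd": ret, "ioctls": [], "reads": 0, "closed": False}
        elif fd in live and name == "ioctl":
            live[fd]["ioctls"].append(args[1])
        elif fd in live and name == "read":
            live[fd]["reads"] += 1
        elif fd in live and name == "close":
            live[fd]["closed"] = True
            done.append(live.pop(fd))
    return done + list(live.values())

def diagnose(trace):
    """One verdict per BPF descriptor: a bound capture closed without any read is flagged."""
    out = []
    for s in bpf_sessions(trace):
        bound = "BIOCSETIF" in s["ioctls"]
        abandoned = bound and s["closed"] and s["reads"] == 0
        out.append(f"bpf fd {s['fd']}: bound={bound} reads={s['reads']} "
                   f"closed={s['closed']} -> {'abandoned before any read' if abandoned else 'ok'}")
    return out
```

Run it over a full `truss -f` capture of the sensor to see whether a bind on the interface is ever followed by reads, which separates "could not attach to the interface" from "attached, then gave up on it".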