[ARGUS] Argus 5.0.0. archive filter by ip protocol problem.
Carter Bullard
carter at qosient.com
Tue Jul 23 08:44:40 EDT 2024
Hey Ming,
Yes, this is a bug, and I’ll fix this this week …
For those that like to experiment, reverting to argus-clients-3.0.5.8’s ./common argus_code.c, grammar.y and scanner.l should get the legacy filters back.
The filter was modified so that ethernet and ip protocols could be specified without the “ip proto” or “ether proto” keywords, but that dropped out the number specifications …
Sorry that got through testing, should be fixed soon ...
Carter
PS Just for clarification, the filters used by the argus-clients are not BPF filters. They are more like a BPF-like filter, as they have extensions for bi-directional flow semantics.
> On Jul 22, 2024, at 4:56 PM, Ming Fu via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> Hi,
>
> The argus 5.0.0 fails to parse the BPF filter 'ip proto <num>'
>
> A few samples of the error message:
> ra -X -F /opt/pkgs/argus-clients-e/argus/rarc -n -c, -s stime saddr dir daddr dport state -r /archive/2024-07/16/* -- 'ip proto 50'
> ArgusError: 2024-07-22 20:40:20.716884 filter syntax error: 'ip proto 50
> ra -X -F /opt/pkgs/argus-clients-e/argus/rarc -n -c, -s stime saddr dir daddr dport state -r /archive/2024-07/16/* -- 'ip proto esp'
> ArgusError: 2024-07-22 20:40:24.940294 filter syntax error: 'ip proto esp'
>
> Regards,
> Ming
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1385 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20240723/5c7c4421/attachment.bin>
More information about the argus
mailing list