[ARGUS] Argus 5.0.0. archive filter by ip protocol problem.

Carter Bullard carter at qosient.com
Tue Jul 23 11:27:38 EDT 2024


I have created a branch to v5.0.0, carter/filterFix, that restores the 3.0.8.4 filter strategy.
For compatibility, this only modifies ./common/grammar.y, and not the supporting scanner or filter itself.
This removes undocumented filter features that we haven’t talked about yet, so it shouldn’t break anything.

In the clients distro from GitHub ...
   % git checkout carter/filterFix
   % make

Please test this out in your environment, and if it works for you, we’ll add it to the main release.

Carter

> On Jul 22, 2024, at 4:56 PM, Ming Fu via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi,
> 
> Argus 5.0.0 fails to parse the BPF filter 'ip proto <num>'.
> 
> A few samples of the error message:
> ra -X -F /opt/pkgs/argus-clients-e/argus/rarc -n -c, -s stime saddr dir daddr dport state -r /archive/2024-07/16/* --  'ip proto 50'
> ArgusError: 2024-07-22 20:40:20.716884 filter syntax error: 'ip proto 50
> ra -X -F /opt/pkgs/argus-clients-e/argus/rarc -n -c, -s stime saddr dir daddr dport state -r /archive/2024-07/16/* --  'ip proto esp'
> ArgusError: 2024-07-22 20:40:24.940294 filter syntax error: 'ip proto esp'
> 
> Regards,
> Ming
