[ARGUS] Argus 5.0.0. archive filter by ip protocol problem.
Ming Fu via Argus-info
argus-info at lists.andrew.cmu.edu
Tue Jul 23 14:18:00 EDT 2024
Hi Carter,
This fix works!
Thanks,
Ming
-----Original Message-----
From: Carter Bullard <carter at qosient.com>
Sent: Tuesday, July 23, 2024 11:28 AM
To: Ming Fu <Ming.Fu at esentire.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Argus 5.0.0. archive filter by ip protocol problem.
I have created a branch to v5.0.0, carter/filterFix, that restores the 3.0.8.4 filter strategy.
For compatibility, this only modifies ./common/grammar.y, and not the supporting scanner or filter itself.
This removes undocumented filter features that we haven’t talked about yet, so it shouldn’t break anything.
In the clients distro from GitHub ...
% git checkout carter/filterFix
% make
Please test this out in your environment, and if it works for you, we’ll add it to the main release.
Carter
> On Jul 22, 2024, at 4:56 PM, Ming Fu via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> Hi,
>
> The argus 5.0.0 fails to parse the BPF filter 'ip proto <num>'
>
> A few samples of the error message:
> ra -X -F /opt/pkgs/argus-clients-e/argus/rarc -n -c, -s stime saddr dir daddr dport state -r /archive/2024-07/16/* -- 'ip proto 50'
> ArgusError: 2024-07-22 20:40:20.716884 filter syntax error: 'ip proto 50
> ra -X -F /opt/pkgs/argus-clients-e/argus/rarc -n -c, -s stime saddr dir daddr dport state -r /archive/2024-07/16/* -- 'ip proto esp'
> ArgusError: 2024-07-22 20:40:24.940294 filter syntax error: 'ip proto esp'
>
> Regards,
> Ming
More information about the argus
mailing list