[ARGUS] Argus 5.0.0. archive filter by ip protocol problem.

Carter Bullard carter at qosient.com
Tue Jul 23 15:15:54 EDT 2024


OK … 1 vote for next release …  we’re shooting for a 2-3 month interval for new releases … 
We now have a Dockerfile that pulls from the v5.0.0 release (I’ll update that to pull from the most recent release) … it may benefit from the fix … should all things wait for 5.0.2 ??

Carter

> On Jul 23, 2024, at 2:55 PM, Ming Fu <Ming.Fu at esentire.com> wrote:
> 
> Hi Carter,
> 
> We would prefer a v5.0.2, but a merge to v5.0.0 will be good as well.
> 
> Thanks,
> Ming
> 
> -----Original Message-----
> From: Carter Bullard <carter at qosient.com> 
> Sent: Tuesday, July 23, 2024 2:51 PM
> To: Ming Fu <Ming.Fu at esentire.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Argus 5.0.0. archive filter by ip protocol problem.
> 
> Great … I’ve integrated the fall back strategy into the ‘main’ branch, and I’ve created a branch that has the new features we’d like to fix … but …, how should we manage the v5.0.0 release ??
> I know Ming, you preferred to deploy an official release, so would you want us to edit the v5.0.0 release with these bug fixes, or would you like to see a new release, or can you wait until we get to v5.0.2 ???
> 
> I’ve posted an issue and a discussion on GitHub/openargus/clients … wonder if anyone on the list has an opinion on this ...
> 
> Carter
> 
>> On Jul 23, 2024, at 2:18 PM, Ming Fu <Ming.Fu at esentire.com> wrote:
>> 
>> Hi Carter,
>> 
>> This fix works!
>> 
>> Thanks,
>> Ming
>> 
>> -----Original Message-----
>> From: Carter Bullard <carter at qosient.com> 
>> Sent: Tuesday, July 23, 2024 11:28 AM
>> To: Ming Fu <Ming.Fu at esentire.com>
>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>> Subject: Re: [ARGUS] Argus 5.0.0. archive filter by ip protocol problem.
>> 
>> I have created a branch to v5.0.0, carter/filterFix, that restores the 3.0.8.4 filter strategy.
>> For compatibility, this only modifies ./common/grammar.y, and not the supporting scanner or filter itself.
>> This removes undocumented filter features that we haven’t talked about yet, so it shouldn’t break anything.
>> 
>> In the clients distro from GitHub ...
>>  % git checkout carter/filterFix
>>  % make
>> 
>> Please test this out in your environment, and if it works for you, we’ll add it to the main release.
>> 
>> Carter
>> 
>>> On Jul 22, 2024, at 4:56 PM, Ming Fu via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>> 
>>> Hi,
>>> 
>>> Argus 5.0.0 fails to parse the BPF filter 'ip proto <num>'.
>>> 
>>> A few samples of the error message:
>>> ra -X -F /opt/pkgs/argus-clients-e/argus/rarc -n -c, -s stime saddr dir daddr dport state -r /archive/2024-07/16/* --  'ip proto 50'
>>> ArgusError: 2024-07-22 20:40:20.716884 filter syntax error: 'ip proto 50
>>> ra -X -F /opt/pkgs/argus-clients-e/argus/rarc -n -c, -s stime saddr dir daddr dport state -r /archive/2024-07/16/* --  'ip proto esp'
>>> ArgusError: 2024-07-22 20:40:24.940294 filter syntax error: 'ip proto esp'
>>> 
>>> Regards,
>>> Ming
>> 
> 
