Peter Van Epp | 1 Aug 2000 02:13

patch for 1.8.1

	Below is a patch file against the argus-1.8.1.gz distribution from the
ftp site. It includes both Carter's longjump and icmp fixes from the list 
plus a patch to make 1.8.1 compile cleanly on FreeBSD 4.1-RELEASE (essentially
comment out a definition it was objecting to if the version is 4.1 or greater,
I checked that 4.0-RELEASE is still happy). 

cd argus-1.8.1 
patch -p < ../argus.patch 

will apply it.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

argus.patch:

*** common/argus_util.c.old	Thu Apr  6 05:24:09 2000
--- common/argus_util.c	Tue Jul 18 07:36:43 2000
***************
*** 1683,1689 ****
  static int count_blocks(struct block *);
  static void number_blks_r(struct block *);
  static int count_stmts(struct block *);
! static void convert_code_r(struct block *);

  static int n_blocks;
  struct block **blocks;
--- 1683,1689 ----
  static int count_blocks(struct block *);
  static void number_blks_r(struct block *);
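Review bot: the hunk is cut off on the replacement side after `static void number_blks_r(struct block *);`, so the new form of the `!`-marked line `static void convert_code_r(struct block *);` is not visible and the patch as shown here cannot be applied. Both ranges read 1683,1689, so the change is a one-line edit to that prototype; anyone taking this from the list should check that the definition of convert_code_r further down common/argus_util.c was changed to match (a prototype changed on its own will not build cleanly) and that the rest of the longjump fix the message refers to is in the hunks that follow.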

Peter Van Epp | 1 Aug 2000 05:43

yet another patch

	If you append the following patch to the end of the last one (or apply
this one by itself as you choose) it will fix the bug in 1.8.1 where the
following ra command fails to read the second file:

ra -r t1 -r t2

there is an exit(0) after argus_parse_complete() that of course exits instead
of returning to the calling routine to pick up the next file in the file 
list and process it as 1.8 did. I've tested it and it appears to work for me 
with no ugly side effects (at least that I've found :-)). Since it is what the 
code used to do it should be pretty safe I think.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

*** common/argus_parse.c.orig	Wed Apr  5 10:58:18 2000
--- common/argus_parse.c	Mon Jul 31 19:51:42 2000
***************
*** 734,740 ****

     if ((status & ARGUSCONTROL) &&  (status & CLOSE)) {
        argus_parse_complete();
-       exit(0);
     }
  }

--- 734,739 ----
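Review bot: dropping the `exit(0)` after `argus_parse_complete()` fixes the `-r t1 -r t2` case, but it also changes behaviour where that exit was doing work: anything that relied on ra terminating when a CLOSE control record arrived (an input that ends with a control/close record rather than at end of file) now depends on the caller returning once its input list is exhausted, and argus_parse_complete() now runs once per input rather than once per process, so it has to be safe to call repeatedly and must not re-emit or re-flush output on the second call. Worth confirming both before this goes in with the first patch. The empty `--- 734,739 ----` side is correct for a pure deletion in context-diff format.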

Mark Poepping | 1 Aug 2000 06:22

RE: patch for 1.8.1


I combined the two patches and posted..

ftp://ftp.andrew.cmu.edu/pub/argus/argus-1.8.1

One of these days we'll do the sig stamps again..
mark.

Russell Fulton | 1 Aug 2000 07:08

Re: RE: patch for 1.8.1


On Tue, 1 Aug 2000 00:22:08 -0400 Mark Poepping <poepping <at> cmu.edu> 
wrote:

> 
> I combined the two patches and posted..
> 
> ftp://ftp.andrew.cmu.edu/pub/argus/argus-1.8.1
> 
> One of these days we'll do the sig stamps again..
> mark.
> 
> 

Hmmm... since we are talking patches...

I have a patch which affects ra output

a/ changes the format of the date displayed in ra.  It does this by 
replacing static strings passed to strftime with a define which is set 
in one of the top level includes.  My format looks like this:
'31 Jul 00 00:41:31' and avoids the ambiguity of English/American 
format.

I changed this after several occasions when I misreported incident 
times/dates by cut/pasting times from argus logs.  Sigh...

So the current patch allows one to set the timestamp format at compile 
time.  An alternative/addition would be to use yet another flag to pass 
the format string to ra.  This is probably the best way to do it.  I.e. 

David Brumley | 4 Aug 2000 18:36

argus monitoring scripts

Hi,
Does anyone have example scripts they could send me for monitoring the
argus processes? I'm particularly interested in scripts that rotate files
on one machine, then sync them to another.

I'm using rsync right now, but keep running into race conditions.

signed,
david

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -      dbrumley <at> Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121     PGP: finger dbrumley-pgp <at> sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......

Carter Bullard | 4 Aug 2000 19:25

RE: argus monitoring scripts

Hey David,
   What kind of process monitoring are you looking for?
Is Argus still running? That kind of thing?

Carter

-----Original Message-----
From: owner-argus <at> lists.andrew.cmu.edu
[mailto:owner-argus <at> lists.andrew.cmu.edu]On Behalf Of David Brumley
Sent: Friday, August 04, 2000 12:37 PM
To: Argus (E-mail)
Subject: argus monitoring scripts

Hi,
Does anyone have example scripts they could send me for monitoring the
argus processes? I'm particularly interested in scripts that rotate files
on one machine, then sync them to another.

I'm using rsync right now, but keep running into race conditions.

signed,
david

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -      dbrumley <at> Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121     PGP: finger dbrumley-pgp <at> sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......

Peter Van Epp | 4 Aug 2000 20:26

Re: argus monitoring scripts

> 
> Hey David,
>    What kind of process monitoring are you looking for?
> Is Argus still running? That kind of thing?
> 
> Carter

	If so I have some partly done perl scripts (ripped off from shadow) 
that will eventually monitor the argus and gzip tasks from cron
and restart them if they look to be dead, cycle log files from cron and
at reboot time (into the current logfile if one is already going). An
early version is running on my systems now (simple log rolling and restart
in a new log file) and there are partly finished versions with more checking
around which I'm willing to part with if you have time to work on them. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

David Brumley | 4 Aug 2000 22:02

Re: argus monitoring scripts


Sorry for not being specific.  I'm running argus on several DMZs.  Every
night I rotate the argus file.  Then, the file from each DMZ is brought
over to a central machine.  There have been several times when disk space
problems, race conditions, etc. have caused problems.

Basically, I was looking to see if anyone had a similar setup, and how
they were handling it.  It seems that there are several steps:
host 1:
1. Kill argus
2. restart with new logfile name
3. notify other host that yesterday's argus file is ready for xfer

host 2:
4. wait for notification
5. when received, pull over argus file
6. run various extracts

It's nothing difficult, but I hate reinventing the wheel.

-djb

On Fri, 4 Aug 2000, Peter Van Epp wrote:

> > 
> > Hey David,
> >    What kind of process monitoring are you looking for?
> > Is Argus still running? That kind of thing?
> > 
> > Carter
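One way to do the rotate/notify/pull sequence in David's message without the rsync race, as an added example that is not part of the thread or of argus: the producer renames the finished file and only then writes a marker carrying its size and digest, and the collector acts only on files that have a marker, verifying the copy before it is exposed under its final name. The argus program itself is not invoked (nothing here depends on argus's own flags); a constructed byte string stands in for its output file, both "hosts" are directories under one temp dir, shutil.copyfile stands in for rsync/scp, and the ".ready" marker convention and directory names are assumptions of the example.

```python
"""Race-free rotate-and-collect hand-off for capture files.

Added example, not code from the thread or from argus.  A constructed file
stands in for the one argus was writing, shutil.copyfile stands in for the
rsync/scp step, and the ".ready" marker convention is an assumption.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

READY_SUFFIX = ".ready"  # marker that exists only once the file is complete


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def rotate(current: Path, archive_dir: Path, stamp: str) -> Path:
    """Host 1, steps 1-2: once the capture process has been stopped (or told
    to reopen its output), rename its file to a dated name.  os.replace is a
    rename, atomic on one filesystem, so nothing ever sees a half-written
    file under the archived name."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    archived = archive_dir / f"{current.name}.{stamp}"
    os.replace(current, archived)
    return archived


def publish(archived: Path) -> Path:
    """Host 1, step 3, the 'ready' notification.  Size and digest go into a
    marker written to a temp name and renamed into place, so a marker is
    either absent or describes a complete file.  It is written only after
    the writer has closed the file, which is what rsync-on-a-timer lacks."""
    marker = archived.with_name(archived.name + READY_SUFFIX)
    tmp = marker.with_name(marker.name + ".tmp")
    meta = {"name": archived.name, "size": archived.stat().st_size,
            "sha256": sha256_of(archived)}
    tmp.write_text(json.dumps(meta))
    os.replace(tmp, marker)
    return marker


def pull(archive_dir: Path, inbox: Path) -> List[str]:
    """Host 2, steps 4-5: collect every file that has a marker, verify the
    copy against the marker, and only then rename it to its final name in
    the inbox, so the extract step (6) can run on inbox/* safely.  Files
    with no marker are still being written and are ignored; a size or
    digest mismatch is treated as 'not ready yet' and retried next run."""
    inbox.mkdir(parents=True, exist_ok=True)
    pulled: List[str] = []
    for marker in sorted(archive_dir.glob("*" + READY_SUFFIX)):
        meta = json.loads(marker.read_text())
        src = archive_dir / meta["name"]
        dst = inbox / meta["name"]
        if dst.exists() and sha256_of(dst) == meta["sha256"]:
            continue  # already collected on an earlier run
        if not src.exists() or src.stat().st_size != meta["size"]:
            continue
        part = dst.with_name(dst.name + ".part")
        shutil.copyfile(src, part)  # stands in for rsync/scp to host 2
        if sha256_of(part) != meta["sha256"]:
            part.unlink()
            continue
        os.replace(part, dst)
        pulled.append(meta["name"])
    return pulled


def demo() -> Dict[str, object]:
    """Walk one rotation through both 'hosts' (directories in a temp dir)
    and report what each pull run collected."""
    root = Path(tempfile.mkdtemp())
    try:
        current = root / "argus.out"
        current.write_bytes(b"constructed stand-in for argus output\n" * 64)
        archived = rotate(current, root / "archive", "000805")
        before = pull(root / "archive", root / "inbox")  # no marker: nothing
        publish(archived)
        after = pull(root / "archive", root / "inbox")   # marker present
        again = pull(root / "archive", root / "inbox")   # second run: no-op
        copied = root / "inbox" / archived.name
        return {"before": before, "after": after, "again": again,
                "verified": sha256_of(copied) == sha256_of(archived)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The ordering is the whole point: rename first, restart the writer, compute the digest, and only then create the marker; the collector keys on the marker and never on the data file's mere existence, which is what lets a copy taken mid-write be rejected instead of silently processed.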

David Brumley | 4 Aug 2000 22:11

another question

Since I'm revamping how our logging system works, I've been taking another
look at argus options, particularly -d and -D.

Using argus-1.8.1, if I simply count the number of flows, I get:
root <at> rtfm# ./ra -r /log1/argus.000805 not man | wc -l
    1536

However, the debug records show:
Fri 08/04 13:07:21      man  pkts        1  drops     0   flows     1533 CLO

I was wondering why these two numbers don't match?

Also, it seems inconsistent to reset the packet count for each man record,
but not the flow count.  Perhaps resetting the flow count also is
appropriate?

Oh, and while I remember it, one more feature I'd like added to argus is
it writing out the PID of the process to stdout.  It makes killing,
restarting, etc. easier :)

signed,
david

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -      dbrumley <at> Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121     PGP: finger dbrumley-pgp <at> sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe

David Brumley | 4 Aug 2000 22:13

follow up

Argh, I didn't sleep well last night.  After looking through the man
records, I noticed that the last one printed out (what appears to
be) total flows, yet all other flows are reset.

Fri 08/04 13:06:38      man  pkts        7  drops     0   flows       77 STA
Fri 08/04 13:06:43      man  pkts        6  drops     0   flows       77 STA
Fri 08/04 13:06:48      man  pkts        4  drops     0   flows       76 STA
Fri 08/04 13:06:54      man  pkts        9  drops     0   flows       55 STA
Fri 08/04 13:07:00      man  pkts       23  drops     0   flows       59 STA
Fri 08/04 13:07:05      man  pkts        3  drops     0   flows       59 STA
Fri 08/04 13:07:10      man  pkts       53  drops     0   flows       66 STA
Fri 08/04 13:07:15      man  pkts       17  drops     0   flows       64 STA
Fri 08/04 13:07:21      man  pkts        5  drops     0   flows       34 STA
Fri 08/04 13:07:21      man  pkts        1  drops     0   flows     1533 CLO

I guess I don't get the output format here.  pkts obviously isn't the
total.  Is dropped going to be (when I have dropped packets)?

signed,
david
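A small parser for the ra "man" records above, as an added example that is not part of the thread or of argus, written so the two questions in David's messages can be checked on any rotated file rather than by eye: it totals the per-record pkts and drops over the STA records, reports the flows figure of the CLO record separately, computes the difference against the count from `./ra -r <file> not man | wc -l`, and flags any record with drops above a threshold. The sample lines are the ones posted above, re-joined where the mail wrapped the status column; the column meanings are taken only from the labels visible in that output, and the example reports the 1536 vs 1533 discrepancy without claiming to explain it.

```python
"""Parse ra 'man' records and reconcile them with a flow-record count.

Added example, not from the thread or from argus.  SAMPLE is the output
pasted in the thread (lines re-joined).  Nothing beyond the visible column
labels is assumed about what pkts/drops/flows mean.
"""
import re
from typing import Dict, List, Optional

SAMPLE = """\
Fri 08/04 13:06:38      man  pkts        7  drops     0   flows       77 STA
Fri 08/04 13:06:43      man  pkts        6  drops     0   flows       77 STA
Fri 08/04 13:06:48      man  pkts        4  drops     0   flows       76 STA
Fri 08/04 13:06:54      man  pkts        9  drops     0   flows       55 STA
Fri 08/04 13:07:00      man  pkts       23  drops     0   flows       59 STA
Fri 08/04 13:07:05      man  pkts        3  drops     0   flows       59 STA
Fri 08/04 13:07:10      man  pkts       53  drops     0   flows       66 STA
Fri 08/04 13:07:15      man  pkts       17  drops     0   flows       64 STA
Fri 08/04 13:07:21      man  pkts        5  drops     0   flows       34 STA
Fri 08/04 13:07:21      man  pkts        1  drops     0   flows     1533 CLO
"""

MAN_RE = re.compile(
    r"^(?P<day>\S+)\s+(?P<date>\S+)\s+(?P<time>\d\d:\d\d:\d\d)\s+man\s+"
    r"pkts\s+(?P<pkts>\d+)\s+drops\s+(?P<drops>\d+)\s+"
    r"flows\s+(?P<flows>\d+)\s+(?P<status>[A-Z]{3})\s*$"
)


def parse_man_records(text: str) -> List[Dict[str, object]]:
    """One dict per 'man' line.  Lines that do not match (the flow records
    in a mixed ra stream) are skipped, not guessed at."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = MAN_RE.match(line)
        if m:
            r: Dict[str, object] = m.groupdict()
            for k in ("pkts", "drops", "flows"):
                r[k] = int(r[k])
            records.append(r)
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, Optional[int]]:
    """Totals over the STA records, plus the figure the CLO record carries
    on its own, so the two can be looked at side by side."""
    sta = [r for r in records if r["status"] == "STA"]
    clo = [r for r in records if r["status"] == "CLO"]
    return {
        "sta_records": len(sta),
        "pkts_sta_total": sum(r["pkts"] for r in sta),
        "drops_total": sum(r["drops"] for r in records),
        "flows_last_sta": sta[-1]["flows"] if sta else None,
        "flows_clo": clo[-1]["flows"] if clo else None,
    }


def reconcile(records: List[Dict[str, object]],
              ra_flow_count: int) -> Dict[str, Optional[int]]:
    """Compare the `ra -r <file> not man | wc -l` count with the flows field
    of the CLO record.  A non-zero delta is the discrepancy asked about in
    the thread; it is reported here, not explained."""
    flows_clo = summarize(records)["flows_clo"]
    delta = None if flows_clo is None else ra_flow_count - flows_clo
    return {"ra_count": ra_flow_count, "flows_clo": flows_clo, "delta": delta}


def drop_alerts(records: List[Dict[str, object]],
                threshold: int = 0) -> List[str]:
    """Timestamps of man records whose drops exceed the threshold: the check
    a monitoring cron job would run over every rotated file."""
    return [f"{r['date']} {r['time']}" for r in records
            if r["drops"] > threshold]


if __name__ == "__main__":
    recs = parse_man_records(SAMPLE)
    print(summarize(recs))
    print(reconcile(recs, 1536))
    print(drop_alerts(recs))
```

Run against a real file with `ra -r <file> man` piped in; the drops check is the one worth wiring to an alert, since a sensor that is dropping packets produces flow records that look complete but are not.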

