Carter Bullard | 1 Mar 22:11 2006

Re: ra printing bug?

Hey Phil,
   The assignment of rtp is different from other protocols, as it's
discovered rather than just a lookup out of the IP protocol table.  So, it
misses the logic of checking for -nn or -nnn and just prints the string.
That's an easy one.  You can fix this by modifying the line in
ArgusPrintProto so that it puts out the udp protocol number instead of
"rtp".  Not sure about rtsp?

Carter

Phillip G Deneault wrote:

>Has anyone else noticed a problem where one can try to use the -nnn
>switches in ra to not resolve protocols and ra continues to resolve some
>flows as things like 'rtp' and 'rtsp'?  Is there a way to stop this and
>just have it give me the numbers?
>
>This seems like inconsistent behavior with what happens for all other
>traffic that gets returned, since I really want protocol numbers.
>
>Phil
>
>  
>
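A constructed illustration of the bug Carter describes (added here, not Argus code): a name-suppression flag that the protocol-table lookup path honours but that the special-case label for a discovered protocol bypasses, beside the corrected version. The struct, the function names and the nlevel threshold (two or more -n flags requests numeric protocols) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug; not Argus source.
 * nlevel counts the repeated -n flags on the ra command line
 * (assumption: -nn or more, i.e. nlevel >= 2, asks for numeric protocols). */

#define PROTO_TCP 6
#define PROTO_UDP 17

struct flow {
    int ip_proto;            /* protocol number from the IP header */
    const char *discovered;  /* label assigned by payload inspection ("rtp"), or NULL */
};

/* Table lookup path: honours the numeric flag. */
static const char *proto_table_name(int proto, int nlevel, char *buf, size_t len)
{
    if (nlevel >= 2) {
        snprintf(buf, len, "%d", proto);
        return buf;
    }
    switch (proto) {
    case PROTO_TCP: return "tcp";
    case PROTO_UDP: return "udp";
    default:
        snprintf(buf, len, "%d", proto);  /* unknown: fall back to the number */
        return buf;
    }
}

/* Buggy printer: the discovered label bypasses the -nn check entirely. */
const char *print_proto_buggy(const struct flow *f, int nlevel, char *buf, size_t len)
{
    if (f->discovered != NULL)
        return f->discovered;            /* prints "rtp" even under -nnn */
    return proto_table_name(f->ip_proto, nlevel, buf, len);
}

/* Fixed printer: apply the same check before using the discovered label,
 * so -nn/-nnn yields the carrier protocol number (17 for rtp over udp). */
const char *print_proto_fixed(const struct flow *f, int nlevel, char *buf, size_t len)
{
    if (f->discovered != NULL && nlevel < 2)
        return f->discovered;
    return proto_table_name(f->ip_proto, nlevel, buf, len);
}
```

The practical consequence of the buggy path is the inconsistency Phil reports: a script that parses ra output under -nnn and keys on protocol numbers gets a string for some flows and a number for the rest.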

Peter Moody | 8 Mar 20:36 2006

latest argus?

So the latest version of argus from the site is argus-2.0.6.  This is
from May of 2004.  There are  <at> deity knows how many patches applied to
this which have, to my knowledge, only been posted to the mailing
list.

There was a "release" of a 2.0.6-fixes on Feb 23 of this year, but
there already appears to have been two *large* patches sent in to the
list, so we're back to a situation where what's posted is not what's
current.

I really like argus and its capabilities, but it's very hard to stay
current when current means constantly patching from the mailing list
(not to mention when current means options changing meaning...).

So, is there an official version somewhere?  Is the official version
actually 2 years old and everything on the mailing list is just bonus?
Are there plans to have an official version?  Can I hope for options
to maintain meaning between versions, or at least be slowly deprecated
w/ warning?

</rant>

Cheers,
-Peter

Gabriel L. Somlo | 8 Mar 23:07 2006

Re: latest argus?

On Wed, Mar 08, 2006 at 11:36:24AM -0800, Peter Moody wrote:
> So, is there an official version somewhere?

No official version here, but 2.0.6.fixes.1 with Peter Van Epp's
printing bug patches posted to the list earlier, plus whatever
was needed to get the thing compiled on FC4 (gcc 4.0.2) and get
make w. DESTDIR to do the right thing.

Check out

http://www.contrib.andrew.cmu.edu/~somlo/argus-2.0.6.fixes.1-5.src.rpm

for the FC4 source RPM file. You can either build it yourself if you
use Fedora, or pull out the patches and build manually if you use
something else.

I'm actually trying to get this added to Fedora Extras, so any
comments re. the packaging are welcome.

Cheers,
Gabriel

Steve McInerney | 8 Mar 23:23 2006

Re: latest argus?


on 09/03/06 09:07 Gabriel L. Somlo said the following:
> http://www.contrib.andrew.cmu.edu/~somlo/argus-2.0.6.fixes.1-5.src.rpm
> 
> for the FC4 source RPM file. You can either build it yourself if you
> use Fedora, or pull out the patches and build manually if you use
> something else.
> 
> I'm actually trying to get this added to Fedora Extras, so any
> comments re. the packaging are welcome.

Is it worth getting it Extras? Or perhaps in DAG/Freshrpms and co?
It may be an easier sell that way.

???

- Steve

Gabriel L. Somlo | 8 Mar 23:32 2006

Re: latest argus?

On Thu, Mar 09, 2006 at 09:23:41AM +1100, Steve McInerney wrote:
> 
> Is it worth getting it Extras?

I've managed to get one other package into Extras, and it didn't end
up being very painful. Took a couple of weeks or so to make it through
the review process.

> Or perhaps in DAG/Freshrpms and co?
> It may be an easier sell that way.

Certainly worth looking into, if the Extras thing doesn't work out...

Cheers,
Gabriel

Peter Van Epp | 9 Mar 01:06 2006

Re: latest argus?

	Can you tell me where the fixes release of Feb 23 is on the qosient
site? The only one I know of, /dev/argus-2.0/argus-clients-2.0.6.fixes.1.tar.gz,
is from May of 2004 (and that's the one I'm patching against). I'm working on
(fairly slowly obviously :-)) a set of all the patches since fixes.1 that I'm
aware of which I will send to the list and then Carter may choose to put out a
fixes.2 release if we are lucky.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Wed, Mar 08, 2006 at 11:36:24AM -0800, Peter Moody wrote:
> So the latest version of argus from the site is argus-2.0.6.  This is
> from May of 2004.  There are  <at> deity knows how many patches applied to
> this which have, to my knowledge, only been posted to the mailing
> list.
> 
> There was a "release" of a 2.0.6-fixes on Feb 23 of this year, but
> there already appears to have been two *large* patches sent in to the
> list, so we're back to a situation where what's posted is not what's
> current.
> 
> I really like argus and its capabilities, but it's very hard to stay
> current when current means constantly patching from the mailing list
> (not to mention when current means options changing meaning...).
> 
> So, is there an official version somewhere?  Is the official version
> actually 2 years old and everything on the mailing list is just bonus?
>  Are there plans to have an official version?  Can I hope for options
> to maintain meaning between versions, or at least be slowly deprecated
> w/ warning?

slif | 9 Mar 01:40 2006

Re: Re: latest argus?

Well, the author might be given a chance to speak to providing an updated version.
It appeared a newer version was imminent back in November 2004.

What do you think, Carter?

> 
> From: Steve McInerney <spm <at> healthinsite.gov.au>
> Date: 2006/03/08 Wed PM 05:23:41 EST
> To: "Gabriel L. Somlo" <somlo <at> cmu.edu>
> CC: argus-info <at> lists.andrew.cmu.edu
> Subject: Re: [ARGUS] latest argus?
> 
> 
> on 09/03/06 09:07 Gabriel L. Somlo said the following:
> > http://www.contrib.andrew.cmu.edu/~somlo/argus-2.0.6.fixes.1-5.src.rpm
> > 
> > for the FC4 source RPM file. You can either build it yourself if you
> > use Fedora, or pull out the patches and build manually if you use
> > something else.
> > 
> > I'm actually trying to get this added to Fedora Extras, so any
> > comments re. the packaging are welcome.
> 
> Is it worth getting it Extras? Or perhaps in DAG/Freshrpms and co?
> It may be an easier sell that way.
> 
> 
> ???
> 
> - Steve

Carter Bullard | 9 Mar 01:58 2006

Re: latest argus?

Hmmmmmm, seems like there is a barb there somewhere.

On Mar 8, 2006, at 7:40 PM, <slif <at> bellsouth.net> wrote:

> Well, the author might be given a chance to speak to providing an  
> updated version.
> It appeared a newer version was imminent back in November 2004.
>
> What do you think, Carter?
>
>
>>
>> From: Steve McInerney <spm <at> healthinsite.gov.au>
>> Date: 2006/03/08 Wed PM 05:23:41 EST
>> To: "Gabriel L. Somlo" <somlo <at> cmu.edu>
>> CC: argus-info <at> lists.andrew.cmu.edu
>> Subject: Re: [ARGUS] latest argus?
>>
>>
>> on 09/03/06 09:07 Gabriel L. Somlo said the following:
>>> http://www.contrib.andrew.cmu.edu/~somlo/argus-2.0.6.fixes.1-5.src.rpm
>>>
>>> for the FC4 source RPM file. You can either build it yourself if you
>>> use Fedora, or pull out the patches and build manually if you use
>>> something else.
>>>
>>> I'm actually trying to get this added to Fedora Extras, so any
>>> comments re. the packaging are welcome.
>>

Peter Moody | 9 Mar 02:08 2006

Re: latest argus?

ok, you're right. checking the time stamps on the fixes.1.tar.gz,
that's from may of 04.  What I was referring to was an email you sent
with a link to those files.  that was the first time I'd seen that dev
site.

so, the "current" is two years of patches maintained on a mailing
list?  With options becoming incompatible/obsolete between patches? 
Is that right?

-Peter

On 3/8/06, Peter Van Epp <vanepp <at> sfu.ca> wrote:
>         Can you tell me where the fixes release of Feb 23 is on the
> qosient site? The only one I know of /dev/argus-2.0/argus-clients-2.0.6.fixes.1.tar.gz is from May of
> 2004 (and that's the one I'm patching against). I'm
> working on (fairly slowly obviously :-)) a set of all the patches since fixes.1
> that I'm aware of which I will send to the list and then Carter may choose to
> put out a fixes.2 release if we are lucky.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> On Wed, Mar 08, 2006 at 11:36:24AM -0800, Peter Moody wrote:
> > So the latest version of argus from the site is argus-2.0.6.  This is
> > from May of 2004.  There are  <at> deity knows how many patches applied to
> > this which have, to my knowledge, only been posted to the mailing
> > list.
> >
> > There was a "release" of a 2.0.6-fixes on Feb 23 of this year, but
> > there already appears to have been two *large* patches sent in to the

Peter Van Epp | 9 Mar 04:21 2006

Re: latest argus?

On Wed, Mar 08, 2006 at 05:08:49PM -0800, Peter Moody wrote:
> ok, you're right. checking the time stamps on the fixes.1.tar.gz,
> that's from may of 04.  What I was referring to was an email you sent
> with a link to those files.  that was the first time I'd seen that dev
> site.
> 
> so, the "current" is two years of patches maintained on a mailing
> list?  With options becoming incompatible/obsolete between patches? 
> Is that right?
> 
> -Peter
> 

	Well, that's one way of looking at it I suppose :-). Another way of 
looking at it is that it is an open source project that gets support when
time is available between paying the bills. I know of a couple of commercial
"equivalents" to argus (for some value of equivalent) and Carter sells a 
commercial version of argus (which along with consulting, pays his bills I 
believe) so I for one am grateful for the open source version but there are
options.
	I'm still running argus in production (and using it to fight off 
commercial IPS/IDS vendors quite successfully :-)) after around 10 years or so. 
	It's not so much that the options are changing, it's more (and I'm as 
guilty as anyone) that we haven't been updating the man pages to match the 
code. Sometimes the cli options aren't exactly the same as the config file 
ones which is why I added -nnn to the cli, to suppress all translations (which 
can be done from the config file but didn't used to be from the cli). Most of 
the patches are in the clients which are mostly an example on how to write your 
own (which I tend to do in perl rather than C :-)). Only a couple are in argus 
itself and have mostly been bugs found while running on production networks of 
