Mike Iglesias | 3 Mar 2009 00:05

Argus 3.0 and Fedora 9

I'm having trouble getting argus 3.0 to read from eth1 and write its data
out to a file on a Fedora 9 system with kernel 2.6.27.15-78.2.23.fc9.i686.  I
can see the traffic with tcpdump, so I know there's data coming in on eth1.  I
built argus with .debug and ran it with -D 10.  I see this in the output:

  ArgusWarning: argus[22618]: 02 Mar 09 14:56:52.802236
ArgusGetInterfaceStatus: interface eth1 is up
argus[22618]: 02 Mar 09 14:56:52.802272 setArgusInterfaceStatus(1)
argus[22618]: 02 Mar 09 14:56:53.001399 ArgusGetPackets: select() returned 0
argus[22618]: 02 Mar 09 14:56:53.001445 ArgusGetPackets: select() timeout 1 up
interfaces
argus[22618]: 02 Mar 09 14:56:53.001561 ArgusUpdateTime (0x9064008) global
time 1236034613.001443 update 1236034613.201443 returning 1
argus[22618]: 02 Mar 09 14:56:53.001582 ArgusPopFrontList (0x9064da0) returning
argus[22618]: 02 Mar 09 14:56:53.001599 ArgusPushFrontList (0x9064b48,
0x9064da0, 1) returning 0x9064da0
argus[22618]: 02 Mar 09 14:56:53.001625 ArgusProcessQueueTimeout(0x9064008,
0x90643e0) done
argus[22618]: 02 Mar 09 14:56:53.001645 ArgusQueueManager() turns 1
statusQueue 0    qs 0  items 0    cache 0      resort 0      reclaim 0
new 0      send
s 0        bsends 0
argus[22618]: 02 Mar 09 14:56:53.001680 ArgusOutputProcess(0x9064910) starting
argus[22618]: 02 Mar 09 14:56:53.001703 ArgusOutputStatusTime(0x9064910) done
argus[22618]: 02 Mar 09 14:56:53.201399 ArgusGetPackets: select() returned 0
argus[22618]: 02 Mar 09 14:56:53.201433 ArgusGetPackets: select() timeout 1 up
interfaces
argus[22618]: 02 Mar 09 14:56:53.401399 ArgusGetPackets: select() returned 0
argus[22618]: 02 Mar 09 14:56:53.401431 ArgusGetPackets: select() timeout 1 up
interfaces

Carter Bullard | 3 Mar 2009 00:12

argus-clients-3.0.2.tar.gz with mysql support

Gentle people,
First pass at the new argus-clients distribution is on the dev server.
    ftp:/qosient.com/dev/argus-3.0/argus-clients-3.0.2.tar.gz

First pass because there will be modifications before it's released,
as the user data analysis programs still need a little tweak.

This version addresses many problems, particularly those
relating to backward compatibility to argus-2.x streams.
I have not had a chance to directly test the changes on
some of the bugs on the list but I suspect that this version
should fix those backward compatibility bugs.

If you try the code, and it doesn't have your issue fixed,
please, please, please, send email, so that I can get those
issues dealt with.

I am pleased to say that the database programs, rasqlinsert()
and rasql() are mostly ready to go.   I don't have a manpage yet,
so hopefully the "-h" option will give you guidance.

I will be sending out sometime this week detail on the use of
rasqlinsert(), the format of the database url that is needed to
access database data, and the concepts of rasql() and why
it's needed.

If you want to give rasqlinsert a run, like loading tables from
files, try these types of commands:

    rasqlinsert -r file -w mysql://user <at> host/db/table -m none

Carter Bullard | 3 Mar 2009 00:13

Re: Argus 3.0 and Fedora 9

Hey Mike,
I use Fedora all the time.  So what is the INTERFACE line in your
argus.conf file look like?  It could be opening the wrong interface?

Carter

On Mar 2, 2009, at 6:05 PM, Mike Iglesias wrote:

> I'm having trouble getting argus 3.0 to read from eth1 and write  
> its data
> out to a file on a Fedora 9 system with kernel  
> 2.6.27.15-78.2.23.fc9.i686.  I
> can see the traffic with tcpdump, so I know there's data coming in  
> on eth1.  I
> built argus with .debug and ran it with -D 10.  I see this in the  
> output:
>
>  ArgusWarning: argus[22618]: 02 Mar 09 14:56:52.802236
> ArgusGetInterfaceStatus: interface eth1 is up
> argus[22618]: 02 Mar 09 14:56:52.802272 setArgusInterfaceStatus(1)
> argus[22618]: 02 Mar 09 14:56:53.001399 ArgusGetPackets: select()  
> returned 0
> argus[22618]: 02 Mar 09 14:56:53.001445 ArgusGetPackets: select()  
> timeout 1 up
> interfaces
> argus[22618]: 02 Mar 09 14:56:53.001561 ArgusUpdateTime (0x9064008)  
> global
> time 1236034613.001443 update 1236034613.201443 returning 1
> argus[22618]: 02 Mar 09 14:56:53.001582 ArgusPopFrontList  
> (0x9064da0) returning

Mike Iglesias | 3 Mar 2009 00:37

Re: Argus 3.0 and Fedora 9

Carter Bullard wrote:
> Hey Mike,
> I use Fedora all the time.  So what is the INTERFACE line in your
> argus.conf file look like?  It could be opening the wrong interface?

It's opening the right interface:

# fgrep eth1 typescript
argus[22618]: 02 Mar 09 14:56:52.796688 setArgusDevice(eth1) returning
argus[22618]: 02 Mar 09 14:56:52.800928 ArgusOpenInterface()
pcap_open_live(eth1) returned 0x9065528
argus[22618]: 02 Mar 09 14:56:52.801066 ArgusOpenInterface(0xb7fbd008, 'eth1')
returning
  ArgusWarning: argus[22618]: 02 Mar 09 14:56:52.802236
ArgusGetInterfaceStatus: interface eth1 is up

# fgrep eth1 /etc/argus.conf
ARGUS_INTERFACE=eth1

I want it to write to /log/argus/argus.out

# fgrep argus.out /etc/argus.conf
ARGUS_OUTPUT_FILE=/log/argus/argus.out

The file gets created by argus if it's not there, and it appears to be writing
Man records to the file according to ra.

This system was running Fedora 7 and argus v2.  I reinstalled it with Fedora
9, and argus v2 did not write data either.  I was planning on upgrading to
argus v3, but I wanted to wait a bit before doing that.  Since v2 didn't work,

Mike Iglesias | 3 Mar 2009 01:12

Re: Argus 3.0 and Fedora 9

Carter Bullard wrote:
> Hey Mike,
> I use Fedora all the time.  So what is the INTERFACE line in your
> argus.conf file look like?  It could be opening the wrong interface?

It looks like it's some kind of change/problem with libpcap(?).  The line to
start argus on the Fedora 7/argus v2 system looked like this:

/usr/local/argus/sbin/argus -d - \(ip and not icmp \)

This worked on F7, but not F9.  If I change it to

/usr/local/argus/sbin/argus -d - not icmp

it works and generates output, both with argus v2 and argus v3.  Weird...

-- 
Mike Iglesias                          Email:       iglesias <at> uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2270

Carter Bullard | 3 Mar 2009 04:47

Re: Argus 3.0 and Fedora 9

That is odd, as we just pass that string directly to the pcap
filter compiler, and if it compiles, we use it.

If you give argus a "-b" option, you should get the dump of
the pcap compiled filter.  Is there any output with the (ip and not  
icmp)
filter?

what version of libpcap are you using?

Carter

On Mar 2, 2009, at 7:12 PM, Mike Iglesias wrote:

> Carter Bullard wrote:
>> Hey Mike,
>> I use Fedora all the time.  So what is the INTERFACE line in your
>> argus.conf file look like?  It could be opening the wrong interface?
>
> It looks like it's some kind of change/problem with libpcap(?).  The  
> line to
> start argus on the Fedora 7/argus v2 system looked like this:
>
> /usr/local/argus/sbin/argus -d - \(ip and not icmp \)
>
> This worked on F7, but not F9.  If I change it to
>
> /usr/local/argus/sbin/argus -d - not icmp
>
> it works and generates output, both with argus v2 and argus v3.   

Mike Iglesias | 3 Mar 2009 08:51

Re: Argus 3.0 and Fedora 9

Carter Bullard wrote:
> That is odd, as we just pass that string directly to the pcap
> filter compiler, and if it compiles, we use it.
> 
> If you give argus a "-b" option, you should get the dump of
> the pcap compiled filter.  Is there any output with the (ip and not icmp)
> filter?

Here's the output:

# /usr/local/argus/sbin/argus -b - \( ip and not icmp \)
(000) ldh      [12]
(001) jeq      #0x800           jt 2	jf 7
(002) ldh      [12]
(003) jeq      #0x800           jt 4	jf 6
(004) ldb      [23]
(005) jeq      #0x1             jt 7	jf 6
(006) ret      #96
(007) ret      #0

The Fedora 9 libpcap version from the RPM name is 0.9.8-2.fc9.

-- 
Mike Iglesias                          Email:       iglesias <at> uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2270
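The compiled filter Mike posted, as an added example that is not part of the thread and not argus or libpcap code: a small Python interpreter for the four BPF opcodes in that dump, run over constructed Ethernet/IPv4 frames. It shows what the program actually does with a packet (ethertype 0x0800 at offset 12, IP protocol at offset 23, ICMP being protocol 1, `ret #96` accept / `ret #0` reject), so the compiled filter can be checked on its own before suspecting it for the missing traffic. The frames and case names are constructed for the example.

```python
import re

# The filter exactly as "argus -b - \( ip and not icmp \)" printed it in the thread.
BPF_DUMP = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2\tjf 7
(002) ldh      [12]
(003) jeq      #0x800           jt 4\tjf 6
(004) ldb      [23]
(005) jeq      #0x1             jt 7\tjf 6
(006) ret      #96
(007) ret      #0
"""

INSN = re.compile(r"\((\d+)\)\s+(\w+)\s+(.*)")
JEQ = re.compile(r"#(0x[0-9a-fA-F]+|\d+)\s+jt\s+(\d+)\s+jf\s+(\d+)")

def parse_bpf(dump):
    """Parse the textual dump into tuples; jt/jf are absolute instruction numbers."""
    prog = []
    for line in dump.splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue
        op, args = m.group(2), m.group(3)
        if op in ("ldh", "ldb"):            # load half-word / byte at packet offset k
            prog.append((op, int(args.strip("[]"))))
        elif op == "jeq":                    # jump to jt if accumulator == k, else jf
            k, jt, jf = JEQ.match(args).groups()
            prog.append((op, int(k, 0), int(jt), int(jf)))
        elif op == "ret":                    # return snaplen (accept) or 0 (reject)
            prog.append((op, int(args.lstrip("#"), 0)))
        else:
            raise ValueError("unsupported opcode in this example: " + op)
    return prog

def run_bpf(prog, pkt):
    """Execute the program on one frame; out-of-bounds loads reject, as real BPF does."""
    pc, acc = 0, 0
    while True:
        insn = prog[pc]
        if insn[0] == "ldh":
            if insn[1] + 2 > len(pkt):
                return 0
            acc, pc = (pkt[insn[1]] << 8) | pkt[insn[1] + 1], pc + 1
        elif insn[0] == "ldb":
            if insn[1] + 1 > len(pkt):
                return 0
            acc, pc = pkt[insn[1]], pc + 1
        elif insn[0] == "jeq":
            pc = insn[2] if acc == insn[1] else insn[3]
        else:
            return insn[1]

def frame(ethertype, ip_proto):
    """Constructed 14-byte Ethernet header plus minimal 20-byte IPv4 header."""
    eth = b"\x00" * 12 + ethertype.to_bytes(2, "big")
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, ip_proto]) + b"\x00" * 10
    return eth + ip

def verdicts():
    prog = parse_bpf(BPF_DUMP)
    cases = {"ipv4-icmp": frame(0x0800, 1), "ipv4-tcp": frame(0x0800, 6),
             "ipv4-udp": frame(0x0800, 17), "arp": frame(0x0806, 0)}
    return {name: run_bpf(prog, pkt) for name, pkt in cases.items()}
```

Running `verdicts()` accepts the TCP and UDP frames (96), rejects the ICMP frame and the ARP frame (0), i.e. the compiled program does implement "ip and not icmp".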

carter | 3 Mar 2009 13:08

Re: Argus 3.0 and Fedora 9

Hey Mike,
So the test for IP is the 16 bit test for 0x0800 in the ethernet next hdr, but the 1 maybe
------Original Message------
From: Mike Iglesias
To: Carter Bullard
Cc: Argus
Subject: Re: [ARGUS] Argus 3.0 and Fedora 9
Sent: Mar 3, 2009 2:51 AM

Carter Bullard wrote:
> That is odd, as we just pass that string directly to the pcap
> filter compiler, and if it compiles, we use it.
> 
> If you give argus a "-b" option, you should get the dump of
> the pcap compiled filter.  Is there any output with the (ip and not icmp)
> filter?

Here's the output:

# /usr/local/argus/sbin/argus -b - \( ip and not icmp \)
(000) ldh      [12]
(001) jeq      #0x800           jt 2	jf 7
(002) ldh      [12]
(003) jeq      #0x800           jt 4	jf 6
(004) ldb      [23]
(005) jeq      #0x1             jt 7	jf 6
(006) ret      #96
(007) ret      #0

The Fedora 9 libpcap version from the RPM name is 0.9.8-2.fc9.

carter | 3 Mar 2009 13:17

Re: Argus 3.0 and Fedora 9

Sorry my phone sent my mail before I was done ;o)
So the filter doesn't look bad at first glance, but not sure about ICMP being a 1?

What about other simple filters like "tcp" ?
Are they working?
Carter

------Original Message------
From: Carter Bullard
Sender: argus-info-bounces+carter=qosient.com <at> lists.andrew.cmu.edu
To: Mike Iglesias
Cc: Argus
ReplyTo: Carter Bullard
Subject: Re: [ARGUS] Argus 3.0 and Fedora 9
Sent: Mar 3, 2009 7:08 AM

Hey Mike,
So the test for IP is the 16 bit test for 0x0800 in the ethernet next hdr, but the 1 maybe
------Original Message------
From: Mike Iglesias
To: Carter Bullard
Cc: Argus
Subject: Re: [ARGUS] Argus 3.0 and Fedora 9
Sent: Mar 3, 2009 2:51 AM

Carter Bullard wrote:
> That is odd, as we just pass that string directly to the pcap
> filter compiler, and if it compiles, we use it.
> 
> If you give argus a "-b" option, you should get the dump of

Mike Iglesias | 3 Mar 2009 18:11

Re: Argus 3.0 and Fedora 9

carter <at> qosient.com wrote:
> Sorry my phone sent my mail before I was done ;o)
> So the filter doesn't look bad at first glance, but not sure about ICMP being a 1?
> 
> What about other simple filters like "tcp" ?
> Are they working?

No, they aren't.  I tried "tcp", "udp", and "tcp or udp", and none of them
worked with argus or tcpdump.  Also, "not icmp", "not udp", and "not tcp"
don't work right either in that they still provide the traffic you are asking
not be provided, and you get the stuff you wanted too.

-- 
Mike Iglesias                          Email:       iglesias <at> uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2270
