Phillip Deneault | 2 Oct 22:39

argus and filtering

I'm attempting to filter using the 3.0.2 code of the argus daemon
available here:
ftp://www.qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz

And I've been trying to set the ARGUS_FILTER using the following two
lines of a config file.

ARGUS_FILTER="not net 192.168.1.0/24"
ARGUS_ACCESS_PORT=561

I then use this command line to run the ra tool.

argus -X -F /etc/argus.conf.test

But I'm still getting data to and from 192.168.1.0/24.  Can anyone else
confirm this is a bug they have?  I'm running Centos 5.3.

Thanks,
Phil

Carter Bullard | 2 Oct 23:19

Re: argus and filtering

Hey Phillip,
The configuration variable is "RA_FILTER" not "ARGUS_FILTER".  I tested this
and it should work, but if this doesn't, send mail!!!!

Carter

On Oct 2, 2009, at 4:39 PM, Phillip Deneault wrote:

> I'm attempting to filter using the 3.0.2 code of the argus daemon
> available here:
> ftp://www.qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz
>
> And I've been trying to set the ARGUS_FILTER using the following two
> lines of a config file.
>
> ARGUS_FILTER="not net 192.168.1.0/24"
> ARGUS_ACCESS_PORT=561
>
> I then use this command line to run the ra tool.
>
> argus -X -F /etc/argus.conf.test
>
> But I'm still getting data to and from 192.168.1.0/24.  Can anyone else
> confirm this is a bug they have?  I'm running Centos 5.3.
>
> Thanks,
> Phil
>

Phillip Deneault | 5 Oct 14:57

Re: argus and filtering

Just to be clear, I'm attempting to put the filter in my argus.conf file
to ignore certain traffic and the documentation has it as
"ARGUS_FILTER".  Nevertheless, I tried it, and neither of the options
RA_FILTER or ARGUS_FILTER work.

I ran strace on argus trying each command separately and it appears more
processing is performed with ARGUS_FILTER.

My goal here is to filter on a set of IPs that I do not wish to record,
but don't want to filter at the network interface because I wish other
tools listening on that port to process that traffic instead.

Thanks,
Phil

Carter Bullard wrote:
> Hey Phillip,
> The configuration variable is "RA_FILTER" not "ARGUS_FILTER".  I tested this
> and it should work, but if this doesn't, send mail!!!!
> 
> Carter
> 
> 
> On Oct 2, 2009, at 4:39 PM, Phillip Deneault wrote:
> 
>> I'm attempting to filter using the 3.0.2 code of the argus daemon
>> available here:
>> ftp://www.qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz
>>

Phillip Deneault | 5 Oct 16:56

Re: argus and filtering

This is what the -b option is spitting out, which looks like it's
processing the line correctly (to my untrained eye).  But the traffic is
not actually filtered in the output.

# argus -b -F /etc/argus.conf.test -i eth1
(000) ldh      [12]
(001) jeq      #0x800           jt 2	jf 5
(002) ld       [26]
(003) and      #0xffffff00
(004) jeq      #0xc0a80100      jt 30	jf 5
(005) ldh      [12]
(006) jeq      #0x800           jt 7	jf 10
(007) ld       [30]
(008) and      #0xffffff00
(009) jeq      #0xc0a80100      jt 30	jf 10
(010) ldh      [12]
(011) jeq      #0x806           jt 12	jf 15
(012) ld       [28]
(013) and      #0xffffff00
(014) jeq      #0xc0a80100      jt 30	jf 15
(015) ldh      [12]
(016) jeq      #0x806           jt 17	jf 20
(017) ld       [38]
(018) and      #0xffffff00
(019) jeq      #0xc0a80100      jt 30	jf 20
(020) ldh      [12]
(021) jeq      #0x8035          jt 22	jf 25
(022) ld       [28]
(023) and      #0xffffff00
(024) jeq      #0xc0a80100      jt 30	jf 25

Carter Bullard | 5 Oct 17:30

Re: argus and filtering

Hey Phillip,
Sorry, I was confused, I thought you were referring to client code
and rarc files.  The filter used by argus to filter packets is a libpcap() filter,
and should be equivalent to the filter you would normally supply on the
command line.  I believe that the libpcap equivalent filter should be:

    "not net 192.168.1"     ?????

If you put the filter on the argus command line do you get the same behavior?
How does tcpdump() deal with the filter?

Carter

On Oct 5, 2009, at 10:56 AM, Phillip Deneault wrote:

> This is what the -b option is spitting out, which looks like it's
> processing the line correctly (to my untrained eye).  But the traffic is
> not actually filtered in the output.
>
> # argus -b -F /etc/argus.conf.test -i eth1
> (000) ldh      [12]
> (001) jeq      #0x800           jt 2	jf 5
> (002) ld       [26]
> (003) and      #0xffffff00
> (004) jeq      #0xc0a80100      jt 30	jf 5
> (005) ldh      [12]
> (006) jeq      #0x800           jt 7	jf 10

Phillip Deneault | 5 Oct 17:47

Re: argus and filtering

Ah ha!  Checking my rule against TCPdump was one obvious thing I hadn't
tried.  When I did I discovered a vlan issue.  So I have to include the
vlan tag on that interface, so my rule works correctly if I use the
following:

vlan <num> and not net 192.168.1.0

Sorry for the confusion.  I'm not using a physical configuration I use
on many of my other argus boxen.

Thanks,
Phil

Carter Bullard wrote:
> Hey Phillip,
> Sorry, I was confused, I thought you were referring to client code
> and rarc files.  The filter used by argus to filter packets is a libpcap() filter,
> and should be equivalent to the filter you would normally supply on the
> command line.  I believe that the libpcap equivalent filter should be:
> 
>    "not net 192.168.1"     ?????
> 
> If you put the filter on the argus command line do you get the same behavior?
> How does tcpdump() deal with the filter?
> 
> Carter
> 
> 

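Why the filter passed the 192.168.1.0/24 traffic, as an added illustration that is not code from the thread or from argus: Carter's point that ARGUS_FILTER is an ordinary libpcap filter, and Phil's finding that the interface carried VLAN-tagged frames, combine into the fixed-offset checks the -b listing shows (ethertype at [12], IPv4 addresses at [26]/[30], ARP at [28]/[38]). The frames below are constructed, and the VLAN ID 100 and MAC/IP addresses are assumptions.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_RARP, ETH_VLAN = 0x0800, 0x0806, 0x8035, 0x8100
NET_MASK, NET_VALUE = 0xFFFFFF00, 0xC0A80100   # 192.168.1.0/24 as the -b listing encodes it


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample frame (not captured data): Ethernet header, optional
    802.1Q tag, and a minimal IPv4 header with no payload and a zero checksum."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)  # tag shifts all later fields by 4
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


def ldh(frame, off):          # BPF 'ldh [off]': 16-bit big-endian load
    return struct.unpack_from("!H", frame, off)[0]


def ld(frame, off):           # BPF 'ld [off]': 32-bit big-endian load
    return struct.unpack_from("!I", frame, off)[0]


def fixed_offset_filter(frame):
    """'not net 192.168.1.0/24' as the listed program tests it: ethertype at [12],
    IPv4 src/dst at [26]/[30], ARP/RARP sender/target at [28]/[38].
    Returns True when argus would accept (record) the frame."""
    ethertype = ldh(frame, 12)
    if ethertype == ETH_IPV4:
        offsets = (26, 30)
    elif ethertype in (ETH_ARP, ETH_RARP):
        offsets = (28, 38)
    else:
        return True   # 0x8100 at [12] matches no branch, so a tagged frame falls through to accept
    return not any(ld(frame, o) & NET_MASK == NET_VALUE for o in offsets)


def vlan_aware_filter(frame, vlan_id):
    """'vlan <num> and not net 192.168.1.0': require an 802.1Q tag carrying vlan_id,
    then run the same net test with the 4-byte tag removed, which is what the
    'vlan' primitive's offset adjustment amounts to."""
    if ldh(frame, 12) != ETH_VLAN or ldh(frame, 14) & 0x0FFF != vlan_id:
        return False
    return fixed_offset_filter(frame[:12] + frame[16:])
```

A tagged frame from 192.168.1.5 is accepted by fixed_offset_filter (Phil's symptom) and rejected by vlan_aware_filter with the matching VLAN ID; the same check with tcpdump -d on the real interface is the quickest way to confirm which form a sensor is actually running.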
Carter Bullard | 6 Oct 16:44

Re: Compiling argus with geoip dynamic shared object/ Visualizations

Hey Charles,
Remind me during the 3.0.3 cycle to be sure and add the changes you need for
GeoIP library searching.

Human vision is a very sophisticated sensor, and the only way to use it as a
part of a detection/response system is to present a visualization that is useful,
familiar, etc.....  Maybe a weird way of putting it, but the primary goal is to bring
the "human in the loop", regardless of whether you're supporting detection, tracking,
response, mitigation, resolution, whatever.

I personally like molecular modeling systems, as they are cool looking and they
provide massive utility for scientific analysis/research, education etc...  GIS systems
are very useful for lots of things, so I'm thinking we need to use both of these types
of visualization methodologies to get something useful.

One of the problems with visualizations is that sometimes you can't get past the
image.  So the realtime visualization I'm working on now looks like an earth globe with pin
cushions and clouds.  I'll add links (probably the standard ballistic lines between
pin cushions) and have some flexibility on colors, shapes (maybe not

Carter Bullard | 7 Oct 15:40

Re: radium stops passing traffic

Hey Jason,
Did you check any syslog messages?  That is usually the giveaway.
If not, the best we can do is attach to radium() using gdb() to see what
it thinks is going on.

Carter

On Sep 28, 2009, at 2:48 PM, Jason Carr wrote:

> Checking on the process, it is not using 100% when it gets to the point of
> no longer working.
>
> What other information might you need?
>
> Thanks,
>
> Jason
>
> On Sep 25, 2009, at 3:31 PM, Jason Carr wrote:
>
>> Once radium is in this state, ra -S localhost:561 accepts connections but
>> no longer produces any output.  Connecting to the arguses works fine via
>> ra -S 10.10.10.100:561 and does produce output.
>>
>> I'll check to see if the CPU load is high at the time, but I do not
>> believe that it is.
>>
>> - Jason
>>

Carter Bullard | 7 Oct 19:28

Re: Argus SPEC file for RPM building

Hey Chris,
I've made changes in the argus.spec file in argus-3.0.2.tar.gz to deal with your issue
and refreshed the candidate argus-3.0.2 tarball.  Could you give this a try to see if
it solves your problem?

I had to do something different from your suggested patch, so it may need some
little test.  If this works for you, I'll make the same type of changes for the clients.

Thanks!!!!

Carter

On Sep 20, 2009, at 5:49 PM, Chris Wilson wrote:

>
>
> I just tried to build Argus 3.0.0 RPMs as a normal user (not as root) and
> discovered that it was not possible, because argus.spec does not use
> buildroots and tries to install Argus on the host system in order to
> create the RPM. This is generally seen as a Bad and Dangerous Thing(TM).
>
> Please find attached a patch to argus.spec to enable the RPM to be built
> as a non-root user, and without installing it on the host system.
>

Chris Wilson | 10 Oct 03:35

Re: Argus SPEC file for RPM building

Hi Carter,

On Wed, 7 Oct 2009, Carter Bullard wrote:

> I've made changes in the argus.spec file in argus-3.0.2.tar.gz to deal 
> with your issue and refreshed the candidate argus-3.0.2 tarball.  Could 
> you give this a try to see if it solves your problem?
>
> I had to do something different from your suggested patch, so it may 
> need some little test.  If this works for you, I'll make the same type 
> of changes for the clients.

Thanks for that. It does fix the problem with building the server RPM. 
I've attached an updated patch for the client RPM which may be less 
intrusive than the previous one.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <chris+sig <at> qwirx.com> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
diff -ru argus-clients-3.0.2/lib/argus-clients.spec argus-clients-3.0.2-chris/lib/argus-clients.spec
--- argus-clients-3.0.2/lib/argus-clients.spec	2009-09-14 19:29:11.000000000 +0100
+++ argus-clients-3.0.2-chris/lib/argus-clients.spec	2009-10-10 02:29:19.000000000 +0100
@@ -9,6 +9,7 @@
 Group: Applications/Internet
 Source0: ftp://ftp.qosient.com/argus/%{name}-%{ver}.%{rel}.tar.gz
 URL: http://qosient.com/argus

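Review bot: the hunk header (@@ -9,6 +9,7 @@) announces one added line in the spec preamble after the URL: tag, but the archive cuts the patch off before that line, so the change itself cannot be reviewed from what is shown. Given that the thread is about building the RPM without installing into the host system, the thing to verify in the full patch is that the added line is a BuildRoot: definition and that the %install and %clean sections of argus-clients.spec were updated to use it; a BuildRoot: tag alone, with an %install that still writes to / , would reintroduce the original problem.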
