Rodney McKee | 3 Jan 2010 22:46

Re: color graphs

Carter,

Glad you can reproduce the issue. It has been like it for some time, I originally thought that was just how it was.

As I have only just read your mail it's no rush.

Hope your Christmas and New Year celebrations were awesome.


----- "Carter Bullard" <carter <at> qosient.com> wrote:
> Hey Rodney,
> Sorry for the delayed response.  Hmmmmm, yes I'm getting the same behavior.
> The interesting thing is that we haven't changed ragraph() in a long time, so it
> is a head scratcher.
>
> I'm really hammered with end of year stuff, so give me a little while, and I'll try
> to figure out what is going on.
>
> Carter
>
> On Dec 14, 2009, at 2:37 PM, Rodney McKee wrote:
>
>> Carter,
>>
>> Certainly not different colors.
>> When I generate a split src/dst graph it will come out blue on both halves or like in this example each protocol is grey in color :-)
>> I've attached a couple of examples.
>>
>>
VIEAU Cédric 172196 | 8 Jan 2010 14:29

racube : Argus in 3D

Hello,

My colleagues and I have made a tool to visualize Argus flow data in 3D (the idea is taken from "The spinning
cube of potential doom") and we are releasing it today as an opensource tool that you might find of interest.

We call it the "monitoring cube" and it can display live Argus flows through a new "racube" client. 
It's available on http://www-moncube.cea.fr/doku.php/en:cube:cube

Documentation is not yet complete and it has only been tested under Debian Linux, so it might require a
little work to get it running on your installation, but I hope you will be able to give it a try.

Any feedback will be greatly appreciated.

Regards,
Cedric

Carter Bullard | 8 Jan 2010 17:04

Re: racube : Argus in 3D

Hey Cedric,
Very very  very cool!!!!  I like the page that describes the scan patterns!

I put a link to your site from argus's visualization page:
   http://qosient.com/argus/visualization.htm

And when I get back from FloCon, I'll put a blurb up in the news
section.

It should be easy to enable this to work on Windows.  The argus clients
library is really very portable, and if that is something that is important,
we could do something with that in 2010.

Carter

On Jan 8, 2010, at 8:29 AM, VIEAU Cédric 172196 wrote:

> Hello,
> 
> My colleagues and I have made a tool to visualize Argus flow data in 3D (the idea is taken from "The spinning
cube of potential doom") and we are releasing it today as an opensource tool that you might find of interest.
> 
> We call it the "monitoring cube" and it can display live Argus flows through a new "racube" client. 
> It's available on http://www-moncube.cea.fr/doku.php/en:cube:cube
> 
> Documentation is not yet complete and it has only been tested under Debian Linux, so it might require a
> little work to get it running on your installation, but I hope you will be able to give it a try.
> 
> Any feedback will be greatly appreciated.
> 
> Regards,
> Cedric
> 
> 

Attachment (smime.p7s): application/pkcs7-signature, 3815 bytes
Niall Murphy | 14 Jan 2010 11:54

ArgusReadSocketStream error

Hello all,

First of all, apologies for mailing a support related question to the development list, but I have searched
for the following error message which appears at the end of my Argus log, and cannot find references to it
anywhere, even searching koders.com.

"ArgusReadSocketStream: malformed argus record len 0"

I'm running...

ii  argus-client                      2.0.6.fixes.1-3          IP network transaction auditing tool
ii  argus-server                      1:2.0.6.fixes.1-16       IP network transaction auditing tool

...on debian stable.

If anyone could email me to let me know the possible triggers, impact, and workaround for this it would be
greatly appreciated.

If you need any more information please let me know.

Thanks.

-- 
Niall

Peter Van Epp | 14 Jan 2010 19:57

Re: ArgusReadSocketStream error

On Thu, Jan 14, 2010 at 10:54:09AM +0000, Niall Murphy wrote:
> Hello all,
> 
> First of all, apologies for mailing a support related question to the development list, but I have
> searched for the following error message which appears at the end of my Argus log, and cannot find
> references to it anywhere, even searching koders.com.
> 
> "ArgusReadSocketStream: malformed argus record len 0"
> 
> I'm running...
> 
> ii  argus-client                      2.0.6.fixes.1-3          IP network transaction auditing tool
> ii  argus-server                      1:2.0.6.fixes.1-16       IP network transaction auditing tool
> 
> ...on debian stable.
> 
> If anyone could email me to let me know the possible triggers, impact, and workaround for this it would be
greatly appreciated.
> 
> If you need any more information please let me know.
> 
> Thanks.
> 
> -- 
> Niall

This list serves as both the development and support list. 2.0.6 fixes1
is a very old version (but a goodie, I ran it in production for many years).
The error is likely a protocol it doesn't recognize, which means the packet
won't be processed and possibly the rest of that file won't be processed
(although it should just continue with the next packet, I don't think it always
did). Your best bet (if it's possible) would be to upgrade to the just released
3.0.2 version of argus, since it's unlikely that we will try and fix 2.0.6 :-).
While there are some changes to options and new and changed clients, ra is
still mostly the same (default options have changed though) and it will still
read and process 2.0.6 data.

Peter Van Epp

Sean McCreary | 15 Jan 2010 03:37

Two versions of argus-clients-3.0.2.tar.gz

<ftp://qosient.com/pub/argus/src/argus-clients-3.0.2.tar.gz> is not the
same as <http://qosient.com/argus/src/argus-clients-3.0.2.tar.gz>.
Which is the correct file?

Carter Bullard | 15 Jan 2010 06:07

Re: Two versions of argus-clients-3.0.2.tar.gz

Hey Sean,
Hmmm, my mistake.  Until I get back to NY, use the link on the http://qosient.com/argus
page, http://qosient.com/argus/dev/argus-clients-3.0.2.tar.gz.

Carter

On Jan 14, 2010, at 9:37 PM, Sean McCreary wrote:

> <ftp://qosient.com/pub/argus/src/argus-clients-3.0.2.tar.gz> is not the
> same as <http://qosient.com/argus/src/argus-clients-3.0.2.tar.gz>.
> Which is the correct file?
> 

Attachment (smime.p7s): application/pkcs7-signature, 3815 bytes
Jason Carr | 18 Jan 2010 20:29

10 minute time difference

I am running radium and writing to a file into a file location, /data/var/argus.out.  Every five minutes I
copy this file into a directory and rename the file to the current date and time.  While reading this file
with ra, it appears to be 10 minutes in the past.  For example, a file that is named
2010-01-18-10:25:00.argus contains data from 10:15-10:20.  Is there a reason why this would occur?  The
timestamps on the data source are synced with ntp as is the destination.

Thanks,

Jason

carter | 19 Jan 2010 15:22

Re: 10 minute time difference

Hey Jason,
Radium can "correct" the time if configured to do so, so be sure that is not set.

Other than that, no elements other than Argus can set the time.  I'd connect to radium and see if the times are ok
and then connect to Argus to make sure that those times are consistent.

The "ltime" is going to be closer to the file time than the "stime", so use that to see if it gets any better, and
consider using rasplit(), as that is sensitive to the times in the actual records.

A large ARGUS_FAR_STATUS causes Argus to hold records for a long time, so that can generate confusion.

Check these out and if all is still somewhat inconsistent, send more email.

Carter 

------Original Message------
From: Jason Carr
Sender: argus-info-bounces+carter=qosient.com <at> lists.andrew.cmu.edu
To: Argus
Subject: [ARGUS] 10 minute time difference
Sent: Jan 18, 2010 2:29 PM

I am running radium and writing to a file into a file location, /data/var/argus.out.  Every five minutes I
copy this file into a directory and rename the file to the current date and time.  While reading this file
with ra, it appears to be 10 minutes in the past.  For example, a file that is named
2010-01-18-10:25:00.argus contains data from 10:15-10:20.  Is there a reason why this would occur?  The
timestamps on the data source are synced with ntp as is the destination.

Thanks,

Jason

Sent from my Verizon Wireless BlackBerry
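The mismatch Carter describes above (a file named after the time it was copied holding older flow records, while rasplit files records by their own stime/ltime) can be modelled in a few lines. The following is an added example, not code from this list or from the Argus project: the one-minute status interval standing in for ARGUS_FAR_STATUS, the assumption that radium writes each record to argus.out as soon as the probe emits it, and the rule that a copy job picks up everything written before it runs are all assumptions, and the flow records are constructed.

```python
"""Constructed model of the file-naming mismatch discussed above.

A flow record carries its own stime (first packet) and ltime (last packet). The
probe is modelled as emitting the record only when the status interval that
contains ltime has ended (a simplified stand-in for the ARGUS_FAR_STATUS hold),
and radium is assumed to append it to argus.out at once. A copy job then names
the file after the wall-clock time of the copy, while a rasplit-style split
uses the record's own time. All values below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STATUS_INTERVAL = timedelta(seconds=60)  # assumed, not an Argus default
ROTATE = timedelta(minutes=5)            # the five-minute copy cadence from the post


def floor_to(t, step):
    """Round t down to the previous multiple of step within the hour."""
    secs = (t.minute * 60 + t.second) % int(step.total_seconds())
    return t.replace(microsecond=0) - timedelta(seconds=secs)


def emit_time(ltime, status_interval=STATUS_INTERVAL):
    """Wall-clock time the record reaches disk: end of the interval holding ltime."""
    return floor_to(ltime, status_interval) + status_interval


def bin_by_copy_time(records, rotate=ROTATE):
    """Label each record with the first copy job that runs after it was written."""
    bins = defaultdict(list)
    for stime, ltime in records:
        copy_at = floor_to(emit_time(ltime), rotate) + rotate
        bins[copy_at].append((stime, ltime))
    return dict(bins)


def bin_by_record_time(records, field="ltime", rotate=ROTATE):
    """rasplit-like labelling: the record's own stime or ltime picks the file."""
    bins = defaultdict(list)
    for stime, ltime in records:
        key = floor_to(ltime if field == "ltime" else stime, rotate)
        bins[key].append((stime, ltime))
    return dict(bins)


def worst_lag_minutes(records):
    """Largest gap between a copy-time file name and the oldest stime inside it."""
    worst = timedelta(0)
    for copy_at, recs in bin_by_copy_time(records).items():
        worst = max(worst, copy_at - min(s for s, _ in recs))
    return worst.total_seconds() / 60


def demo():
    """Run the model on constructed records and return a plain summary."""
    day = datetime(2010, 1, 18)

    def at(h, m, s=0):
        return day.replace(hour=h, minute=m, second=s)

    def hhmm(t):
        return t.strftime("%H:%M")

    records = [  # (stime, ltime) pairs, constructed
        (at(10, 15, 30), at(10, 19, 50)),
        (at(10, 16, 0), at(10, 17, 5)),
        (at(10, 21, 0), at(10, 22, 10)),
    ]
    return {
        "by_copy_time": {hhmm(k): len(v) for k, v in bin_by_copy_time(records).items()},
        "by_ltime": {hhmm(k): len(v) for k, v in bin_by_record_time(records).items()},
        "by_stime": {hhmm(k): len(v) for k, v in bin_by_record_time(records, "stime").items()},
        "worst_lag_minutes": worst_lag_minutes(records),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these constructed records the copy-time scheme files the flow that ran 10:15:30-10:19:50 under a 10:25 name, while splitting on ltime or stime puts it under 10:15; the model also shows why ltime tracks the file time more closely than stime, since the hold is counted from the flow's last packet.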
Carter Bullard | 22 Jan 2010 20:00

flocon 2010 presentations on the web

Gentle people,
I've updated the argus home page and I've put a list of what I was going
to do for version 3.0.4.  If you have any ideas, I'd love to include them!!!

I also put a blurb about FloCon 2010 and there are links to the FloCon 2010
argus presentations.   The "Introduction to Argus" is 100 slides that talk
about a lot of stuff.  I'm hoping that it could be the start of something like
an O'Reilly Nutshell book on Argus.  

The "Data Fusion" presentation, is a description of a new concept in flow
based Situational Awareness, where we use differential correlation from
multiple probes in the same time domain to solve basic attribution and location
determination problems.  

Well, the slides don't use such complex words, but the above message is
buried in some discussion on Geo and NetSpatial information and flow data.

Please take a look, and if you have any opinions, I'd love to hear them.

Hope all is most excellent,

Carter

Attachment (smime.p7s): application/pkcs7-signature, 3815 bytes
