Carter Bullard | 20 Jun 2003 04:42

RE: ra in clients distribution

Hey Russell,
   You can get last window size for both the src and dst
direction using the '-s win' option.  IP options come up
in the 'ind' (indicator) field, and have to be parsed.
If we can come up with a decent representation of the
options, we could have a separate field printed just for
them.  Currently, the argus record has all the options
that were observed as a bit map, so we can report
any/most of them as they occur.

Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Russell Fulton
> Sent: Thursday, June 19, 2003 6:20 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: ra in clients distribution
> 
> 
> Hi All,
> 	I've been trying to look for traffic from the new 
> trojan that sends syn
> packets with specific window size and options set.  I can do this with
> raxml but it is a pain because 
>      A. its slow (lots of formatting) and 
>      B. output is spread over multiple lines so I can't post process
>         using grep.
> However I notice that the -s switch on the ra in the client distro can
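As an added illustration of the grep-style post-processing Russell was after (this is example code, not part of the original thread or the argus distribution): a small Python filter over ra's column output. It assumes ra was run with a field list such as `-s saddr daddr win ind`, printing the source and destination window sizes as two columns; the exact column layout and the sample lines are constructed for the example, and the "dst window 0 means the SYN was never answered" heuristic is an assumption, not an argus guarantee.

```python
# Added example (not from the argus project): pick out flows with a given
# source TCP window size from ra(1) output, the way a grep pipeline would,
# but with the columns parsed so the match is exact.
#
# Assumed invocation (column order is an assumption of this example):
#   ra -r argus.out -n -s saddr daddr win ind
# Columns: saddr daddr src_win dst_win ind
# The sample lines below are constructed, not real captures.

SAMPLE_RA_OUTPUT = """\
192.0.2.10  198.51.100.5   16384 5840  s
192.0.2.11  198.51.100.7   55808 0     s
192.0.2.12  198.51.100.9   55808 5840  sS
203.0.113.4 192.0.2.20     8192  0     s
"""


def parse_ra_lines(text):
    """Split ra's whitespace-separated columns into records.

    Lines that do not have exactly five columns (headers, blanks, garbage)
    are skipped rather than raising, so the filter can run on a whole file.
    """
    records = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        saddr, daddr, swin, dwin, ind = cols
        try:
            records.append({
                "saddr": saddr,
                "daddr": daddr,
                "swin": int(swin),
                "dwin": int(dwin),
                "ind": ind,
            })
        except ValueError:
            # window columns that are not integers: malformed line, skip it
            continue
    return records


def find_window_probes(records, window, unanswered_only=True, ind_contains=None):
    """Return (saddr, daddr) pairs whose source window size equals `window`.

    unanswered_only: keep only flows where the destination side reported a
        window of 0, taken here (as an assumption) to mean no reply was seen,
        i.e. a one-sided SYN.
    ind_contains: optional substring that must appear in the 'ind' column,
        for callers who have already worked out how their ra version encodes
        the indicator they care about (the page gives no letter meanings).
    """
    hits = []
    for r in records:
        if r["swin"] != window:
            continue
        if unanswered_only and r["dwin"] != 0:
            continue
        if ind_contains is not None and ind_contains not in r["ind"]:
            continue
        hits.append((r["saddr"], r["daddr"]))
    return hits


if __name__ == "__main__":
    recs = parse_ra_lines(SAMPLE_RA_OUTPUT)
    for src, dst in find_window_probes(recs, 55808):
        print(f"{src} -> {dst}")
```

Feed it `ra ... | python3 filter.py` style by reading `sys.stdin.read()` in place of `SAMPLE_RA_OUTPUT`; once the window-size match is exact, a per-source count of hits is a one-line `collections.Counter` away.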

Mitesh P Choksi | 20 Jun 2003 21:49

Repository of argus clients

Dear All,

I use argus for recording what flows went to and from a router to 
audit/identify what could have happened when traffic peaks occur. Analysis 
usually finds the IP address giving the problem or the type of protocol. 
Only sometimes is it the number of flows/sec.

I would like to hand over this task of digging into the data and make it 
available for my brother who does not know linux.

I wanted to know if there are set of scripts/cgi/client software available 
for web based interface to dig in information from argus and graphically 
representing it.

I don't know perl so am not capable of writing the scripts on my own.

Any help will be appreciated even if it is pointers. If there are any windoze 
based utilities available that allow digging information from argus, I will 
try it out.

Regards,

Mitesh

Peter Van Epp | 20 Jun 2003 23:58

ra (or equivalent) in daemon mode?

	Before I look at possibly reinventing the wheel, was there any 
resolution to the question of how to have argus on one box writing only 
to a socket and ra (or something else since ra seems overkill) on another 
box that listens on the socket and writes the data to disk? Basically what
I'm after is argus_linux spread across two machines. One collecting / 
processing (but doing no disk I/O) and the other one writing the data to 
disk and being rotated by argus archive (and possibly running ra against 
the data in the archive). Linux is up and listening to a fdx link on a pair
of bonded 3c905Bs (and currently writing to disk on the same machine) now I
need to move the disk I/O to another machine in preparation for changing to 
Gig.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

