Carter Bullard | 1 Dec 2001 15:40

RE: [RE: problem with datafile size (argus 2.0.3)]

Hey Oleg,
   Yes, an argus record of length 3 is not good.
Each argus record has a detectable signature, and so
finding the next valid argus record is possible,
but the code to do this hasn't been written yet.

   The logic to find the correct argus record framing
would have to go into ./common/argus_parse.c.  Is this
datafile so very important that you need to recover
the data from it?  I can add the routines to auto recover
framing boundaries, but it will have to wait for a week
or two.

   If you're interested in writing the C routines
yourself, I can talk you through the logic, if that would
be helpful.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter <at> qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
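Added example, not argus code and not the routine Carter describes for ./common/argus_parse.c: a Python prototype of the resync logic, which scans forward for the next offset at which a run of plausible record headers chains cleanly. The 4-byte header layout, the type tags 0x10 and 0x80 and the 4096-byte length cap are assumptions made for the illustration; the real ArgusRecord header is larger and is defined in the argus sources. The sample file is constructed and includes a bogus record claiming length 3, the symptom Oleg reported.

```python
"""Resynchronising a stream of length-prefixed binary records after corruption."""
import struct

# Assumed header layout for this example only (NOT the real argus 2.0
# ArgusRecord header): 1-byte type tag, 1-byte cause, big-endian 16-bit
# total length that includes the header itself.
HDR = struct.Struct(">BBH")
KNOWN_TYPES = {0x10, 0x80}            # assumed type tags
MIN_LEN, MAX_LEN = HDR.size, 4096     # any length outside this range is junk


def header_plausible(buf: bytes, off: int) -> bool:
    """True if a header at `off` has a known type tag and a length that is
    in range and does not run past the end of the buffer (no over-read)."""
    if off + HDR.size > len(buf):
        return False
    rtype, _cause, rlen = HDR.unpack_from(buf, off)
    return (rtype in KNOWN_TYPES
            and MIN_LEN <= rlen <= MAX_LEN
            and off + rlen <= len(buf))


def find_next_record(buf: bytes, start: int, depth: int = 2) -> int:
    """Return the first offset >= `start` from which `depth` consecutive
    records chain plausibly (or the chain ends exactly at end of buffer),
    or -1 if there is none.  Demanding a chain rather than a single
    good-looking header is what stops a stray payload byte that happens to
    equal a type tag from being mistaken for a record boundary."""
    for off in range(start, len(buf) - HDR.size + 1):
        p, ok = off, True
        for _ in range(depth):
            if p == len(buf):
                break                      # chain reached EOF exactly: accept
            if not header_plausible(buf, p):
                ok = False
                break
            p += HDR.unpack_from(buf, p)[2]
        if ok:
            return off
    return -1


def split_records(buf: bytes):
    """Walk the buffer and return (records, junk_bytes).  Each record is
    (offset, type, payload).  A plausible header is taken where it stands;
    anything else is skipped up to the next offset where records chain."""
    records, junk, off = [], 0, 0
    while off < len(buf):
        if header_plausible(buf, off):
            rtype, _cause, rlen = HDR.unpack_from(buf, off)
            records.append((off, rtype, buf[off + HDR.size:off + rlen]))
            off += rlen
            continue
        nxt = find_next_record(buf, off + 1)
        if nxt < 0:                        # nothing usable remains
            junk += len(buf) - off
            break
        junk += nxt - off
        off = nxt
    return records, junk


def sample_file() -> bytes:
    """Constructed sample: a good record, a bogus record claiming length 3
    (the symptom reported in the thread), then two more good records."""
    good_a = HDR.pack(0x10, 0, HDR.size + 4) + b"\xaa\xbb\xcc\xdd"
    bogus = HDR.pack(0x10, 0, 3)                   # length 3 is impossible
    good_b = HDR.pack(0x80, 1, HDR.size + 2) + b"\x01\x02"
    good_c = HDR.pack(0x10, 2, HDR.size)           # header-only record
    return good_a + bogus + good_b + good_c


if __name__ == "__main__":
    recs, junk = split_records(sample_file())
    for off, rtype, payload in recs:
        print(f"record at {off:3d} type 0x{rtype:02x} payload {payload.hex() or '-'}")
    print(f"skipped {junk} junk bytes")
```

The length bound and the end-of-buffer check are the part that matters most: a corrupt length field must never be allowed to drive a read past the end of the data, even at the cost of discarding a trailing record that could not be validated.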

Carter Bullard | 1 Dec 2001 16:07

RE: ragator config question

Hey Wozz,
   No, support for ranges is not there.  Can be, not hard.
Would you like ranges with CIDR addresses as well?

   1.2.3.4:30-2.3.4.0:24

This could be very interesting, but also very confusing.
I'll look into it.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter <at> qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of Wozz
> Sent: Thursday, November 29, 2001 9:21 PM
> To: argus-info <at> lists.andrew.cmu.edu
> Subject: ragator config question
> 
> 
> Is there a way to specify a range of addresses in an ragator 

Carter Bullard | 1 Dec 2001 16:16

RE: Question

Hello Ricardo,
   Yes this is very easy to do, and programs like ra()
are designed to support this exact scenario.

   host1  argus running, listening on port 561
   host2  argus running, listening on port 561

   ra -w ra.out -S host1 -S host2 - host host1 and host2 

will collect the records that involve only host1 and
host2 from both argus probes, in realtime and output the
records to the outputfile ra.out, so that you can compare.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter <at> qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: Ricardo J Castaneda [mailto:rcasta <at> tyr.mty.itesm.mx] 
> Sent: Wednesday, November 28, 2001 6:56 PM
> To: carter <at> qosient.com
> Subject: Question

Wozz | 2 Dec 2001 09:29

Re: ragator config question

On Sat, Dec 01, 2001 at 10:07:16AM -0500, Carter Bullard wrote:
> Hey Wozz,
>    No, support for ranges is not there.  Can be, not hard.
> Would you like ranges with CIDR addresses as well?
>  
>    1.2.3.4:30-2.3.4.0:24
> 
> This could be very interesting, but also very confusing.
> I'll look into it.
> 

I'm not sure it would be necessary to have ranges of cidr blocks, since you
could specify that with a range of beginning and ending addresses, but there
may be some use for it I've missed.
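Added example, not ragator's parser or its config syntax: Python helpers that accept both the plain start-end range Wozz describes and Carter's block-to-block form, written with the ':' prefix separator as in the thread (an assumption; '/' is accepted as well), and reduce either to one (first, last) pair, which is the sense in which the two notations are equivalent. The rule set at the bottom is constructed from RFC 5737 documentation addresses.

```python
"""Address ranges for aggregation rules, with CIDR blocks as range endpoints."""
import ipaddress


def _bounds(endpoint: str):
    """One endpoint: 'a.b.c.d', 'a.b.c.d/len' or, as written in the thread,
    'a.b.c.d:len'.  Returns the (first, last) address of that host or block
    as integers.  IPv4 only, because ':' is reused as the prefix separator."""
    endpoint = endpoint.strip().replace(":", "/", 1)
    net = ipaddress.IPv4Network(endpoint, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_range(spec: str):
    """'A', 'A-B', 'A/len' or 'A/len-B/len' -> (low, high) as integers.
    A range of two blocks collapses to the first address of the first block
    and the last address of the last block, i.e. the plain start-end range."""
    lo_s, _, hi_s = spec.partition("-")
    lo, lo_last = _bounds(lo_s)
    hi = _bounds(hi_s)[1] if hi_s else lo_last
    if lo > hi:
        raise ValueError(f"range is reversed: {spec!r}")
    return lo, hi


def range_is_valid(spec: str) -> bool:
    """Config-time check: reversed ranges and unparseable text are rejected."""
    try:
        parse_range(spec)
        return True
    except ValueError:          # AddressValueError/NetmaskValueError subclass it
        return False


def in_range(addr: str, spec: str) -> bool:
    lo, hi = parse_range(spec)
    return lo <= int(ipaddress.IPv4Address(addr)) <= hi


def match_rule(addr: str, rules):
    """First matching (label, spec) wins, like an ordered rule file.
    Returns the label or None."""
    for label, spec in rules:
        if in_range(addr, spec):
            return label
    return None


# Constructed rule set using RFC 5737 documentation prefixes.
SAMPLE_RULES = [
    ("dmz", "192.0.2.0/24"),
    ("lab", "198.51.100.10-198.51.100.20"),
    ("wan", "203.0.113.0:28-203.0.113.64:26"),   # .0/28 .. .64/26 => .0 .. .127
]

if __name__ == "__main__":
    for spec in ("1.2.3.4:30-2.3.4.0:24", "1.2.3.4-2.3.4.255"):
        lo, hi = parse_range(spec)
        print(f"{spec:24s} -> {ipaddress.IPv4Address(lo)} .. {ipaddress.IPv4Address(hi)}")
    for addr in ("192.0.2.77", "198.51.100.15", "203.0.113.100", "203.0.113.200", "10.0.0.1"):
        print(f"{addr:15s} -> {match_rule(addr, SAMPLE_RULES)}")
```

The one thing the block form adds over a plain start-end pair is the validation of its endpoints: a reversed range or a misaligned block is caught when the rule file is read rather than silently matching nothing.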

Wozz | 11 Dec 2001 05:52

Re: Argus Flow Timeout Issues

On Thu, Nov 15, 2001 at 09:31:56AM -0500, Carter Bullard wrote:
> 
>           IP fragments -   5 seconds
> 
>             IGMP flows - 300 seconds
>              ARP flows - 300 seconds
>       Unknown protocol - 300 seconds
> 
>      Initial TCP flows -  15 seconds
>      Initial UDP flows -  15 seconds
>      Initial ESP flows -  15 seconds
>     Initial ICMP flows -  15 seconds
> 
>  All established flows - 300 seconds
> 
>             TCP closed -  10 seconds
> 
> 

I've been thinking about this more.  These values work great for
short lived connections (HTTP, POP, etc) but not so well for longer
lived connections (ssh, and several other applications on my
networks).  It might be useful to make these tweakable on a per-port
basis.  I.e., I can set the default for established flows to be 300,
but I could define that flows going to port 22 last 3600 seconds.
I suppose this will result in higher memory usage, but if you only
define those flows that you know are going to be longer lived, it
shouldn't be too significant.  Any thoughts?


Carter Bullard | 18 Dec 2001 20:04

argus-2.0.4 imminent release

Gentle people,
   I'm about to release argus-2.0.4 and am trying to decide
if I should include the new raxml().  In order to support
changes in the XML way of things, and to better support
Microsoft .Net code, we have new XML schema files and 
I've had to modify raxml() to printout a few fields with
different formats, especially the time fields.

   If this doesn't break anyone's stuff, I'll go ahead and
include the new raxml() and its schema, in 2.0.4.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter <at> qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

Carter Bullard | 18 Dec 2001 23:28

argus-2.0.4.tar.gz available

Gentle people,
   argus-2.0.4 is available in the dev section.
This is going to be the one, if we don't get any complaints.
This fixes a number of problems relating to opening unnumbered
interfaces, better timeout performance, modified ./configure,
fixed some issues with TcpWrapper based access control, fixed
DLT_RAW decoder for Linux PPP and SLIP, added LFS checking
in ./configure, update raxml(), and last but not at all least
we added Russell's perl scripts and modules for scan detection.

The only outstanding bug that this release does not address
is a problem with Cisco Netflow record reading off the wire.
Still working on that bug.

ftp://qosient.com/dev/argus-2.0/argus-2.0.4.tar.gz

Do give this a go, and if there are no problems, I'll
release it on Thursday.

I've tested it on RH 2.2-2.4 and Solaris.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter <at> qosient.com
Phone +1 212 588-9133

Carter Bullard | 20 Dec 2001 15:24

RE: Argus Flow Timeout Issues

Hey Wozz,
   Sorry, I missed replying to your mail!!
ragator() is the tool for you, it was designed
to extend the timeouts on a port basis, and
just about any basis that seems reasonable.

  In my low speed environments, I have argus
generate records every second, and then I use
ragator to zip up the long records the next
day, or at the end of the week, when I archive
the data files.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter <at> qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of Wozz
> Sent: Monday, December 10, 2001 11:52 PM
> To: Carter Bullard
> Cc: argus-info <at> lists.andrew.cmu.edu
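Added example covering both Wozz's request for per-port timeouts and Carter's reply that ragator is the tool for zipping up the long records; it is not ragator's code, and the record shape and the form of the per-port setting are assumptions. It merges per-second status records of the same flow whenever the gap since the flow's last activity is within the idle timeout, applies a per-port override (here port 22 -> 3600 s), and shows how one idle ssh session comes out as two flows under the 300 s default but one under the override. The input records are constructed.

```python
"""Merging per-second flow status records with a per-port idle timeout."""
from dataclasses import dataclass, replace


@dataclass
class Rec:
    """One flow status record (constructed shape; not the argus record)."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    start: float      # seconds: first and last time covered by this record
    last: float
    pkts: int
    octets: int


def flow_key(r):
    return (r.proto, r.saddr, r.sport, r.daddr, r.dport)


def idle_timeout(key, port_idle, default_idle):
    """Port-specific idle timeout: dport is checked first, then sport."""
    _proto, _sa, sport, _da, dport = key
    return port_idle.get(dport, port_idle.get(sport, default_idle))


def aggregate(records, port_idle=None, default_idle=300):
    """Merge records of the same flow whose start lies within the idle
    timeout of the open flow's last activity; a larger gap closes the
    flow and starts a new one.  Returns merged flows sorted by start."""
    port_idle = port_idle or {}
    open_flows, out = {}, []
    for r in sorted(records, key=lambda r: r.start):
        k = flow_key(r)
        cur = open_flows.get(k)
        if cur is not None and r.start - cur.last <= idle_timeout(k, port_idle, default_idle):
            cur.last = max(cur.last, r.last)
            cur.pkts += r.pkts
            cur.octets += r.octets
        else:
            if cur is not None:
                out.append(cur)
            open_flows[k] = replace(r)       # copy: leave the input untouched
    out.extend(open_flows.values())
    return sorted(out, key=lambda f: (f.start, flow_key(f)))


def sample_records():
    """Constructed input: a status record per second for an ssh session
    that sits idle for 15 minutes, and two HTTP fetches 500 s apart."""
    def ssh(t):
        return Rec("tcp", "192.0.2.10", 40001, "198.51.100.5", 22, t, t + 1, 3, 300)

    def web(t):
        return Rec("tcp", "192.0.2.10", 40002, "198.51.100.8", 80, t, t + 1, 5, 2000)

    return [ssh(0), ssh(1), ssh(2), ssh(903), ssh(904), web(0), web(500)]


if __name__ == "__main__":
    for label, cfg in (("default 300 s everywhere", {}), ("port 22 -> 3600 s", {22: 3600})):
        flows = aggregate(sample_records(), port_idle=cfg)
        print(f"{label}: {len(flows)} flows")
        for f in flows:
            print(f"  {f.proto} {f.saddr}:{f.sport} -> {f.daddr}:{f.dport} "
                  f"{f.start:.0f}-{f.last:.0f}s pkts={f.pkts} octets={f.octets}")
```

Because the merge happens after the fact, the probe can keep its short timeouts and small per-flow state, which is the division of labour Carter describes: memory is spent at archive time, not on the live sensor.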

Peter Van Epp | 20 Dec 2001 22:26

Usenix Login: security issue available online

	A check just now indicates the Usenix Login: Security issue of November
2001 is now available on line at:

http://www.usenix.org/publications/login/2001-11/index.html

	While the entire issue is worth reading there is also my article on 
using argus in 

http://www.usenix.org/publications/login/2001-11/pdfs/epp.pdf

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Peter Van Epp | 20 Dec 2001 22:33

MD5 on 2.0.4?

	It looks like the MD5 file didn't get updated (which is presumably 
why it doesn't match) and the asc file (which did get updated) isn't permitted 
read: 

-rw-r--r--   1 ftpuser  ftpusers    444624 Dec 18 17:16 argus-2.0.4.tar.gz
-rw-------   1 ftpuser  ftpusers    602305 Dec 18 17:17 argus-2.0.4.tar.gz.asc
-rw-r--r--   1 ftpuser  ftpusers        60 Dec 18 15:58 argus-2.0.4.tar.gz.md5

	At the moment I'll assume the file is fine and start testing.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
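Added example prompted by the listing above, not a QoSient script: Python checks that parse a .md5 file in either the GNU "hash  name" or the BSD "MD5 (name) = hash" layout, compare it against the tarball, and flag the two things visible in the ls -l output, a checksum file older than the tarball it covers and a signature file without world-read permission. The tarball bytes, the stale checksum and the mtimes are constructed stand-ins; the 60-byte BSD line in the sample happens to be the same size as the .md5 in the listing, which is consistent with that layout but not proof of it.

```python
"""Checking a published checksum file and the listing it sits in."""
import hashlib
import re
import stat

GNU_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S+)$")        # "hash  name"
BSD_LINE = re.compile(r"^MD5 \((.+)\) = ([0-9a-fA-F]{32})$")     # "MD5 (name) = hash"


def parse_md5_file(text: str) -> dict:
    """Return {filename: hexdigest} from a .md5 file in GNU or BSD layout."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := GNU_LINE.match(line)):
            digests[m.group(2)] = m.group(1).lower()
        elif (m := BSD_LINE.match(line)):
            digests[m.group(1)] = m.group(2).lower()
        else:
            raise ValueError(f"unparseable checksum line: {line!r}")
    return digests


def verify_md5(name: str, data: bytes, md5_text: str) -> str:
    """'ok', 'mismatch' or 'missing'.  A mismatch on its own cannot say
    whether the download is corrupt or the checksum file is stale; only a
    signature over the artifact settles that."""
    expected = parse_md5_file(md5_text).get(name)
    if expected is None:
        return "missing"
    return "ok" if hashlib.md5(data).hexdigest() == expected else "mismatch"


def listing_problems(entries: dict, tarball: str) -> list:
    """entries maps filename -> (mode, mtime).  Flags a checksum or
    signature file that is missing, older than the artifact it covers, or
    not world-readable (so anonymous ftp users cannot fetch it)."""
    problems = []
    _tmode, tmtime = entries[tarball]
    for suffix in (".md5", ".asc"):
        name = tarball + suffix
        if name not in entries:
            problems.append(f"{name}: missing")
            continue
        mode, mtime = entries[name]
        if mtime < tmtime:
            problems.append(f"{name}: older than {tarball}, probably stale")
        if not mode & stat.S_IROTH:
            problems.append(f"{name}: not world-readable (mode {oct(mode)})")
    return problems


# Constructed stand-ins: sample bytes for the tarball, a stale .md5 written
# for different content in the 60-byte BSD layout, and a fresh GNU-style one.
TARBALL = "argus-2.0.4.tar.gz"
SAMPLE_TARBALL = b"argus-2.0.4 sample bytes"
STALE_MD5 = f"MD5 ({TARBALL}) = {hashlib.md5(b'argus-2.0.3 sample bytes').hexdigest()}\n"
FRESH_MD5 = f"{hashlib.md5(SAMPLE_TARBALL).hexdigest()}  {TARBALL}\n"

# Modes and mtimes (minutes after midnight on Dec 18) transcribed from the
# ls -l lines in the message above.
LISTING = {
    TARBALL: (0o644, 17 * 60 + 16),
    TARBALL + ".asc": (0o600, 17 * 60 + 17),
    TARBALL + ".md5": (0o644, 15 * 60 + 58),
}

if __name__ == "__main__":
    print("stale .md5:", verify_md5(TARBALL, SAMPLE_TARBALL, STALE_MD5))
    print("fresh .md5:", verify_md5(TARBALL, SAMPLE_TARBALL, FRESH_MD5))
    for p in listing_problems(LISTING, TARBALL):
        print("listing:", p)
```

A matching MD5 fetched from the same server as the tarball only confirms that the download arrived intact; it says nothing about whether the server's copy is the one the author built. The detached .asc signature is what provides that assurance, which makes the unreadable .asc the more serious of the two problems in the listing.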

