argus

Mark Poepping poepping at cmu.edu
Fri Mar 12 13:57:48 EST 1999


If you want to filter, you can filter in the server or the
client.  If you only *ever* want info on these ports, then
filter in the server.  Start it up with filtering on:
	argus_linux -w argusmon.out port 20 or port 21 or port 22 \
		or port 23 or port 24 or port 25 or port 512 or \
		port 513 or port 514 &
and use
	ra -r argusmon.out

If you want to collect it all but report on those ports, then
use the filter on the client:
	argus_linux -w argusmon.out &
and use
	ra -r argusmon.out port 20 or port 21 or port 22 \
		or port 23 or port 24 or port 25 or port 512 or \
		port 513 or port 514

The Cisco rules are really for seeing the traffic that your Cisco
filters..  so if you have a probe on the stub outside of your
firewall, ra could show the flows that violate the policy (that
you can't see on the inside since the Cisco is filtering it)..
This presumes a way to tap the upstream traffic.

mark.


> -----Original Message-----
> From: Martin Pousette [mailto:Martin.Pousette at it.ki.se]
> Sent: Friday, March 12, 1999 10:15 AM
> To: Mark Poepping
> Subject: RE: argus
>
>
> ra -r argus.log works fine, but I get a lot of data, so I need to choose what
> to log. I am using ipchains to filter and log for the moment but would like
> to try Argus, so if I want to set up a rules file for logging, is it that easy?
> I saw something in the docs about Cisco rules; is that how I do it, or what?
> Got any example files to mail me? I would like to log ports 20-25 and 512-14.
>
> /Martin
>
> keep up the good work!
>
> At 09:00 1999-03-12 -0500, you wrote:
> >
> >[ ... ]
>
>   Martin Pousette     Karolinska Institutet                         Tel: 08-728 6865
>   Data Security       171 77 Stockholm                              Mob: 070-629 6623
>   IT Department       Visiting address: Doktorsringen 6C, Solna     Fax: 08-34 00 32
>
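
Building the port filter from the ranges Martin asked for (20-25 and 512-514), as an added example that is not part of Mark's message or of the Argus project: the "port 20 or port 21 ..." expression above is easy to mistype by hand, so a small POSIX sh helper expands port ranges into that BPF expression and the same string is then passed either to argus_linux (server-side filtering, only those flows are ever written) or to ra (client-side, everything is captured and the filter is applied at report time). The helper name build_port_filter is hypothetical; that argus_linux and ra accept a trailing BPF expression is taken from the commands shown in this message, and the example only echoes those command lines rather than starting a probe.

```shell
#!/bin/sh
# build_port_filter: expand port specs such as "20-25 512-514" (or single
# ports such as "22") into a BPF expression of the form
# "port 20 or port 21 or ... or port 514". Hypothetical helper, not Argus code.
build_port_filter() {
    expr=""
    for spec in "$@"; do
        case "$spec" in
            *-*) lo=${spec%-*}; hi=${spec#*-} ;;   # "lo-hi" range
            *)   lo=$spec;      hi=$spec ;;        # single port
        esac
        # Reject anything that is not purely numeric, and inverted ranges,
        # so a typo never silently turns into a filter that matches nothing.
        case "$lo$hi" in
            ''|*[!0-9]*) echo "bad port spec: $spec" >&2; return 1 ;;
        esac
        [ "$lo" -le "$hi" ] || { echo "bad range: $spec" >&2; return 1; }
        p=$lo
        while [ "$p" -le "$hi" ]; do
            if [ -z "$expr" ]; then
                expr="port $p"
            else
                expr="$expr or port $p"
            fi
            p=$((p + 1))
        done
    done
    printf '%s\n' "$expr"
}

# The two placements described in the message, with the generated expression.
# (Only echoed here; remove the echo to actually start the probe / reader.)
FILTER=$(build_port_filter 20-25 512-514)

# Server-side: filter at capture time, only these flows reach argusmon.out.
echo "argus_linux -w argusmon.out $FILTER &"
echo "ra -r argusmon.out"

# Client-side: capture everything, filter when reporting.
echo "argus_linux -w argusmon.out &"
echo "ra -r argusmon.out $FILTER"
```

Quoting matters when you wire this in for real: pass the expression unquoted (as above) so the shell splits it into the separate words argus_linux and ra expect, exactly as in the hand-written commands earlier in the message.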
