another ra oddity...

Carter Bullard cbullard at
Fri Oct 8 07:51:27 EDT 1999

Hey Russell,
   Thanks for all the mail, and its good to see that
you're getting something out of Argus, because you certainly
have put a lot in ;o)

   One note, the US has announced relaxation of their
encryption export and import policies, so the "made in the
USA" may be not be a barrier after Nov 1.

Hope all is well,


> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at]
> Sent: Thursday, October 07, 1999 4:51 PM
> To: Bullard, Carter [NYPAR:DS46-I:EXCH]
> Subject: Re: RE: RE: another ra oddity...
> Hi,
> 	Again, thanks for your comments.  Figuring out the best ways of 
> using tools like argus are certainly non trivial, sigh...
> I am pleased that I chose a file naming scheme that sort 
> lexically into 
> time order so I am doing a lot of 
> "join(' -r ', sort grep(/\.gz$/, readdir(DIR))" 
> I am, in general, not trying to verify firewall function. I refuse to 
> dignify what we have with the name firewall -- doing so gives 
> people a 
> false sense of security.  We currently use Drawbridge (from TAMU) and 
> block incoming protocols with known problems ( X, r*, netbios, 
> portmapper etc) for most of our users.  Its main function is to 
> inforce our charging policies and stop machines that we don't have 
> charging info for from reaching the Internet.   We also have the 
> standard anti spoofing and anti smurf filters on our routers. 
> We are looking at getting FW1 but it is a lot of money -- 
> between 2 and 
> 4 times my annual salary -- including HW and AV software. (which 
> probably says more about my salary than the cost of FW1). My gut 
> feeling is that it would be much better spent on education for users 
> and training for computer support people.  We need that 
> anyway whether 
> or not we have a fancy firewall.
> I am using argus for two main purposes.  Firstly to detect scans and 
> other network mapping activity and also more subtle attacks against 
> publicly visible servers; and secondly to analyse traffic after an 
> incident.  In some cases I have gone through 3 months logs looking at 
> traffic to/from a compromised machine.
> One thing I am convinced of is that we should cut down the 100+ web 
> servers (every department just *has* to have their own separate web 
> server) and make sure that web servers only offer http(s) 
> services (and 
> possibly ftp) off campus.  Such machines should not generate any 
> traffic of their own -- i.e. no users.  That would make detecting 
> attacks against such machines much easier.
> I would also love to block telnet and ftp but until there is a secure 
> replacement for the latter it is a lost cause.  SANs is coordinating 
> some work in this area but since it is being done in the US 
> it will not 
> help us.
> Cheers, Russell.

More information about the argus mailing list