Problem with argus
Carter Bullard
cbullard at nortelnetworks.com
Fri Jan 14 09:38:00 EST 2000
Hey Carmen,
The -C option only applies to the ra() command,
so the Argus output file should have all the records
that involve the ICMP traffic from 192.168.1.40.
First look to see if Argus is working properly by
searching for ICMP Argus records from your host.
ra -nr 'argus.file' icmp and host 192.168.1.40
should produce all the argus records that report the
icmp traffic to and from 192.168.1.40. If there are
records in the 'argus.file' then the policy filter
has something to work with.
The ra() filter below is equivalent to the
Cisco filter that you have in your policy file.
ra -nr 'argus.file' icmp and dst host 192.168.1.40
If this command generates output then there are records
for the Cisco filter to find. If there are no records
and there should be, then the bug is in Argus(). If
there are records and the Cisco filter doesn't find
them then the bug is in Ra().
If you have an 'argus.file' that has records that
your Cisco filter doesn't find, then send mail and
we'll look further.
Carter
> -----Original Message-----
> From: Maria del Carmen Contreras Espinosa [mailto:mcconesp at cic.upo.es]
> Sent: Friday, January 14, 2000 8:29 AM
> To: Bullard, Carter [NYPAR:DS33:EXCH]
> Subject: Re: Problem with argus
>
>
> Hello!
>
>
> I'm using Argus-1.8 on Linux Red Hat 6.0. I see all the traffic, and it is very
> useful for us; we can see if somebody does anything without permission. These
> days somebody is making periodic ICMP connections to our servers.
>
> But today I want to put in CISCO rules and I have a problem.
>
> If I put, for example,
>
> access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
>
> all the ICMP traffic appears, but if I want to see one IP with
>
> access-list 102 deny icmp 0.0.0.0 255.255.255.255 192.168.1.40 0.0.0.0
>
> it doesn't appear.
>
> And when I see all the traffic, I can see that somebody attempted an ICMP
> connection to us.
>
> If you don't understand me, please tell me.
>
>
> Can you help me?
>
> Thank you
>
>
> ----
> Carmen Contreras
> Centro de Informatica y Comunicaciones
> Universidad Pablo de Olavide
> Sevilla- España
> -----
>
> ---******---
> Carter Bullard wrote:
>
> > Carmen,
> > I'm sending you the latest version of
> > argus-1.8. This is a test version, and so please
> > don't post it for redistribution. If you have any
> > problems, please send us mail.
> >
> > Carter
> >
> >
> >
> >
> ------------------------------------------------------------------------
> > Name: argus-1.8.tar.gz
> > argus-1.8.tar.gz Type: Unix Tape Archive (application/x-tar)
> > Encoding: base64
>
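The reply above states that the Cisco access-list line in the question is equivalent to the ra filter "icmp and dst host 192.168.1.40". The following is an added illustration of that mapping, not code from Argus or from either author of the thread: it reads a Cisco-style access-list line, applies the standard Cisco wildcard-mask semantics (a 0 bit must match, a 1 bit is "don't care"), and emits the corresponding BPF/ra filter expression, so the two forms can be compared before deciding whether a missing match is a policy-file problem or an Argus problem. It goes beyond the page by also handling the "any" and "host" keywords and contiguous wildcard masks that describe a network; port qualifiers and the permit/deny action are deliberately not encoded, and the two sample access-list lines are taken from the question.

```python
import ipaddress

# Constructed sample input: the two access-list lines from the original question.
SAMPLE_ACL = [
    "access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
    "access-list 102 deny icmp 0.0.0.0 255.255.255.255 192.168.1.40 0.0.0.0",
]


def _wildcard_to_bpf(addr, wildcard, direction):
    """Translate a Cisco <address> <wildcard-mask> pair into one BPF/ra term.

    direction is "src" or "dst". Returns None when the pair matches every
    address, because BPF needs no term for that case.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild == 0:
        # 0.0.0.0 wildcard: every bit must match, i.e. exactly one host.
        return f"{direction} host {addr}"
    if wild == 0xFFFFFFFF:
        # 255.255.255.255 wildcard: no bit has to match, i.e. any host.
        return None
    # Only a contiguous run of low-order one bits is a classic netmask that
    # BPF can express as "net ... mask ..."; anything else has no single term.
    if (wild + 1) & wild != 0:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no BPF net equivalent")
    netmask = str(ipaddress.IPv4Address((~wild) & 0xFFFFFFFF))
    net = ipaddress.IPv4Network((addr, netmask), strict=False)
    return f"{direction} net {net.network_address} mask {net.netmask}"


def _parse_endpoint(tokens, i):
    """Consume one source or destination spec; return (addr, wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tok, tokens[i + 1], i + 2


def cisco_acl_to_ra_filter(line):
    """Return the BPF/ra filter expression matching the traffic a Cisco
    extended access-list line describes (the permit/deny action is ignored,
    since a filter only selects records; port qualifiers are not handled)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    proto = tokens[3]
    src, src_wild, i = _parse_endpoint(tokens, 4)
    dst, dst_wild, _ = _parse_endpoint(tokens, i)
    terms = []
    if proto != "ip":          # "ip" means any IP protocol: no protocol term
        terms.append(proto)
    for term in (_wildcard_to_bpf(src, src_wild, "src"),
                 _wildcard_to_bpf(dst, dst_wild, "dst")):
        if term is not None:
            terms.append(term)
    return " and ".join(terms) if terms else "ip"


if __name__ == "__main__":
    for acl in SAMPLE_ACL:
        print(f"{acl}\n  -> ra -nr argus.file '{cisco_acl_to_ra_filter(acl)}'")
```

Run against the second sample line the function yields "icmp and dst host 192.168.1.40", the same expression the reply proposes; the first line, whose endpoints are both wildcarded, reduces to "tcp" and therefore cannot select ICMP records at all.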