argus changes

Carter Bullard carter at qosient.com
Wed Jul 12 08:24:02 EDT 2000


Hey David,
   How's it going!  It seems to me that there are multiple
things here.  One is going to be more complicated than
you might have expected.

For item a. record file per expression.

The first issue is really two things.  The first appears
to be multiple filters on the same command line.  I think
that this is cool, but because of limitations with lex()
and yacc() based compilers, we have a separate process
per '-w' argument.  Some people would have a problem with
that, but I think that we can deal with the problems.

Changing the syntax of the -w option to include a filter
is not a problem, BUT, there is a snag that we'll need
to discuss.  Right now, with your suggestion, we get a
filter on the '-w filename' expression, and we can have
a global filter for the command itself.  Do we want to
support it this way?

Now, in support of this, how about if we put the filter
expression that created the file, into the file itself
in a new management record, so we can figure out what
happened?

For item b.  ability to save diagnostic output.

With a. you get b. as you can simply put in a
'-w man.output man' expression and get just the management
records written out.  Would this do the trick?

For item c.  Yes documentation is very high on the list
for Argus-2.0!!!!!!

What do you think?

Carter


-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu] On Behalf Of David Brumley
Sent: Tuesday, July 11, 2000 2:45 PM
To: argus at lists.andrew.cmu.edu
Subject: argus changes


I would like to see added to argus:
a. The ability to define a record file per expression, i.e.
  ( -w port111traffic port 111) ( -w incident00-0798 host gea) .....
this may be too big of a change :)

b. The ability to save diagnostic output (bytes/hour, dropped bytes,
etc) as a file (yea, I know this can be done, but it means rotating two
logs instead of just restarting the argus process :)

c. A little more documentation.

Cheers,
david


#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
	    "I have opinions, my employer does not."
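As an added illustration of the design discussed in this thread (not code from Argus or from either poster): a small Python model of "one record file per filter expression", with a global filter applied first and each output file beginning with a management record that carries the filter expression that produced it, so the file's origin can be reconstructed later. The flow records, the field names, and the two-keyword filter syntax (`port N`, `host NAME`, terms ANDed) are constructed assumptions for the example, not Argus's record format or its BPF filter language.

```python
import json
from typing import Callable, Dict, List

# Constructed sample flow records; field names are an assumption for this example.
FLOWS = [
    {"src": "gea",  "dst": "lab1", "sport": 34211, "dport": 111, "proto": "tcp"},
    {"src": "lab2", "dst": "gea",  "sport": 51000, "dport": 22,  "proto": "tcp"},
    {"src": "lab3", "dst": "lab1", "sport": 40000, "dport": 111, "proto": "udp"},
    {"src": "lab2", "dst": "lab3", "sport": 40001, "dport": 80,  "proto": "tcp"},
]


def compile_filter(expr: str) -> Callable[[dict], bool]:
    """Compile a tiny filter expression (assumed syntax): whitespace-separated
    'port N' / 'host NAME' terms, all ANDed together.  An empty expression
    matches every record, which stands in for "no global filter"."""
    tokens = expr.split()
    if len(tokens) % 2:
        raise ValueError(f"malformed filter: {expr!r}")
    terms = []
    for kw, arg in zip(tokens[0::2], tokens[1::2]):
        if kw == "port":
            p = int(arg)
            terms.append(lambda r, p=p: p in (r["sport"], r["dport"]))
        elif kw == "host":
            terms.append(lambda r, h=arg: h in (r["src"], r["dst"]))
        else:
            raise ValueError(f"unknown keyword {kw!r} in {expr!r}")
    return lambda r: all(t(r) for t in terms)


def demux(records: List[dict], global_filter: str,
          outputs: Dict[str, str]) -> Dict[str, List[dict]]:
    """Apply the global filter, then fan each surviving record out to every
    output whose own '-w' filter matches.  Each output begins with a
    management record recording both filter expressions, so the file
    documents how it was produced."""
    gf = compile_filter(global_filter)
    compiled = {name: compile_filter(f) for name, f in outputs.items()}
    files = {name: [{"type": "man", "filter": f, "global_filter": global_filter}]
             for name, f in outputs.items()}
    for rec in records:
        if not gf(rec):
            continue
        for name, match in compiled.items():
            if match(rec):
                files[name].append(dict(rec, type="flow"))
    return files


def origin_of(lines: List[dict]) -> str:
    """Recover the per-output filter from a file's leading management record."""
    man = lines[0]
    if man.get("type") != "man":
        raise ValueError("file does not start with a management record")
    return man["filter"]


def to_jsonl(lines: List[dict]) -> str:
    """Serialise one output as JSON lines, the form it would be written to disk in."""
    return "\n".join(json.dumps(rec, sort_keys=True) for rec in lines) + "\n"


if __name__ == "__main__":
    # The two '-w' outputs from David's message, with no global filter.
    out = demux(FLOWS, "", {"port111traffic": "port 111", "incident00-0798": "host gea"})
    for name, lines in out.items():
        print(f"== {name} (filter: {origin_of(lines)!r}, {len(lines) - 1} flows)")
        print(to_jsonl(lines), end="")
    # Same '-w' filter, but a global 'host gea' filter narrows what reaches it.
    narrowed = demux(FLOWS, "host gea", {"port111traffic": "port 111"})
    print(f"== with global filter: {len(narrowed['port111traffic']) - 1} flows")
```

The second call shows the interaction Carter raises: a global filter and a per-`-w` filter compose by intersection, so a record must pass both before it is written, and the management record preserves both expressions for whoever reads the file later.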


