Argus 2.0 User Payload Data

Carter Bullard carter at qosient.com
Fri Jul 14 12:12:38 EDT 2000


Hey Peter!
   So if we do a supplemental record, what kind of
stuff would be interesting to support?  As I mentioned
earlier, I would like to do some covert channel detection
and so processed user data reporting is important to me.
This would allow you to discover that the protocol
being used on port 25 is really SMTP, without putting
the validation logic in Argus itself.

   The configuration of such a beast will be interesting,
and so I'm interested in working on that.

   But what else?  Partial/full packet capture.  Anomalous
event reporting, with packet contents would satisfy Russell's
TCP bad flag issue I believe.

Carter
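
The port-25 check Carter describes, as an added example and not Argus code: a post-processor reads supplemental user-data records (record format and sample payloads are constructed here) and flags port-25 flows whose first payload bytes do not look like an SMTP opening exchange, leaving the validation logic outside Argus itself.

```python
# Added example (not Argus code): validating that flows seen on TCP port 25
# really carry SMTP, using only a supplemental "user data" record of the kind
# discussed in the thread. Record layout and sample payloads are constructed.
import re
from dataclasses import dataclass


@dataclass
class UserDataRecord:
    """Hypothetical supplemental record: flow key plus the first payload
    bytes in each direction (validated by a post-processor, not by Argus)."""
    src: str
    dst: str
    dport: int
    server_bytes: bytes   # first payload bytes sent by the server side
    client_bytes: bytes   # first payload bytes sent by the client side


# SMTP server greeting is "220 <host> ..."; the client opens with EHLO/HELO.
SMTP_BANNER = re.compile(rb"^220[ -]\S+")
SMTP_CLIENT = re.compile(rb"^(EHLO|HELO)\s+\S+", re.IGNORECASE)


def looks_like_smtp(rec: UserDataRecord) -> bool:
    """True when both directions of the captured payload match SMTP's opening
    exchange. Only the first line of each direction is examined."""
    server_line = rec.server_bytes.split(b"\r\n", 1)[0]
    client_line = rec.client_bytes.split(b"\r\n", 1)[0]
    return bool(SMTP_BANNER.match(server_line)) and bool(SMTP_CLIENT.match(client_line))


def find_port_protocol_mismatches(records, port=25, validator=looks_like_smtp):
    """Return records whose flow used `port` but whose payload fails the
    validator: candidates for a covert channel or a mislabelled service."""
    return [r for r in records if r.dport == port and not validator(r)]


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    UserDataRecord("10.0.0.5", "10.0.0.25", 25,
                   b"220 mail.example.test ESMTP ready\r\n",
                   b"EHLO client.example.test\r\n"),
    UserDataRecord("10.0.0.7", "10.0.0.25", 25,
                   b"\x00\x01\x02beacon\r\n",        # not an SMTP banner
                   b"GET / HTTP/1.0\r\n"),           # not an SMTP client opener
    UserDataRecord("10.0.0.9", "10.0.0.80", 80,
                   b"HTTP/1.0 200 OK\r\n", b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for r in find_port_protocol_mismatches(SAMPLE_RECORDS):
        print(f"port-25 flow {r.src}->{r.dst} does not look like SMTP")
```

Records on other ports pass through untouched; a real deployment would add one validator per expected service and only ever keep the few payload bytes the check needs.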

-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
Sent: Friday, July 14, 2000 10:49 AM
To: argus
Subject: Re: Argus 2.0 User Payload Data


<snip>
> Is there an opinion?  I'm leaning toward strategy
> two, as I see it handling privacy concerns better
> than strategy one.  The basic Argus record is
> designed to minimize privacy intrusion, and the
> supplemental records that could possibly intrude
> could be filtered out, encrypted, tossed etc...
>
> Suggestions comments opinions are definitely welcome!
>
>
> Carter
>

	I'd lean towards option 2 as well. It provides the most flexibility
for being able to do things like capture the entire packet when a flag
oddity (as a for instance) shows up or fragments that have different /
overlapping offsets appear in the input stream without necessarily always
keeping the entire packet. The down side is that it requires more horsepower
to keep up with the data stream, but power is getting cheaper by the day.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
