Argus-2.0 Clients
Carter Bullard
carter at qosient.com
Sun Jul 23 11:00:18 EDT 2000
Hey Peter,
Running Argus against "standardized" attacks is right
on the money for validation as well as baseline deviation
prediction. I thought CIDF was going to generate packet
capture files of popular attacks, did this go away?
OK on to specifics:
Argus is already doing fragment offset calculations
and so adding some logic to report this type of problem
shouldn't be an issue, as long as we can have a set
number of things to look for.
I'm not sure I follow the VJ compression analogy.
Can you elaborate on that idea?
I am very interested in looking into using Argus
records to drive your traffic generators, as this was
one of the things on the "wouldn't it be cool"
list for pre Argus-1.5.
Carter
-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
Sent: Saturday, July 22, 2000 12:50 AM
To: argus
Subject: Re: RE: Argus-2.0 Clients
[snip]
with new data that wouldn't have etc. That would be one useful thing, keep
track of fragment offsets and flag ones where there is offset overlap
(especially negative) with a previous fragment. We probably want those
complete packets out of the capture buffer. One interesting trick would be
to steal VJ header compression from PPP. I.e., if the packet matches
prediction, just count it because it isn't interesting. If it doesn't, push it into the
exception buffer to be forwarded (given a buffer of seen packets I'd be in
favor of outputting its entire stream of packets for analysis).
As I said earlier I can now apparently generate traffic at a full
100 (at least half duplex) from disk. I seem to lose packets in the kernel
at much less than full speed on capture. I want to poke at that and see if
I can get the speed up somehow (OpenBSD, the Linux experimental zero copy
kernel, something!). I don't like any of the sniffer products I've seen so
I'm looking for something to capture at a full hundred to feed to our old
sniffer at a low enough speed it can keep up :-). Of course then everyone here
went on vacation and left me all the problems :-)
One of my many projects is to collect copies of every crack I can find
and feed them to a test bed machine and capture them with tcpdump for replay
to commercial IDS systems (and probably snort, shadow and bro) to see how well
commercial packages work (and how fast). Both the NFR and Dragon folks are
chomping at the bit to give me eval copies. That (and active directory) are
why I got my test machines. It however is still at the "think" stage due to
more urgent fires.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
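The fragment-offset check Peter proposes above, as an added example written for this archive page (it is not Argus code and not from either poster). It tracks the byte ranges of fragments per datagram and flags any fragment that re-covers bytes an earlier fragment already delivered, reporting the overlap size and the signed distance from the preceding fragment (negative means the offset went backwards). Field names, the datagram key and the sample fragments are assumptions constructed for the example.

```python
# Added example (not Argus code): flag IP fragments whose byte range overlaps
# an earlier fragment of the same datagram, as suggested in the quoted message.
# Input fragments are constructed dicts using raw header semantics:
# frag_off is the 13-bit offset field in 8-byte units, length is payload bytes.
from collections import defaultdict

def datagram_key(f):
    """Fragments belong to one datagram when src, dst, IP id and protocol match."""
    return (f["src"], f["dst"], f["ip_id"], f["proto"])

def find_overlaps(frags):
    """Return one alert per offending fragment:
    (index, key, overlap_bytes, delta_vs_previous).
    overlap_bytes is the largest overlap with any earlier fragment of the same
    datagram; delta_vs_previous is this fragment's start minus the end of the
    fragment seen just before it (negative = it backs up into delivered bytes)."""
    seen = defaultdict(list)      # key -> [(start, end), ...] in arrival order
    alerts = []
    for i, f in enumerate(frags):
        key = datagram_key(f)
        start = f["frag_off"] * 8
        end = start + f["length"]
        worst = 0
        for s, e in seen[key]:
            worst = max(worst, min(end, e) - max(start, s))
        if worst > 0:
            prev_end = seen[key][-1][1]
            alerts.append((i, key, worst, start - prev_end))
        seen[key].append((start, end))
    return alerts

# Constructed sample: datagram 7 is well-formed (fragments abut exactly);
# datagram 8's second fragment starts 12 bytes inside the first one.
SAMPLE = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 7, "proto": 17, "frag_off": 0,   "length": 1480},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 7, "proto": 17, "frag_off": 185, "length": 1480},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 7, "proto": 17, "frag_off": 370, "length": 500},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 8, "proto": 17, "frag_off": 0,   "length": 36},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 8, "proto": 17, "frag_off": 3,   "length": 40},
]

if __name__ == "__main__":
    for idx, key, ov, delta in find_overlaps(SAMPLE):
        print(f"fragment #{idx} of datagram {key}: overlaps {ov} bytes (delta {delta})")
```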