Argus 2.0 wishes

Peter Van Epp vanepp at sfu.ca
Fri Mar 10 11:33:16 EST 2000


	With the provision that for the last month or so progress has been 0
on either the perl stuff (which Mark has already asked for docs for) or the 
project of filing the serial numbers off the Shadow startup and log roll perl
scripts with a view to making them start arbitrary programs (such as argus and
snort) as well as Shadow. I'll step up to documentation (and hopefully more 
perl) for the output filters and scripts and documentation for starting / 
restarting (in the unlikely case of argus crashes or more likely reboots of
the machine) and automated log rolling of an argus installation as I get time.
The usual case (everything works on a UPSed system that rarely gets booted)
works now; it's the restart after a crash that still needs some work (actually
some enhancement for odd but possible failure conditions).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
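As an added illustration for the open question further down in this thread (what the fields of an argus 1.8 `ra` "frag" record mean, and why the perl tally script skips them), here is a small Python tokenizer for that record layout. It is example code written for this page, not part of argus or of the perl scripts being discussed. It assumes nothing about what `pk`, `ex`, `ob`, `max`, the bare number after the destination, or the trailing `TIM` actually mean (the thread does not say); it only pulls the labelled counters out generically, so a tally script can at least count fragment records per source instead of dropping them. The first sample line is the record quoted in the thread; the other two are constructed in the same layout.

```python
"""Tokenizer for the argus 1.8 ``ra`` fragment record quoted in this thread.

Added example, not argus code. Field semantics are NOT documented on the
page; only the layout (timestamp, kind, proto, src -> dst, counters, flags)
is assumed from the one quoted record.
"""
import re
from collections import Counter

# Sample input: the record quoted in the thread (verbatim) plus two
# constructed records with the same layout.
SAMPLE_RECORDS = [
    "Thu 03/09 05:52:25 frag  ip  203.108.46.136        ->  142.58.230.123 54016 pk  1  ex    0  ob  156  max  156 TIM",
    "Thu 03/09 05:52:26 frag  ip  203.108.46.136        ->  142.58.230.123 54017 pk  3  ex    1  ob  468  max  156 TIM",  # constructed
    "Thu 03/09 05:53:01 frag  ip  10.0.0.7              ->  142.58.230.9   1 pk  2  ex    0  ob  312  max  156 TIM",      # constructed
]

RECORD_RE = re.compile(r"""
    ^(?P<day>\S+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+   # "Thu 03/09 05:52:25"
    (?P<kind>\S+)\s+(?P<proto>\S+)\s+                  # "frag ip"
    (?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+                # "src -> dst"
    (?P<rest>.*)$                                      # counters and flags
""", re.VERBOSE)

# "label  value" pairs such as "pk  1" or "max  156"; meaning unknown here.
COUNTER_RE = re.compile(r"\b([a-z]+)\s+(\d+)\b")


def parse_record(line):
    """Return a dict for one ra record line, or None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    toks = rest.split()
    # The bare number right after the destination ("54016") has no label
    # and the thread does not say what it is, so it is kept raw.
    rec["unlabelled"] = int(toks[0]) if toks and toks[0].isdigit() else None
    rec["counters"] = {k: int(v) for k, v in COUNTER_RE.findall(rest)}
    # Trailing all-caps tokens (here "TIM") are kept as opaque status flags.
    rec["flags"] = [t for t in toks if t.isupper()]
    return rec


def tally_fragments(lines):
    """Count frag records and sum their labelled counters per source host."""
    per_src = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["kind"] != "frag":
            continue
        entry = per_src.setdefault(rec["src"], {"records": 0, "counters": Counter()})
        entry["records"] += 1
        entry["counters"].update(rec["counters"])
    return per_src


if __name__ == "__main__":
    for src, entry in tally_fragments(SAMPLE_RECORDS).items():
        print(src, entry["records"], dict(entry["counters"]))
```

Because the counters are collected by label rather than by position, the same parser keeps working if a later argus release adds or reorders a counter, which is the kind of drift that made the perl script miss these records in the first place.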

> 
> Wow, thanks Russell!!!
> 
> You are right, its the last thing I think about,
> but unfortunately, is probably the most important
> in making something successful.  Chas is also
> very documentation focused, but he has had
> negative time available with his new venture, so
> any help here would be very much appreciated!!!!!
> 
> Carter
> 
> > -----Original Message-----
> > From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> > Sent: Thursday, March 09, 2000 3:50 PM
> > To: argus at lists.andrew.cmu.edu
> > Subject: Re: Argus 2.0 wishes
> > 
> > 
> > 
> > On Thu, 9 Mar 2000 09:29:13 -0800 (PST) Peter Van Epp <vanepp at sfu.ca> 
> > wrote:
> > 
> > > 	An additional 2.0 wish (and a 1.8 question!):
> > > 
> > > I'd like to see counts added to the icmp type. Currently we 
> > don't get an 
> > > indication (or I don't know how to query it if we do) for 
> > ICMP flows:
> > 
> > Yes please!  I had forgotten about that.
> > 
> >  
> > > 	Then there is a 1.8 question:
> > > 
> > > Thu 03/09 05:52:25 frag  ip  203.108.46.136        ->  142.58.230.123 54016 pk  1  ex    0  ob  156  max  156 TIM
> > > 
> > > 	What do the various fields in this frag mean? It 
> > doesn't seem to be 
> > > in the ra man page (and the source while obviously a source 
> > of the information
> > > is likely to be a little time consuming). I expect these 
> > are the packets 
> > > that Neil is referring to when he says the perl script 
> > doesn't pick up 
> > > fragments (which indeed it won't because there are no 
> > obvious counts here and
> > > this may not even be in the parsing script yet).
> > 
> > I too have puzzled over the fields with Stevens on my lap -- 
> > I sort of 
> > got it figured out but was not confident that I had it right. 
> >  A short 
> > note from Carter to set us right would be great ;-)
> > 
> > This is one of many little improvements that have not made it into the 
> > man pages and I think it would be a good idea to make a list of them 
> > and then divide it up amongst those of us who are willing 
> > (count me in) 
> > and get the man pages up to date.
> > 
> > Carter has done a great job with the 1.8 code but, I suspect, 
> > like the 
> > rest of us (well me anyway -- I shouldn't speak for others 
> > ;-) he never 
> > quite makes it to the documentation despite the best of intentions.  
> > 
> > Hmmm... a short tutorial would be useful for beginners too.
> > 
> > I would be happy to spend some time on this as my contribution to the 
> > project.
> > 
> > Cheers, Russell.
> > 
> > 
> 


