Argus 2.0 wishes
David Brumley
dbrumley at rtfm.stanford.edu
Wed Mar 15 04:13:28 EST 2000
On that note, it would also be nice to have ra return a long int as the
address. I'm working on code to do that as we speak.
Carter,
Do you mind having an autofaq and perhaps a public "contrib" directory?
I'll host it :)
cheers,
david
On Wed, 15 Mar 2000, Russell Fulton wrote:
> More wishes ;-)
>
> I would like to see an argus configuration file in which one can specify
> things like timestamp formats (I have patched ra to print dates in a
> non ambiguous format). It would also be useful to allow one to set
> default flags for clients and even, possibly, default output (in a
> string like strftime). This would be really useful where one is feeding
> ra output to a perl script e.g. you specify just the data you want and
> have the fields separated by tabs -- "%T\t%F\t%P\t%S\%s\..."
>
> %T -- timestamp
> %F -- flags
> %P -- Protocol
> %S -- source IP
> %s -- source port
>
> etc.
>
> in perl:
>
> while (<RA>) {
> my ($time, $f, $p, $src, $srcp ... ) = split("\t", $_);
>
> }
>
> At the moment I use unpack to split up the record but occasionally
> fields overflow and then unpack returns garbage for some fields. split
> should be faster than unpack too.
>
> I'd be happy to contribute code to parse the config file -- I have done
> something similar for the netramet project. (No it isn't in the
> current release).
>
> Cheers, Russell.
>
--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445 WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121 PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
Securing NT. Insert Linux boot disk to continue......
"I have opinions, my employer does not."
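The output-format idea in the quoted wish (a strftime-style directive string expanded per flow record, consumed with split rather than fixed-width unpack) sketched as a small Python example. This is an added illustration, not argus or ra code and not code from either poster: the directive letters %T %F %P %S %s are the ones named above, while the record field names, the constructed sample records, the %D/%d directives and the tab delimiter the consumer splits on are this example's own assumptions. The fixed-width pair at the end reproduces the overflow failure the wish describes, where a value longer than its column shifts every later field.

```python
"""Added example (not argus/ra code): strftime-style output directives for
flow records, tab-separated output, and the fixed-width overflow it avoids."""
import re
from datetime import datetime, timezone

# Constructed flow records standing in for what ra would hand a formatter.
SAMPLE_RECORDS = [
    {"time": 953111608, "flags": "", "proto": "tcp",
     "saddr": "10.0.0.5", "sport": 1234, "daddr": "10.0.0.9", "dport": 80},
    {"time": 953111609, "flags": "s", "proto": "udp",
     "saddr": "192.168.100.200", "sport": 65535,
     "daddr": "224.0.0.251", "dport": 5353},
]

# Directive letter -> (record field, renderer). %T renders an unambiguous
# ISO-8601 UTC timestamp, the kind of choice the wish wants configurable.
# %D/%d are assumed extra directives for the destination side.
DIRECTIVES = {
    "T": ("time", lambda v: datetime.fromtimestamp(v, timezone.utc)
                                    .strftime("%Y-%m-%dT%H:%M:%SZ")),
    "F": ("flags", str),
    "P": ("proto", str),
    "S": ("saddr", str),
    "s": ("sport", str),
    "D": ("daddr", str),
    "d": ("dport", str),
}

# The format string as a config file would carry it: backslash escapes are
# literal two-character sequences, so "\t" must be decoded here.
THREAD_FMT = r"%T\t%F\t%P\t%S\t%s"

# One token per match: a %-directive, a backslash escape, or a literal run.
_TOKEN_RE = re.compile(r"%(.)|\\(.)|([^%\\]+)")
_ESCAPES = {"t": "\t", "n": "\n", "\\": "\\"}


def field_names(fmt):
    """Record field names in directive order (handy for a header line)."""
    return [DIRECTIVES[m.group(1)][0]
            for m in _TOKEN_RE.finditer(fmt)
            if m.group(1) and m.group(1) != "%"]


def format_record(record, fmt):
    """Expand fmt for one record into a single output line."""
    out = []
    for directive, escape, literal in _TOKEN_RE.findall(fmt):
        if directive:
            if directive == "%":
                out.append("%")
                continue
            if directive not in DIRECTIVES:
                raise ValueError(f"unknown directive %{directive}")
            name, render = DIRECTIVES[directive]
            value = render(record[name])
            # A value carrying the delimiter or a newline would shift every
            # later column for the consumer's split(); refuse it instead of
            # emitting a line that parses into the wrong fields.
            if "\t" in value or "\n" in value:
                raise ValueError(f"field {name} contains a delimiter: {value!r}")
            out.append(value)
        elif escape:
            if escape not in _ESCAPES:
                raise ValueError(f"unknown escape \\{escape}")
            out.append(_ESCAPES[escape])
        else:
            out.append(literal)
    return "".join(out)


def parse_line(line, fmt):
    """Consumer side (the perl while-loop in the thread): split on tab and
    map the pieces back onto the directive field names. Assumes fmt uses
    only tabs between directives."""
    names = field_names(fmt)
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(parts)}")
    return dict(zip(names, parts))


def format_fixed(record, columns):
    """Column-aligned output of the kind the wish currently unpacks.
    Values are padded to their width but never truncated, so a value
    longer than its column pushes everything after it to the right."""
    cells = []
    for directive, width in columns:
        name, render = DIRECTIVES[directive]
        cells.append(f"{render(record[name]):<{width}}")
    return "".join(cells)


def unpack_fixed(line, columns):
    """Fixed-offset unpack of a format_fixed() line; garbles on overflow."""
    out, pos = {}, 0
    for directive, width in columns:
        out[DIRECTIVES[directive][0]] = line[pos:pos + width].strip()
        pos += width
    return out


if __name__ == "__main__":
    print("\t".join(field_names(THREAD_FMT)))
    for rec in SAMPLE_RECORDS:
        print(format_record(rec, THREAD_FMT))
    cols = [("S", 14), ("s", 6)]   # 14 is one short of the longest address
    for rec in SAMPLE_RECORDS:
        print(unpack_fixed(format_fixed(rec, cols), cols))
```

With the 14-wide source address column, the second sample record's 15-character address spills its last digit into the port column and the port unpacks as "065535", which is exactly the garbage-field symptom described above; the delimited path has no such failure mode as long as the formatter refuses values that contain the delimiter.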