Two program and other odds and ends
Russell Fulton
r.fulton at auckland.ac.nz
Mon Sep 11 17:30:07 EDT 2000
On Mon, 11 Sep 2000 08:23:14 -0400 Carter Bullard <carter at qosient.com>
wrote:
> Well,
> That will make it much easier and solve a
> few fundamental problems on the way. Does anyone
> have any problems with a flex/bison dependency?
>
Nope, we normally put all the gnu developement tools on to any systems
that we do developement on.
As for the snort/argus problem:
I 'discovered' the problem yesterday when I did a search for an IP that
turned up in my slow scan detector (which runs on a linux box). It was
probing POP and IMAP ports at the rate of about 5 a day. I ran ra on
the new (fast) FreeBSd box to get all POP and IMAP sessions that did
not get established for the last few days and could not find my prober.
I then ran ra to extract just the records for that IP address and only
found 3 of the 5 packets. Both machines are running 1.8.1.
Hmmm... back to 2.0.0c on freeBSD 4.1. I have just run new ra on a
file that I had collected overnight and I am now puzzled. Using the -z
option yesterday I thought I got sSEfF for a standard tcp session but
this morning I am getting sSEFC (like my old one). I remember you
saying that you were distinguishing between FIN and FIN/ACK. Tell me
I', not cracking up ;-)
Aonother oddity: when I pipe the output from ra (2.0.0) through less
or more I don't get complete pages. Instead the cursor stops at some
arbitrary point on the screen until I hit the space bar. I never see
the ':' prompt. If I redirect output to a file and view with more or
less things behave as expected.
I am getting somewhat suspicious about that machine!
Russell
More information about the argus
mailing list