argus and snort ?

Chas DiFatta chas at freeworks.com
Mon Sep 11 21:03:36 EDT 2000 

We really haven't played with the "trigger-on-this-bad-thing"
from a network security perspective, but we find it very useful
for network application debugging.

	I.e. capture the beginning of an http GET to a specific
	server so we can read the whole request.  We can then
	correlate the time of a problem with argus and snort
	and then diagnose.

If argus captured (via a trigger) all or some of the data portion
of the tcp session, it would be EXTREMELY useful.  Or (wishing cap
on now) the first x packets from a connectionless session (udp).

I want to make it clear that in application debugging, seeing what's
going over the wire is very important and most of the time, you
don't need to see that much.  Example, why is this mail server
always giving an error?

	reject=550 <someone at x.org>... Relaying denied

>From an network management perspective, it adds another dimension
to the information that Argus provides.

Thoughts?

	...cd
 
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Carter Bullard
> Sent: Monday, September 11, 2000 4:41 PM
> To: 'Russell Fulton'; 'argus'
> Subject: RE: argus and snort ?
> 
> 
> 
> So what is snort doing for you guys that is helping?
> Is there some nugget of goodness that we can add to
> argus that will give the same info?
> 
> Carter
> 
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
> Sent: Monday, September 11, 2000 5:45 PM
> To: argus
> Subject: Re: argus and snort ?
> 
> 
> Perhaps I should have said that I am monitoring an 10Mbps ethernet 
> running at around 3Mbps in one 'direction' (inbound) and 1 Mbps in the 
> other. (yes I do know that ethernet does not have any sense of 
> direction ;-)  The box is an IBM Ativa with a 500Mhz processor and 
> 128MB ram.
> 
> Top shows Snort using about 8% of CPU and the two copies of argus are 
> down below 1%.
> 
> We will soon go to 100Mbps on the DMZ and our data rates are likely to 
> go up steeply when the Southern Cross fiber finally gets commissioned 
> later this year.  We have been promised that prices will fall sharply 
> -- I'm not holding my breath though...
> 
> Cheers.
> 
>

More information about the argus mailing list