perl scripts for argus-2.0
Russell Fulton
r.fulton at auckland.ac.nz
Wed Jan 17 21:37:44 EST 2001
Carter is suggesting that we package Argus::... as a
standard perl CPAN module. This definitely has its attractions.
I have never delved into MakeMaker before, but I guess there is a first
time for everything. I will go RTFM. Hmmmm... as I thought, it is big
and complicated, but most of the complexity is to handle the C/Perl
interface stuff which does not concern us (yet ?).
I will ponder what the best way to do this is (thanks for the start,
Carter). Unfortunately for the foreseeable future (at least the next six
weeks) I'll be grabbing an hour here and there to work on this stuff.
Starting early Feb I may be out for 4 weeks (jury service and there is
a long trial scheduled :-( )
Anyway I've just dropped the perl manual into my bag to take home, the
wonders of paper.
One question: what should we make the default install prefix? I'd vote
for ~. How does that translate in NT?
BTW if we do want to submit it to CPAN then we will have to rename the
module to Net::Argus... No big deal, I think I will do it anyway.
An aside:
In the release notes I mentioned that I had just made some major mods
to watcher that increased its sensitivity. I am now detecting scans
down to below one packet an hour (mainly from netbios worms); the
downside is that I need more sophisticated heuristics to automatically
discard the false positives. This version is storing info on 10000
source addresses and purging them on a least recently seen basis
-- uses about 12MB memory on top of whatever ra uses.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand