perl scripts for argus-2.0

Carter Bullard carter at qosient.com
Wed Jan 17 22:23:56 EST 2001


Hey Russell,
   If there is anything I can do to support the Perl
just give a holler.  I'm going to do some perl myself
to start the Web side of argus and so I'll be doing
some work.

    What can I do to help on the false positive side?
Do you feel like you have enough info from Argus?

Hope all is well!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426


> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
> Sent: Wednesday, January 17, 2001 9:38 PM
> To: 'Argus (E-mail)'
> Subject: perl scripts for argus-2.0
> 
> 
> Carter is suggesting that we package Argus::... as a
> standard perl CPAN module.  This definitely has its attractions.
> 
> I have never delved into MakeMaker before, but I guess there
> is a first time for everything.  I will go RTFM.  Hmmmm... as I
> thought it is big and complicated, but most of the complexity is
> to handle the C/Perl interface stuff which does not concern us
> (yet ?).
> 
> I will ponder what the best way to do this is (thanks for the
> start Carter). Unfortunately for the foreseeable future (at
> least the next six weeks) I'll be grabbing an hour here and
> there to work on this stuff.  Starting early Feb I may be out
> for 4 weeks (jury service and there is a long trial scheduled
> :-( )
> 
> Anyway I've just dropped the perl manual into my bag to take
> home, the wonders of paper.
> 
> One question: what should we make the default install prefix?
> I'd vote for ~.  How does that translate in NT?
> 
> BTW if we do want to submit it to CPAN then we will have to
> rename the module to Net::Argus...  No big deal, I think I will
> do it anyway.
> 
> An aside:
> 
> In the release notes I mentioned that I had just made some major
> mods to watcher that increased its sensitivity.  I am now
> detecting scans down to below one packet an hour (mainly from
> netbios worms), the down side is that I need more sophisticated
> heuristics to automatically discard the false positives. This
> version is storing info on 10000 source addresses and purging
> them on a least most recently seen basis -- uses about 12MB
> memory on top of whatever ra uses.
> 
> 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> 
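Russell's aside describes the core of a slow-scan detector: a table of source addresses bounded at a fixed size and purged on a least-recently-seen basis, so that a host sending one packet an hour still accumulates evidence while short-lived benign sources age out. The Perl below is an added illustration of that idea, not Russell's watcher and not code from the Argus project. It assumes a simplified, constructed record layout (epoch, proto, src, dst, dport) rather than the real `ra` output format, uses a tiny table size so the purge is visible, and the threshold and window values are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Tunables. The post describes 10000 tracked sources; a tiny table here
# makes the least-recently-seen purge visible in the sample run.
my $MAX_SOURCES = 3;          # upper bound on tracked source addresses
my $MIN_TARGETS = 3;          # distinct dst:port pairs before we alert
my $WINDOW      = 6 * 3600;   # forget evidence older than this (seconds)

# Tracking table: src addr -> { last    => epoch of last sighting,
#                               targets => { "dst:port" => epoch first seen },
#                               alerted => 0/1 }
my %src;

# Drop the source whose most recent packet is the oldest. A sort is fine
# at this size; a real watcher would keep an age-ordered list instead.
sub purge_oldest {
    my ($victim) = sort { $src{$a}{last} <=> $src{$b}{last} } keys %src;
    delete $src{$victim};
    return $victim;
}

# Feed one flow. Returns an alert string the first time a source crosses
# the threshold, otherwise undef.
sub observe {
    my ($t, $s, $d, $p) = @_;
    if (!exists $src{$s} && keys(%src) >= $MAX_SOURCES) {
        purge_oldest();
    }
    $src{$s} = { last => $t, targets => {}, alerted => 0 }
        unless exists $src{$s};
    my $e = $src{$s};
    $e->{last} = $t;   # every sighting refreshes the entry, so a slow
                       # scanner is never the one purged
    # Expire stale evidence so a host that was busy last week starts clean.
    for my $k (keys %{ $e->{targets} }) {
        delete $e->{targets}{$k} if $t - $e->{targets}{$k} > $WINDOW;
    }
    $e->{targets}{"$d:$p"} = $t unless exists $e->{targets}{"$d:$p"};
    my $n = keys %{ $e->{targets} };
    if ($n >= $MIN_TARGETS && !$e->{alerted}) {
        $e->{alerted} = 1;
        return sprintf "%s probed %d distinct dst:port pairs within %d h",
            $s, $n, $WINDOW / 3600;
    }
    return;
}

# Constructed sample flows (NOT real ra output): one source touches a new
# netbios port on a new host roughly once an hour while other hosts churn
# through the small table.
my @records = (
    # epoch  proto  src         dst           dport
    [ 0,     'tcp', '10.0.0.5', '192.0.2.10', 139 ],
    [ 600,   'tcp', '10.0.0.7', '192.0.2.80', 80  ],
    [ 1200,  'tcp', '10.0.0.8', '192.0.2.80', 80  ],
    [ 3600,  'tcp', '10.0.0.5', '192.0.2.11', 139 ],
    [ 4000,  'tcp', '10.0.0.9', '192.0.2.25', 25  ],  # table full: 10.0.0.7 is purged
    [ 7200,  'tcp', '10.0.0.5', '192.0.2.12', 139 ],  # third target for 10.0.0.5
);

for my $r (@records) {
    my ($t, $proto, $s, $d, $p) = @$r;
    my $alert = observe($t, $s, $d, $p);
    print "ALERT: $alert\n" if defined $alert;
}
printf "tracking %d sources: %s\n",
    scalar(keys %src), join(', ', sort keys %src);
```

The two knobs that decide the false-positive rate are the distinct-target threshold and the evidence window: a larger window catches slower scans but lets a busy legitimate host (a proxy, a mail relay) accumulate enough distinct destinations to trip the alert, which is the heuristics problem Russell mentions. Refreshing `last` on every sighting is what keeps the bounded table biased toward persistent sources rather than the most recent burst of traffic.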