ra filter has changed behaviour ??
Carter Bullard
carter at qosient.com
Tue Mar 6 20:07:21 EST 2001
Hey Russell,
I did make a change in the compiler, so we should look
there first. It could be that the optimizer is having
problems with the line (tcp and (not est)), as I made a
change to the "est" logic to make "tcp" a part of the
"est" filter.
No problem reverting back.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell
> Fulton
> Sent: Tuesday, March 06, 2001 6:50 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: ra filter has changed behaviour ??
>
>
> Since I installed beta 9 I have been getting lots of non-IP traffic
> through the following filter, which I use for my slow scan detector.
>
> 'icmp or frag or udp or \(tcp and \(not est\) and \(not \(port 80 or port 113 or port 25 or port 53\)\)\)';
>
> We clearly still have some LAT terminal servers somewhere on campus as
> well as all sorts of other garbage floating around.
>
> I'll patch the job to print its filter tonight just to make quite sure
> that the problem isn't here.
>
> Cheers, Russell.
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
>