2nd beta release of my argus perl scripts...

Carter Bullard carter at qosient.com
Wed Mar 14 08:44:35 EST 2001


Hey Russell,
   This is great stuff!!!!  I'm going to do some 
preliminary testing tomorrow, and a bunch of testing
next week.

   Are there any real problems that you've identified
that you would like us to think about, in terms of
say minimizing false positives, etc., detecting
portmapper scanning requests, that kind of thing?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell
> Fulton
> Sent: Sunday, March 11, 2001 10:05 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: 2nd beta release of my argus perl scripts...
> 
> 
> Here is another release of my argus perl scripts.
> 
> I have done some work on the Argus::Archive.pm module and
> the archive layout is now configurable via Argus.pm.  Here are the 
> comments from Argus.pm:
> 
> $Archive_root = "$Home/data";
> 
> # Template for directory structure where archived data is stored.
> # By default Argus::Archive assumes a directory structure of the form
> # "$Archive_root/$Archive_dir_template/" where $Archive_dir_template
> # is an strftime format string.
> # 
> 
> $Archive_dir_template = "%Y/%m/%d";   # eg  2001/03/05
> #$Archive_dir_template = "%Y.%m.%d";   # eg  2001.03.05
> 
> # an RE that will match all argus log files (you may have other files
> # stored in the directory -- I do).  Argus::Archive assumes (by default)
> # that sorting the filenames lexically will yield the files in time
> # order
> $Archive_file_template = "^argus-*";
> 
> # If your archive tree does not conform to the above assumptions you 
> # will need to modify the Argus/Archive.pm file to do 'the right thing'
> # with your archive structure.
> 
> Watcher script has had some far reaching changes which dramatically 
> increase its sensitivity.  The changes were inspired by the script that 
> David posted to the theory group website and involve moving from a 
> strictly time based purging of address information to a strategy 
> based on holding information on a set (configurable) number of source 
> addresses.
> 
> Watching 10,000 addresses and purging on a Least recently seen basis I 
> am now detecting scan rates down to around 10 packets per day.  This is 
> approaching what slowscan is capable of.  It is now picking up windows 
> trojans scanning randomly within their own /8 address space.
> 
> There are even some man pages (more work needs to be done here, 
> surprise!)
> 
> I have also spent a lot of time tweaking slowscan and watcher scripts 
> to use new features of Argus 2.0.  
>  
> Brief install instructions:
> 
> set ARGUSHOME to point to the directory where you want the bin and lib 
> dirs installed.
> 
> untar the archive
> 
> cd Argus-perl-2.00
> 
> perl Makefile.PL (ARGUSHOME must be set before this step)
> 
> make install
> 
> That's it.
> 
> Cheers, Russell.
> 
> 
> 
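The two mechanisms Russell describes above, the strftime-based archive layout with its lexical-sort assumption and the watcher's move from time-based purging to holding a fixed number of source addresses with least-recently-seen eviction, as an added illustration in Python (not Russell's Argus perl scripts and not part of the original thread). The hosts, flow records and the Watcher/archive_dir/lexical_order_is_chronological names are constructed for the example; the same constructed day of traffic is replayed through a TTL-purged watcher and an LRU-bounded one so the difference in sensitivity to a slow scanner is visible.

```python
"""Added example (not part of Russell Fulton's Argus perl scripts): a
bounded source-address watcher illustrating the post's move from
time-based purging to keeping a fixed number of sources and evicting the
least recently seen one, plus a check of the archive-layout assumption
that lexical file order equals time order. Hosts and flows are constructed."""
from collections import OrderedDict
from datetime import datetime, timezone
import posixpath


def epoch(year, month, day, hour=0):
    """UTC epoch seconds for a calendar date (helper for the checks below)."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


def archive_dir(root, template, ts):
    """Directory for an archive file under $Archive_root/$Archive_dir_template."""
    return posixpath.join(root, datetime.fromtimestamp(ts, timezone.utc).strftime(template))


def lexical_order_is_chronological(template, timestamps):
    """The post assumes that sorting names lexically yields time order; verify it for a template."""
    names = [datetime.fromtimestamp(t, timezone.utc).strftime(template) for t in sorted(timestamps)]
    return names == sorted(names)


class Watcher:
    """Track distinct destinations per source; purge by TTL, by LRU slot count, or both."""

    def __init__(self, max_sources=None, ttl=None, threshold=3):
        self.max_sources = max_sources  # LRU mode: fixed number of sources held
        self.ttl = ttl                  # time mode: drop sources idle longer than ttl seconds
        self.threshold = threshold      # distinct (dst, port) pairs before a source is reported
        self.sources = OrderedDict()    # src -> state, ordered least recently seen first
        self.alerts = []

    def observe(self, ts, src, dst, dport):
        if self.ttl is not None:
            stale = [s for s, st in self.sources.items() if st["last"] < ts - self.ttl]
            for s in stale:
                del self.sources[s]
        state = self.sources.get(src)
        if state is None:
            if self.max_sources is not None and len(self.sources) >= self.max_sources:
                self.sources.popitem(last=False)  # evict the least recently seen source
            state = {"first": ts, "last": ts, "dsts": set(), "reported": False}
            self.sources[src] = state
        else:
            self.sources.move_to_end(src)  # mark as most recently seen
        state["last"] = ts
        state["dsts"].add((dst, dport))
        if not state["reported"] and len(state["dsts"]) >= self.threshold:
            state["reported"] = True
            self.alerts.append((src, len(state["dsts"]), ts - state["first"]))


def build_sample_flows():
    """Constructed day of flows: three chatty benign hosts plus one slow scanner."""
    flows = []
    for t in range(0, 86400, 600):  # benign hosts talk to one server every 10 minutes
        for i in range(3):
            flows.append((t, f"192.0.2.{i + 1}", "198.51.100.10", 443))
    for k in range(6):  # scanner probes a new host every 4 hours (6 probes per day)
        flows.append((k * 14400 + 5, "203.0.113.7", f"198.51.100.{20 + k}", 22))
    return sorted(flows)


def run_watcher(flows, max_sources=None, ttl=None, threshold=3):
    """Replay flows through a Watcher and return its (src, dst_count, elapsed_seconds) alerts."""
    w = Watcher(max_sources=max_sources, ttl=ttl, threshold=threshold)
    for ts, src, dst, dport in flows:
        w.observe(ts, src, dst, dport)
    return w.alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    print("time-based purge, 1h TTL:", run_watcher(flows, ttl=3600))
    print("LRU, 4 slots:", run_watcher(flows, max_sources=4))
    print("LRU, 3 slots:", run_watcher(flows, max_sources=3))
    print(archive_dir("/home/argus/data", "%Y/%m/%d", epoch(2001, 3, 5)))
    print(lexical_order_is_chronological("%d/%m/%Y", [epoch(2001, 3, 5), epoch(2001, 4, 1)]))
```

With a one-hour TTL the scanner's entry is dropped between its four-hourly probes and it is never reported; with four LRU slots it survives because no new source displaces it, and it is reported after its third probe. The three-slot run shows the caveat behind Russell's 10,000-address figure: the table must hold more sources than appear between two probes, or the slow scanner is evicted just as it would be by a timer. The template check shows why the post's lexical-order assumption holds for "%Y/%m/%d" but not for a day-first layout.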