Ok, really, the last one.....ragator question

Wozz wozz+argus at wookie.net
Wed Nov 14 18:36:22 EST 2001


Just want to make sure I'm clear, because I'm concerned about missing out
on some bad traffic through misunderstanding how the aggregation works.  If
I want to completely mask out a particular flow (let's say smtp traffic between
a and b) the flowfile entry would look something like this (I thought):

Flow	100	a	b	tcp	*	25	101	604800
Flow	101	b	a	tcp	*	25	101	604800

Model	101	0.0.0.0	0.0.0.0	no	no	no

What I'm ending up with in my ragator output however is:

13 Nov 01 11:37:22    tcp   b.25   ?>   a.1345 FIN
13 Nov 01 13:08:22    tcp   b.25   ?>   a.3665 FIN

It's seeing the FIN and getting confused about the direction of the
connection (or perhaps that's the intended behavior and I'm the one
that's confused).  In order to totally remove this flow from my
ragator output, I have to add the following flows:

Flow	102	a	b	tcp	25	*	101	604800
Flow	103	b	a	tcp	25	*	101	604800

Now, perhaps this is the intended behavior, since argus isn't truly
stateful, but my concern here is that someone can spoof some packets
from port 25 and slip under my argus radar.  Sure, it would probably
be caught elsewhere on my other radars ;), but I'm a big fan of
defense in depth, so I'd like to avoid missing out on stuff if at
all possible.  Have I made any sense?  Is argus at all stateful?
Is there no other solution other than putting all 4 flow statements
in there to filter out a connection?  Is there a command line switch that
could change this behavior that I'm missing?  I promise, I'll stop the
emails after this one ;)



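The matching behaviour described in the message above, as an added example; this is not part of the original post and not argus or ragator code. It assumes the flowfile column order seen in the post (Flow id src dst proto sport dport model timeout) and simple per-field exact-or-wildcard matching with src/sport taken literally as the source side. Under those assumptions it reproduces what the post reports: rules 100/101 leave a record whose port 25 sits on the source side unmasked, rules 102/103 mask it, and those same rules also mask a constructed record that carries a forged source port 25 to an unrelated destination port, which is the spoofing concern the post raises.

```python
"""Toy model of flowfile masking, written to illustrate the post's observation.

Assumed (not ragator's real implementation): a record is masked by a Flow rule
when every non-wildcard field of the rule equals the corresponding record field.
"""
from dataclasses import dataclass
from typing import Dict, List

WILD = "*"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str
    dst: str
    proto: str
    sport: str   # "*" or a port number kept as a string
    dport: str
    model: int
    timeout: int


def parse_flowfile(text: str) -> List[Rule]:
    """Parse 'Flow' lines in the column order used in the post; 'Model' lines are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or fields[0] != "Flow":
            continue
        _, rid, src, dst, proto, sport, dport, model, timeout = fields
        rules.append(Rule(int(rid), src, dst, proto, sport, dport, int(model), int(timeout)))
    return rules


def field_ok(pattern: str, value: str) -> bool:
    return pattern == WILD or pattern == value


def matches(rule: Rule, rec: Dict[str, str]) -> bool:
    """Direction is taken literally: the rule's src/sport must be the record's source side."""
    return (field_ok(rule.src, rec["src"]) and field_ok(rule.dst, rec["dst"])
            and field_ok(rule.proto, rec["proto"])
            and field_ok(rule.sport, rec["sport"]) and field_ok(rule.dport, rec["dport"]))


def masked_by(rules: List[Rule], rec: Dict[str, str]) -> List[int]:
    """Ids of every rule that would mask this record (empty list: the record is still reported)."""
    return [r.rule_id for r in rules if matches(r, rec)]


# The two rule sets from the post (hosts a and b kept symbolic, as in the post).
TWO_RULES = """\
Flow 100 a b tcp * 25 101 604800
Flow 101 b a tcp * 25 101 604800
Model 101 0.0.0.0 0.0.0.0 no no no
"""
FOUR_RULES = TWO_RULES + """\
Flow 102 a b tcp 25 * 101 604800
Flow 103 b a tcp 25 * 101 604800
"""


def rec(src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> Dict[str, str]:
    return {"src": src, "sport": str(sport), "dst": dst, "dport": str(dport), "proto": proto}


# Constructed records, modelled on the post's ragator output line "b.25 ?> a.1345".
CLIENT_SIDE = rec("a", 1345, "b", 25)   # the usual client -> server view of the same session
SERVER_SIDE = rec("b", 25, "a", 1345)   # port 25 on the source side, as in the post's output
FORGED_25 = rec("b", 25, "a", 80)       # hypothetical forged source port 25, not smtp at all


def main() -> None:
    two = parse_flowfile(TWO_RULES)
    four = parse_flowfile(FOUR_RULES)
    for name, r in (("client side", CLIENT_SIDE), ("server side", SERVER_SIDE),
                    ("forged sport 25", FORGED_25)):
        print(f"{name:16} two rules -> {masked_by(two, r)!s:7} four rules -> {masked_by(four, r)}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one line per record; the server-side record is masked by nothing under the two-rule file and by rule 103 under the four-rule file, and the forged-source-port record is masked by rule 103 as well, which is exactly the trade-off the post worries about.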