Ok, really, the last one.....ragator question
Wozz
wozz+argus at wookie.net
Wed Nov 14 18:36:22 EST 2001
Just want to make sure I'm clear, because I'm concerned about missing out
on some bad traffic through misunderstanding how the aggregation works. If
I want to completely mask out a particular flow (let's say smtp traffic between
a and b) the flowfile entry would look something like this (I thought)
Flow 100 a b tcp * 25 101 604800
Flow 101 b a tcp * 25 101 604800
Model 101 0.0.0.0 0.0.0.0 no no no
What I'm ending up with in my ragator output however is:
13 Nov 01 11:37:22 tcp b.25 ?> a.1345 FIN
13 Nov 01 13:08:22 tcp b.25 ?> a.3665 FIN
It's seeing the FIN and getting confused about the direction of the
connection (or perhaps that's the intended behavior and I'm the one
that's confused). In order to totally remove this flow from my
ragator output, I have to add the following flows
Flow 102 a b tcp 25 * 101 604800
Flow 103 b a tcp 25 * 101 604800
Now, perhaps this is the intended behavior, since argus isn't truly
stateful, but my concern here is that someone can spoof some packets
from port 25 and slip under my argus radar. Sure, it would probably
be caught elsewhere on my other radars ;), but I'm a big fan of
defense in depth, so I'd like to avoid missing out on stuff if at
all possible. Have I made any sense? Is argus at all stateful?
Is there no other solution other than putting all 4 flow statements
in there to filter out a connection? Is there a command line switch that
could change this behavior that I'm missing? I promise, I'll stop the
emails after this one ;)
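The situation described in the post, worked through as an added illustration (this is not ragator's own matching code, and the matching semantics are an assumption): a small matcher that treats each Flow line as a literal, direction-sensitive rule with "*" as a wildcard, runs the post's two ragator records (plus one constructed record of an ordinary client-to-server connection) through the two-rule and four-rule flowfiles, and reports which records would still be left visible. It also audits a flowfile for rules that have no swapped-direction twin, which is the check a defender would want to run before relying on a mask to hide a flow.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample flowfile entries, laid out as in the post:
# "Flow <id> <src> <dst> <proto> <sport> <dport> <model> <timeout>".
# The two-rule set is the first attempt; the four-rule set adds the
# port-reversed entries that turned out to be needed.
FLOWFILE_TWO_RULES = """
Flow 100 a b tcp * 25 101 604800
Flow 101 b a tcp * 25 101 604800
"""

FLOWFILE_FOUR_RULES = FLOWFILE_TWO_RULES + """
Flow 102 a b tcp 25 * 101 604800
Flow 103 b a tcp 25 * 101 604800
"""

# Constructed ragator output: the first two lines are the post's records
# (direction guessed from a FIN); the third is a made-up record of a normal
# client-to-server connection, added for contrast.
RAGATOR_OUTPUT = """
13 Nov 01 11:37:22 tcp b.25 ?> a.1345 FIN
13 Nov 01 13:08:22 tcp b.25 ?> a.3665 FIN
13 Nov 01 14:02:10 tcp a.4021 -> b.25 EST
"""


@dataclass(frozen=True)
class Flow:
    ident: int
    src: str
    dst: str
    proto: str
    sport: str
    dport: str


@dataclass(frozen=True)
class Record:
    line: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str


def parse_flows(text: str) -> List[Flow]:
    """Read the Flow lines of a flowfile; Model lines and blanks are skipped."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "Flow":
            continue
        _, ident, src, dst, proto, sport, dport, _model, _timeout = parts
        flows.append(Flow(int(ident), src, dst, proto, sport, dport))
    return flows


def _split_endpoint(endpoint: str):
    # Split on the last dot so dotted IP addresses keep their form.
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_records(text: str) -> List[Record]:
    """Take the last five fields of each output line: proto src dir dst state."""
    recs = []
    for line in text.strip().splitlines():
        proto, src, _direction, dst, _state = line.split()[-5:]
        shost, sport = _split_endpoint(src)
        dhost, dport = _split_endpoint(dst)
        recs.append(Record(line, proto, shost, sport, dhost, dport))
    return recs


def _field_ok(rule: str, value: str) -> bool:
    return rule == "*" or rule == value


def matches(flow: Flow, rec: Record) -> bool:
    """Assumed semantics: src must be src, dst must be dst, '*' matches anything."""
    return (_field_ok(flow.proto, rec.proto)
            and _field_ok(flow.src, rec.src) and _field_ok(flow.dst, rec.dst)
            and _field_ok(flow.sport, rec.sport) and _field_ok(flow.dport, rec.dport))


def unmatched(flows: List[Flow], recs: List[Record]) -> List[str]:
    """Records claimed by no rule: these would still appear in the output."""
    return [r.line for r in recs if not any(matches(f, r) for f in flows)]


def missing_reverse(flows: List[Flow]) -> List[int]:
    """Rule ids whose swapped twin (src<->dst, sport<->dport) is absent."""
    keys = {(f.src, f.dst, f.proto, f.sport, f.dport) for f in flows}
    return sorted(f.ident for f in flows
                  if (f.dst, f.src, f.proto, f.dport, f.sport) not in keys)


if __name__ == "__main__":
    recs = parse_records(RAGATOR_OUTPUT)
    for label, text in (("two rules", FLOWFILE_TWO_RULES),
                        ("four rules", FLOWFILE_FOUR_RULES)):
        flows = parse_flows(text)
        print(f"{label}: still visible = {unmatched(flows, recs)}; "
              f"one-sided rules = {missing_reverse(flows)}")
```

With the two-rule flowfile the two FIN records stay visible and both rules are reported as one-sided; with the four-rule flowfile nothing leaks through and the audit is clean. Under the assumed literal matching, a record whose direction was guessed backwards can only be masked by a rule written for that reversed orientation, which is exactly why the port-reversed entries were needed.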
More information about the argus mailing list