'known flows' configuration file

[Yann Berthier]

   Hi list !

   I discovered Argus recently while searching tools to help to
   highlight anomalies in a network trace: signs of an intrusion,
   troyans, and so on, and I am very enthusiastic about it !

   So, back to my subject: wouldn't it be helpful to have argus able to
   display (well, ra*) only defined flows ? Something like: 

     tcp $INTERNAL_NET.any -> $SMTP_DMZ.25
     icmp any -> any ECO

   One can imagine a configuration file listing flows, and a flag to ra*
   to display or not flows matching this file : after all, it could be
   interesting as well to have the number of packets / bytes exchanged
   between the defined networks / flows - but of course the notion of
   state of the connection is meaningless here.

   I don't know if all of this make sense, just wanted to ask the list
   to know ... :) anyway, the idea is not to transform argus in a nids,
   but it could be handy to have argus displaying only non known flows,
   perhaps at least for the guy trying to enumarate the flows on its
   network to be able to partition it on a second round.

   ok, of course the bpf like filters are here for that, but it can be a
   bit tedious if you have multiple networks / flows to define.

   If this has been debated before, i apologize - a quick look in the
   archives raised nothing but ... it was a very _quick_ look :)

   Last point: is there an irc channel where people meet around argus
   ?
   
   Regards, 

   yann.


-- 
   Yann.Berthier at hsc.fr * Hervé Schauer Consultants * http://www.hsc.fr/