'known flows' configuration file

Mark Poepping poepping at cmu.edu
Thu Feb 14 10:33:59 EST 2002 

 
You don't have to use the command line to specify filters if you create
a specialized rarc(5) file with RA_FILTER defined, then use it with ra
-F
2K limit on the expression, but of course you can string them together..
Mark.

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> info at lists.andrew.cmu.edu] On Behalf Of Yann Berthier
> Sent: Thursday, February 14, 2002 3:48 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: 'known flows' configuration file
> 
> 
>    Hi list !
> 
>    I discovered Argus recently while searching tools to help to
>    highlight anomalies in a network trace: signs of an intrusion,
>    troyans, and so on, and I am very enthusiastic about it !
> 
>    So, back to my subject: wouldn't it be helpful to have argus able
to
>    display (well, ra*) only defined flows ? Something like:
> 
>      tcp $INTERNAL_NET.any -> $SMTP_DMZ.25
>      icmp any -> any ECO
> 
>    One can imagine a configuration file listing flows, and a flag to
ra*
>    to display or not flows matching this file : after all, it could be
>    interesting as well to have the number of packets / bytes exchanged
>    between the defined networks / flows - but of course the notion of
>    state of the connection is meaningless here.
> 
>    I don't know if all of this make sense, just wanted to ask the list
>    to know ... :) anyway, the idea is not to transform argus in a
nids,
>    but it could be handy to have argus displaying only non known
flows,
>    perhaps at least for the guy trying to enumarate the flows on its
>    network to be able to partition it on a second round.
> 
>    ok, of course the bpf like filters are here for that, but it can be
a
>    bit tedious if you have multiple networks / flows to define.
> 
>    If this has been debated before, i apologize - a quick look in the
>    archives raised nothing but ... it was a very _quick_ look :)
> 
>    Last point: is there an irc channel where people meet around argus
>    ?
> 
>    Regards,
> 
>    yann.
> 
> 
> --
>    Yann.Berthier at hsc.fr * Hervé Schauer Consultants *
http://www.hsc.fr/

More information about the argus mailing list