'known flows' configuration file
newton
newton at unb.ca
Thu Feb 14 10:58:14 EST 2002
Anyone got an example of doing this? Sounds cool, and presumably, if you are
connecting this ra to an argus sensor, does the ra client tell argus that it
only wants 'the following stuff'? That is, as opposed to argus shipping all
of it to ra, and ra filtering out what it doesn't want... printing the rest?
Thanks
Chris
>===== Original Message From "Mark Poepping" <poepping at cmu.edu> =====
>You don't have to use the command line to specify filters if you create
>a specialized rarc(5) file with RA_FILTER defined, then use it with ra -F.
>2K limit on the expression, but of course you can string them together..
>Mark.
>
>> -----Original Message-----
>> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
>> info at lists.andrew.cmu.edu] On Behalf Of Yann Berthier
>> Sent: Thursday, February 14, 2002 3:48 AM
>> To: argus-info at lists.andrew.cmu.edu
>> Subject: 'known flows' configuration file
>>
>>
>> Hi list !
>>
>> I discovered Argus recently while searching for tools to help
>> highlight anomalies in a network trace: signs of an intrusion,
>> trojans, and so on, and I am very enthusiastic about it !
>>
>> So, back to my subject: wouldn't it be helpful to have argus able to
>> display (well, ra*) only defined flows ? Something like:
>>
>> tcp $INTERNAL_NET.any -> $SMTP_DMZ.25
>> icmp any -> any ECO
>>
>> One can imagine a configuration file listing flows, and a flag to ra*
>> to display or not flows matching this file : after all, it could be
>> interesting as well to have the number of packets / bytes exchanged
>> between the defined networks / flows - but of course the notion of
>> state of the connection is meaningless here.
>>
>> I don't know if all of this makes sense, just wanted to ask the list
>> to know ... :) anyway, the idea is not to transform argus into a nids,
>> but it could be handy to have argus displaying only non-known flows,
>> perhaps at least for the guy trying to enumerate the flows on his
>> network to be able to partition it on a second round.
>>
>> ok, of course the bpf-like filters are here for that, but it can be a
>> bit tedious if you have multiple networks / flows to define.
>>
>> If this has been debated before, I apologize - a quick look in the
>> archives raised nothing but ... it was a very _quick_ look :)
>>
>> Last point: is there an irc channel where people meet around argus
>> ?
>>
>> Regards,
>>
>> yann.
>>
>>
>> --
>> Yann.Berthier at hsc.fr * Hervé Schauer Consultants * http://www.hsc.fr/
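As an added example (not code from this thread, nor from the argus project), here is a small Python converter for the kind of "known flows" file Yann sketches and the RA_FILTER approach Mark points to. It resolves the $NAME placeholders, renders each flow as a tcpdump-style clause, ORs them into one expression (or its negation, for the "show me only the non-known flows" case), and splits the list into several expressions when it would exceed the 2K limit Mark mentions. The network values and the flow list are constructed for the example; the exact 2048-byte figure, the `RA_FILTER="..."` quoting inside rarc, and the `icmp[0] = 8` spelling of ECO are assumptions, so check ra(1) and rarc(5) for the filter grammar your ra actually accepts.

```python
"""Build ra filter expressions from a 'known flows' list (added example, not ra code)."""
import ipaddress
import re

# The "2K limit on the expression" mentioned in the thread; the exact byte figure is assumed.
MAX_FILTER_LEN = 2048

# Constructed sample in the syntax proposed in the thread: proto src.port -> dst.port [icmp type]
KNOWN_FLOWS = """
# internal clients to the DMZ services, plus ping
tcp  $INTERNAL_NET.any -> $SMTP_DMZ.25
tcp  $INTERNAL_NET.any -> $WEB_DMZ.80
udp  $INTERNAL_NET.any -> $DNS_SERVER.53
icmp any -> any ECO
"""

# Constructed documentation-range addresses behind the $NAME placeholders.
NETS = {
    "INTERNAL_NET": "10.0.0.0/8",
    "SMTP_DMZ": "192.0.2.0/24",
    "WEB_DMZ": "198.51.100.0/24",
    "DNS_SERVER": "192.0.2.53",
}

# ICMP type names -> type numbers, rendered tcpdump-style as "icmp[0] = N"
# (assumed to be accepted by ra's filter grammar; verify against ra(1)).
ICMP_TYPES = {"ECO": 8, "ECR": 0}

FLOW_RE = re.compile(r"^(\w+)\s+(\S+)\s*->\s*(\S+)(?:\s+(\S+))?$")


def resolve(host):
    """Expand a $NAME via NETS, then parse the result as a host or CIDR network."""
    if host.startswith("$"):
        host = NETS[host[1:]]
    return ipaddress.ip_network(host, strict=False)


def endpoint_terms(spec, side):
    """Turn 'host.port' (or 'any') into filter terms for side = 'src' or 'dst'."""
    if spec == "any":
        return []
    host, sep, port = spec.rpartition(".")  # the port is always the last dotted field
    if not sep:
        raise ValueError(f"endpoint must be host.port or any: {spec!r}")
    net = resolve(host)
    terms = [f"{side} host {net.network_address}" if net.num_addresses == 1
             else f"{side} net {net.with_prefixlen}"]
    if port != "any":
        terms.append(f"{side} port {int(port)}")
    return terms


def flow_clause(line):
    """One known-flows line -> one parenthesised filter clause."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse flow line: {line!r}")
    proto, src, dst, extra = m.groups()
    terms = [proto] + endpoint_terms(src, "src") + endpoint_terms(dst, "dst")
    if extra:
        if proto != "icmp":
            raise ValueError(f"trailing field only allowed for icmp: {line!r}")
        terms.append(f"icmp[0] = {ICMP_TYPES[extra]}")
    return "(" + " and ".join(terms) + ")"


def parse_known_flows(text):
    """All clauses from a known-flows file, skipping blank lines and # comments."""
    return [flow_clause(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def build_filters(clauses, unknown=False, limit=MAX_FILTER_LEN):
    """OR the clauses into as few expressions as fit under `limit` bytes.

    unknown=True negates each expression, giving the 'only non-known flows' view.
    Several negated expressions applied one after another remove the same flows
    as one big negation would, so splitting stays sound in that mode.
    """
    def render(group):
        expr = " or ".join(group)
        return f"not ({expr})" if unknown else expr

    exprs, cur = [], []
    for c in clauses:
        if len(render([c])) > limit:
            raise ValueError(f"single clause exceeds {limit} bytes: {c}")
        if cur and len(render(cur + [c])) > limit:
            exprs.append(render(cur))
            cur = []
        cur.append(c)
    if cur:
        exprs.append(render(cur))
    return exprs


def rarc_text(expr):
    """Minimal rarc(5) contents; the RA_FILTER="..." quoting is an assumption."""
    return f'RA_FILTER="{expr}"\n'


if __name__ == "__main__":
    clauses = parse_known_flows(KNOWN_FLOWS)
    for i, expr in enumerate(build_filters(clauses, unknown=True), 1):
        print(f"# unknown-{i}.rarc")
        print(rarc_text(expr))
```

With a generated file in hand, the filter is applied with the -F flag Mark mentions, e.g. `ra -F unknown-1.rarc -r argus.out` (the -r read-file option is assumed from ra(1)). When the non-known-flows list no longer fits in one expression, the generated files can be chained by piping one ra into the next, since every stage only subtracts more known flows.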