'known flows' configuration file

Carter Bullard carter at qosient.com
Thu Feb 14 10:48:32 EST 2002


Hey Guys,
   If you implement it with filters, the filter is
sent to the argus, and the filtering is done on the
remote side.  If you implement it with a flow model
such as ragator, then no, the aggregation is done
on the local side.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of newton
> Sent: Thursday, February 14, 2002 10:58 AM
> To: Mark Poepping; Yann Berthier
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: RE: 'known flows' configuration file
> 
> 
> Anyone got an example of doing this?  Sounds cool, and presumably, if
> you are connecting this ra to an argus sensor, does the ra client tell
> argus that it only wants 'the following stuff'?  That is, as opposed to
> argus shipping all of it to ra, and ra filtering out what it doesn't
> want... printing the rest?
> 
> Thanks
> 
> Chris
> 
> >===== Original Message From "Mark Poepping" <poepping at cmu.edu> =====
> >You don't have to use the command line to specify filters if you create
> >a specialized rarc(5) file with RA_FILTER defined, then use it with ra
> >-F 2K limit on the expression, but of course you can string them
> >together.. Mark.
> >
> >> -----Original Message-----
> >> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> >> info at lists.andrew.cmu.edu] On Behalf Of Yann Berthier
> >> Sent: Thursday, February 14, 2002 3:48 AM
> >> To: argus-info at lists.andrew.cmu.edu
> >> Subject: 'known flows' configuration file
> >>
> >>
> >>    Hi list !
> >>
> >>    I discovered Argus recently while searching tools to help to
> >>    highlight anomalies in a network trace: signs of an intrusion,
> >>    trojans, and so on, and I am very enthusiastic about it !
> >>
> >>    So, back to my subject: wouldn't it be helpful to have argus able to
> >>    display (well, ra*) only defined flows ? Something like:
> >>
> >>      tcp $INTERNAL_NET.any -> $SMTP_DMZ.25
> >>      icmp any -> any ECO
> >>
> >>    One can imagine a configuration file listing flows, and a flag to ra*
> >>    to display or not flows matching this file : after all, it could be
> >>    interesting as well to have the number of packets / bytes exchanged
> >>    between the defined networks / flows - but of course the notion of
> >>    state of the connection is meaningless here.
> >>
> >>    I don't know if all of this makes sense, just wanted to ask the list
> >>    to know ... :) anyway, the idea is not to transform argus in a nids,
> >>    but it could be handy to have argus displaying only non known flows,
> >>    perhaps at least for the guy trying to enumerate the flows on its
> >>    network to be able to partition it on a second round.
> >>
> >>    ok, of course the bpf like filters are here for that, but it can be a
> >>    bit tedious if you have multiple networks / flows to define.
> >>
> >>    If this has been debated before, i apologize - a quick look in the
> >>    archives raised nothing but ... it was a very _quick_ look :)
> >>
> >>    Last point: is there an irc channel where people meet around argus ?
> >>
> >>    Regards,
> >>
> >>    yann.
> >>
> >>
> >> --
> >>    Yann.Berthier at hsc.fr * Hervé Schauer Consultants *
> >>    http://www.hsc.fr/

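The 'known flows' file Yann sketches in the quoted message, applied on the local side the way Carter describes for a flow model rather than a filter pushed to the remote argus (an added example, not argus or ra code): it parses rules in that syntax, expands `$NAME` networks from a constructed table, and returns the flows that match no rule, i.e. what a "show me only non-known flows" flag would print. The NETS values, the flow record field names (`saddr`, `dport`, `itype`, ...) and the sample records are assumptions constructed for the example.

```python
import ipaddress

# Constructed network definitions for the $NAME tokens used in the rules.
NETS = {"INTERNAL_NET": ipaddress.ip_network("10.0.0.0/8"),
        "SMTP_DMZ": ipaddress.ip_network("192.0.2.0/24")}

# Constructed 'known flows' file in the syntax proposed in the thread:
# addresses are $NAME or 'any', ports are a number or 'any', and an
# optional trailing word (ECO) is an ICMP type.
KNOWN_FLOWS = """
# proto  src.port  ->  dst.port  [icmp type]
tcp  $INTERNAL_NET.any -> $SMTP_DMZ.25
icmp any -> any ECO
"""

def _endpoint(tok):
    """'$NAME.port' or 'any' -> (network or None, port or None); None = no constraint."""
    if tok == "any":
        return None, None
    name, _, port = tok.lstrip("$").partition(".")
    return NETS[name], None if port == "any" else int(port)

def parse_known_flows(text):
    """Parse the file into (proto, src_endpoint, dst_endpoint, icmp_type) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        proto, src, arrow, dst, *extra = line.split()
        if arrow != "->":
            raise ValueError(f"bad rule: {line}")
        rules.append((proto, _endpoint(src), _endpoint(dst), extra[0] if extra else None))
    return rules

def _match(rule, flow):
    """True if one flow record satisfies every constraint of one rule."""
    proto, (snet, sport), (dnet, dport), itype = rule
    if proto != flow["proto"]:
        return False
    for net, addr in ((snet, flow["saddr"]), (dnet, flow["daddr"])):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    for want, have in ((sport, flow.get("sport")), (dport, flow.get("dport"))):
        if want is not None and have != want:
            return False
    return itype is None or flow.get("itype") == itype

def unknown_flows(flows, rules):
    """Return the flows matching no rule: the 'non known' flows worth a second look."""
    return [f for f in flows if not any(_match(r, f) for r in rules)]

FLOWS = [  # constructed flow records, in the shape a ra client would hand over
    {"proto": "tcp", "saddr": "10.1.2.3", "sport": 40000, "daddr": "192.0.2.10", "dport": 25},
    {"proto": "tcp", "saddr": "10.1.2.3", "sport": 40001, "daddr": "198.51.100.7", "dport": 25},
    {"proto": "icmp", "saddr": "10.1.2.3", "daddr": "198.51.100.7", "itype": "ECO"},
    {"proto": "icmp", "saddr": "10.1.2.3", "daddr": "198.51.100.7", "itype": "ECR"},
]
```

Running `unknown_flows(FLOWS, parse_known_flows(KNOWN_FLOWS))` leaves the SMTP session to a host outside the DMZ and the ICMP echo reply, the two records no rule covers.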

