'known flows' configuration file

Peter Van Epp vanepp at sfu.ca
Thu Feb 14 10:50:29 EST 2002


	As well as ragator, perl is (or can be) your friend here too. I find
feeding the ra output into a perl script that classifies traffic by host
and volume useful for detecting compromises (there is an article on this 
subject in the November issue of Usenix's login: as well). Russell's watcher
script (which should be in the archive) has an appropriate ra parsing routine
to use. There should be copies of my earlier perl scripts in the list archive
as well. There are also perl scripts around for detecting both Code Red / Nimda
(mine is still catching 1 or 2 local hosts per week here ...) and one that
finds the SSH CRC32 break-in as examples of what can be done (again both should
be in the list archive).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


> 
> 
>    Hi list!
> 
>    I discovered Argus recently while searching for tools to help
>    highlight anomalies in a network trace: signs of an intrusion,
>    trojans, and so on, and I am very enthusiastic about it!
> 
>    So, back to my subject: wouldn't it be helpful to have argus able to
>    display (well, ra*) only defined flows? Something like: 
> 
>      tcp $INTERNAL_NET.any -> $SMTP_DMZ.25
>      icmp any -> any ECO
> 
>    One can imagine a configuration file listing flows, and a flag to ra*
>    to display or not display flows matching this file: after all, it could be
>    interesting as well to have the number of packets / bytes exchanged
>    between the defined networks / flows - but of course the notion of
>    state of the connection is meaningless here.
> 
>    I don't know if all of this makes sense, just wanted to ask the list
>    to know ... :) anyway, the idea is not to transform argus into a NIDS,
>    but it could be handy to have argus displaying only non-known flows,
>    perhaps at least for the guy trying to enumerate the flows on his
>    network to be able to partition it on a second round.
> 
>    OK, of course the BPF-like filters are here for that, but it can be a
>    bit tedious if you have multiple networks / flows to define.
> 
>    If this has been debated before, I apologize - a quick look in the
>    archives raised nothing but ... it was a very _quick_ look :)
> 
>    Last point: is there an IRC channel where people meet around argus?
>    
>    Regards, 
> 
>    yann.
> 
> 
> -- 
>    Yann.Berthier at hsc.fr * Hervé Schauer Consultants * http://www.hsc.fr/
> 
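The two ideas in this thread, Peter's "classify ra output by host and volume" script and Yann's "known flows" file with `$NET.port -> $NET.port` rules, fit naturally into one small filter. The following is an added example, not code from the argus project or from either poster: it is written in Python rather than the perl scripts mentioned above, it assumes a simplified, constructed ra column layout (`proto src[.port] -> dst[.port] pkts bytes state`; real ra output columns depend on the ra version and its print options), and the `INTERNAL_NET` / `SMTP_DMZ` definitions and the sample records are placeholders constructed for the demonstration. It prints every flow that matches no rule, then per-source-host byte totals, which is exactly the "show me only what I have not already explained" view the thread asks for.

```python
"""Filter constructed ra-style flow records against a 'known flows' list.

Added example (not argus project code). Assumes a simplified ra column
layout and placeholder network names; see comments below.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed network definitions standing in for the $INTERNAL_NET / $SMTP_DMZ
# names in the quoted message (RFC 1918 / RFC 5737 placeholder ranges).
NETS = {
    "INTERNAL_NET": ipaddress.ip_network("10.0.0.0/8"),
    "SMTP_DMZ": ipaddress.ip_network("192.0.2.0/24"),
}

# A 'known flows' file in the syntax proposed on the list.
# An endpoint is $NAME.port, $NAME.any, any.port or any; icmp rules end
# with the icmp type as ra prints it in the state column.
KNOWN_FLOWS = """
# proto  src.port  ->  dst.port  [icmp type]
tcp  $INTERNAL_NET.any -> $SMTP_DMZ.25
tcp  $INTERNAL_NET.any -> any.80
icmp any -> any ECO
"""

# Constructed ra-style records (NOT real ra output):
#   proto  src[.port]  ->  dst[.port]  pkts  bytes  state
SAMPLE_RA = """
tcp   10.1.2.3.40123  ->  192.0.2.10.25     12  3400   CON
tcp   10.1.2.3.40124  ->  198.51.100.7.80   20  15000  CON
icmp  10.1.2.3        ->  198.51.100.9      2   128    ECO
tcp   10.9.9.9.51000  ->  198.51.100.22.22  30  9000   CON
"""

RULE_RE = re.compile(r"^(\w+)\s+(\S+)\s*->\s*(\S+)(?:\s+(\S+))?$")


def parse_endpoint(token):
    """'$SMTP_DMZ.25' -> (net, 25); 'any.80' -> (None, 80); 'any' -> (None, None)."""
    if token.startswith("$"):
        name, _, port = token[1:].partition(".")
        net = NETS[name]                      # KeyError on an undefined $NAME
    else:
        name, _, port = token.partition(".")
        if name != "any":
            raise ValueError(f"unknown endpoint {token!r}")
        net = None
    return net, (None if port in ("", "any") else int(port))


def load_known_flows(text):
    """Parse the config text into a list of rule dicts, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"bad rule: {line!r}")
        proto, src, dst, icmp_type = m.groups()
        rules.append({"proto": proto.lower(), "src": parse_endpoint(src),
                      "dst": parse_endpoint(dst), "icmp_type": icmp_type})
    return rules


def split_addr(token, has_port):
    """'192.0.2.10.25' -> (address, 25) for tcp/udp; bare address otherwise."""
    if has_port:
        addr, _, port = token.rpartition(".")
        return ipaddress.ip_address(addr), int(port)
    return ipaddress.ip_address(token), None


def parse_ra_line(line):
    """Parse one record in the assumed (constructed) ra column layout."""
    proto, src, _arrow, dst, pkts, nbytes, state = line.split()
    proto = proto.lower()
    has_port = proto in ("tcp", "udp")
    saddr, sport = split_addr(src, has_port)
    daddr, dport = split_addr(dst, has_port)
    return {"proto": proto, "saddr": saddr, "sport": sport, "daddr": daddr,
            "dport": dport, "pkts": int(pkts), "bytes": int(nbytes),
            "state": state}


def endpoint_matches(endpoint, addr, port):
    net, want_port = endpoint
    if net is not None and addr not in net:
        return False
    return want_port is None or want_port == port


def flow_is_known(rec, rules):
    """True if any rule covers this record (first match wins)."""
    for r in rules:
        if r["proto"] != rec["proto"]:
            continue
        if not endpoint_matches(r["src"], rec["saddr"], rec["sport"]):
            continue
        if not endpoint_matches(r["dst"], rec["daddr"], rec["dport"]):
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != rec["state"]:
            continue
        return True
    return False


def classify(ra_text, rules):
    """Return (list of unknown records, {source host: total bytes})."""
    unknown, volume = [], defaultdict(int)
    for line in ra_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ra_line(line)
        volume[str(rec["saddr"])] += rec["bytes"]
        if not flow_is_known(rec, rules):
            unknown.append(rec)
    return unknown, dict(volume)


if __name__ == "__main__":
    rules = load_known_flows(KNOWN_FLOWS)
    unknown, volume = classify(SAMPLE_RA, rules)
    print("flows matching no known-flows rule:")
    for r in unknown:
        print(f"  {r['proto']} {r['saddr']}.{r['sport']} -> "
              f"{r['daddr']}.{r['dport']} {r['bytes']} bytes {r['state']}")
    print("bytes sent per source host:")
    for host, total in sorted(volume.items(), key=lambda kv: -kv[1]):
        print(f"  {host:16} {total}")
```

With the constructed input only the `10.9.9.9 -> 198.51.100.22.22` flow falls through the rules, which is the kind of unexplained flow worth a look on a second round; in practice the rule file grows as the operator partitions the network, and the per-host volume table is what surfaces a compromised host that suddenly talks far more than its peers.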
