'known flows' configuration file
Yann Berthier
yb at margoulins.net
Thu Feb 14 10:55:24 EST 2002
On Thu, 14 Feb 2002, Carter Bullard wrote:
> Hey Yann,
> Thanks for the mail and your support of argus!
> ragator() is capable of doing a part of what you
> are interested in, and with only some minor adjustments,
> it should be able to do all of it, or at least what
> I understand from your mail.
>
> ragator() can be configured to pass through
> traffic of interest, and to aggregate all other
> traffic into a single 'catch all' record. You can
> either filter out the catch all record on output, or
> you can leave it in the stream. Here is how I would
> implement your example:
>
> fmodel.conf:
> #
> # id SrcCIDRAddr DstCIDRAddr Proto SPort DPort ModelList Duration
> Flow 100 $INTERNAL_NET $SMTP_DMZ tcp * 25 200 0
> Flow 101 * * icmp echo * 200 0
> Flow 102 * * * * * 201 60
> #
> # id SrcAddrMask DstAddrMask Proto SrcPort DstPort
> Model 200 255.255.255.255 255.255.255.255 yes yes yes
> Model 201 0.0.0.0 0.0.0.0 no no no
>
>
> And then run ragator as:
> ragator -f fmodel.conf -r argusfile -w outputfile
>
> This will give you only the two flow types you are interested in.
> All the other traffic will be aggregated into a common flow that
> is generated every 60 seconds. Because ragator() is designed to
> account for everything on the input (i.e. it won't throw anything
> away), we may need to add a Model type that allows you to toss
> a record, if you don't want to see the "catch all" record on output.
>
> You could hold the records of interest a little longer than 0
> seconds, and get some output management for free. This
> should get you what you are interested in.
Hmm, it looks like it is what I was looking for - I will try ASAP.
Thanks a lot,
yann.
--
Yann.Berthier at hsc.fr * Herve Schauer Consultants * http://www.hsc.fr/
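To make the Flow/Model semantics from Carter's reply concrete, here is a small added simulation (written for this page, not argus code and not from either poster) that parses a config in the same shape and folds constructed flow records into buckets. It assumes that first matching Flow line wins, that a 0.0.0.0 mask collapses an address, and that the yes/no Model columns mean "keep proto/sport/dport in the key"; $INTERNAL_NET and $SMTP_DMZ are replaced with made-up CIDRs.

```python
import ipaddress

# Constructed fmodel.conf in the shape shown in the thread; $INTERNAL_NET and $SMTP_DMZ are made-up CIDRs (assumption).
FMODEL = """
Flow 100 10.0.0.0/8 192.0.2.0/24 tcp * 25 200 0
Flow 101 * * icmp echo * 200 0
Flow 102 * * * * * 201 60
Model 200 255.255.255.255 255.255.255.255 yes yes yes
Model 201 0.0.0.0 0.0.0.0 no no no
"""
KEYS = ("src", "dst", "proto", "sport", "dport")

def parse_fmodel(text):
    # Flow order is kept: first match wins, so the wildcard catch-all must come last.
    flows, models = [], {}
    for f in (ln.split() for ln in text.splitlines()):
        if f and f[0] == "Flow":
            flows.append(dict(zip(("id",) + KEYS + ("model", "dur"), f[1:])))
        elif f and f[0] == "Model":  # yes/no read as: keep proto/sport/dport when aggregating (assumption)
            models[f[1]] = {"masks": f[2:4], "keep": [x == "yes" for x in f[4:7]]}
    return flows, models

def classify(rec, flows):
    # A selector matches if it is "*", a CIDR containing the address (src/dst), or an exact value.
    def hit(pat, val, cidr):
        return pat == "*" or (ipaddress.ip_address(val) in ipaddress.ip_network(pat, strict=False) if cidr else pat == val)
    for fl in flows:
        if all(hit(fl[k], rec[k], k in KEYS[:2]) for k in KEYS):
            return fl
    # ragator accounts for every input record; reaching here means the config lacks a catch-all.
    raise ValueError(f"no Flow line matches {rec}")

def aggregate(records, text):
    # Fold records into per-flow packet counts: a 0.0.0.0 mask or a "no" field collapses that key part. Duration is not simulated.
    def mask(addr, m):
        return str(ipaddress.ip_address(int(ipaddress.ip_address(addr)) & int(ipaddress.ip_address(m))))
    flows, models = parse_fmodel(text)
    out = {}
    for rec in records:
        fl = classify(rec, flows)
        md = models[fl["model"]]
        key = (int(fl["id"]), *(mask(rec[k], m) for k, m in zip(KEYS[:2], md["masks"])),
               *(rec[k] if keep else "*" for k, keep in zip(KEYS[2:], md["keep"])))
        out[key] = out.get(key, 0) + rec["pkts"]
    return out

RECORDS = [dict(zip(KEYS + ("pkts",), r)) for r in (  # constructed records: src, dst, proto, sport, dport, pkts
    ("10.1.2.3", "192.0.2.10", "tcp", "40000", "25", 10), ("10.1.2.4", "192.0.2.10", "tcp", "40001", "25", 5),
    ("10.1.2.3", "198.51.100.5", "icmp", "echo", "*", 2), ("10.1.2.3", "203.0.113.7", "tcp", "40002", "80", 4),
    ("10.1.2.9", "203.0.113.8", "udp", "5353", "53", 3))]
```

Running `aggregate(RECORDS, FMODEL)` keeps the two SMTP flows and the ICMP echo as separate records and folds everything else into one catch-all bucket; removing Flow 102 from the config makes `classify` raise, which mirrors the point that ragator needs a place for every record.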