'known flows' configuration file
Yann Berthier
yb at margoulins.net
Thu Feb 14 11:01:05 EST 2002
On Thu, 14 Feb 2002, Peter Van Epp wrote:
> As well as ragator, perl is (or can be) your friend here too. I find
Hmmm, perl is not really my friend (it's perl's fault: I try to be its
friend but no way ;-) )
> feeding the ra output in to a perl script that classifies traffic by host
> and volume useful for detecting compromises (there is an article on this
> subject in the November issue of Usenix's login: as well). Russell's watcher
> script (which should be in the archive) has an appropriate ra parsing routine
> to use. There should be copies of my earlier perl scripts in the list archive
> as well. There are also perl scripts around for detecting both code red / nimda
> (mine is still catching 1 or 2 local hosts per week here ...) and one that
> finds the ssh CRC32 breakin as examples of what can be done (again both should
> be in the list archive).
Ok, I will dig into the archives now, I'm interested in the ssh
example.
Tx,
yann.
--
Yann.Berthier at hsc.fr * Herve Schauer Consultants * http://www.hsc.fr/
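Added example (not Peter Van Epp's or Russell's script, and not part of this thread) of the classify-by-host-and-volume idea Peter describes: read ra output, sum bytes per local host, rank hosts by volume and flag the ones sending more than a threshold. The ra column layout it parses is an assumption (a whitespace-separated print of start time, protocol, src addr.port, direction, dst addr.port, src pkts, dst pkts, src bytes, dst bytes, state), as is the 10.0.0.0/8 "local" prefix; the sample lines are constructed, not a real capture. Adapt parse_ra_line() to the ra version and print options actually in use.

```python
"""Classify Argus ra(1) flow output by host and byte volume.

Added example, not Peter Van Epp's or Russell's script and not part of the
original post. The ra column layout is an assumption: a whitespace-separated
print of start time, protocol, src addr.port, direction, dst addr.port,
src pkts, dst pkts, src bytes, dst bytes, state.
"""
import ipaddress
from collections import defaultdict

# Constructed sample ra-style lines (not a real capture); 10.0.0.9 is the
# noisy host a compromise hunt would want surfaced.
SAMPLE_RA_OUTPUT = """\
14:00:01.123 tcp 10.0.0.5.34567 -> 192.0.2.10.80 12 10 1500 9800 FIN
14:00:02.456 tcp 10.0.0.5.34568 -> 192.0.2.11.80 8 7 900 5200 FIN
14:00:03.789 tcp 10.0.0.9.40001 -> 198.51.100.7.22 4000 3900 5000000 300000 CON
14:00:04.012 udp 10.0.0.7.53000 <-> 10.0.0.1.53 1 1 70 150 CON
14:00:05.345 tcp 10.0.0.9.40002 -> 198.51.100.8.22 3000 2900 4200000 250000 CON
"""

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site prefix


def split_addr_port(field):
    """Split 'a.b.c.d.port' as printed by ra into (address, port)."""
    addr, _, port = field.rpartition(".")
    return addr, port


def parse_ra_line(line):
    """Return a flow dict for one ra line, or None for blank/malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    src, sport = split_addr_port(fields[2])
    dst, dport = split_addr_port(fields[4])
    try:
        spkts, dpkts, sbytes, dbytes = (int(f) for f in fields[5:9])
    except ValueError:
        return None
    return {"proto": fields[1], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "spkts": spkts, "dpkts": dpkts,
            "sbytes": sbytes, "dbytes": dbytes, "state": fields[9]}


def is_local(addr):
    """True if addr parses as an IP inside the assumed local prefix."""
    try:
        return ipaddress.ip_address(addr) in LOCAL_NET
    except ValueError:
        return False


def classify_by_host(text):
    """Aggregate per local host: bytes sent, bytes received, flow count, peers."""
    stats = defaultdict(lambda: {"out_bytes": 0, "in_bytes": 0,
                                 "flows": 0, "peers": set()})
    for line in text.splitlines():
        flow = parse_ra_line(line)
        if flow is None:
            continue
        if is_local(flow["src"]):
            h = stats[flow["src"]]
            h["out_bytes"] += flow["sbytes"]
            h["in_bytes"] += flow["dbytes"]
            h["flows"] += 1
            h["peers"].add(flow["dst"])
        if is_local(flow["dst"]):
            h = stats[flow["dst"]]
            h["out_bytes"] += flow["dbytes"]
            h["in_bytes"] += flow["sbytes"]
            h["flows"] += 1
            h["peers"].add(flow["src"])
    return dict(stats)


def rank_by_volume(stats):
    """Hosts ordered by total bytes, busiest first (ties broken by address)."""
    return sorted(((h, s["out_bytes"] + s["in_bytes"]) for h, s in stats.items()),
                  key=lambda t: (-t[1], t[0]))


def flag_hosts(stats, out_threshold):
    """Local hosts whose outbound volume exceeds the threshold: review these first."""
    return sorted(h for h, s in stats.items() if s["out_bytes"] > out_threshold)


if __name__ == "__main__":
    import sys
    # Pipe real ra output in, e.g. "ra -r argus.out | python classify.py";
    # with no pipe the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RA_OUTPUT
    stats = classify_by_host(text)
    for host, total in rank_by_volume(stats):
        s = stats[host]
        print(f"{host:15} total={total:>10} out={s['out_bytes']:>10} "
              f"flows={s['flows']:>4} peers={len(s['peers'])}")
    print("over threshold:", flag_hosts(stats, 1_000_000))
```

The outbound threshold is the knob that matters for the compromise-hunting use Peter mentions: a workstation that suddenly pushes megabytes out to many peers on port 22 or 80 stands out in the ranking even when each individual flow looks ordinary.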