'known flows' configuration file

Mark Poepping poepping at cmu.edu
Thu Feb 14 11:40:23 EST 2002


And remember that the remote filter is *only* for the argus process
shipping the data to *you*, it still does full flow capture off the
'wire' and offers the same filtering option to any other ra* connected
to it from elsewhere.

Say, is it getting close to time for the 'First International
Transactions on Argus Transactions'?  Or should it be extended to flow
audit in general?

Thoughts?  Would people travel?  Would people present?

Mark.

> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Thursday, February 14, 2002 10:49 AM
> To: 'newton'; 'Mark Poepping'; 'Yann Berthier'
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: RE: 'known flows' configuration file
> 
> Hey Guys,
>    If you implement it with filters, the filter is
> sent to the argus, and the filtering is done on the
> remote side.  If you implement it with a flow model
> such as ragator, then no, the aggregation is done
> on the local side.
> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York  10022
> 
> carter at qosient.com
> Phone +1 212 588-9133
> Fax   +1 212 588-9134
> http://qosient.com
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of newton
> > Sent: Thursday, February 14, 2002 10:58 AM
> > To: Mark Poepping; Yann Berthier
> > Cc: argus-info at lists.andrew.cmu.edu
> > Subject: RE: 'known flows' configuration file
> >
> >
> > Anyone got an example of doing this?  Sounds cool, and presumably, if
> > you are connecting this ra to an argus sensor, does the ra client tell
> > argus that it only wants 'the following stuff'?  That is, as opposed to
> > argus shipping all of it to ra, and ra filtering out what it doesn't
> > want... printing the rest?
> >
> > Thanks
> >
> > Chris
> >
> > >===== Original Message From "Mark Poepping" <poepping at cmu.edu> =====
> > >You don't have to use the command line to specify filters if you create
> > >a specialized rarc(5) file with RA_FILTER defined, then use it with ra
> > >-F 2K limit on the expression, but of course you can string them
> > >together.. Mark.
> > >
> > >> -----Original Message-----
> > >> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> > >> info at lists.andrew.cmu.edu] On Behalf Of Yann Berthier
> > >> Sent: Thursday, February 14, 2002 3:48 AM
> > >> To: argus-info at lists.andrew.cmu.edu
> > >> Subject: 'known flows' configuration file
> > >>
> > >>
> > >>    Hi list !
> > >>
> > >>    I discovered Argus recently while searching for tools to help
> > >>    highlight anomalies in a network trace: signs of an intrusion,
> > >>    trojans, and so on, and I am very enthusiastic about it !
> > >>
> > >>    So, back to my subject: wouldn't it be helpful to have argus able
> > >>    to display (well, ra*) only defined flows ? Something like:
> > >>
> > >>      tcp $INTERNAL_NET.any -> $SMTP_DMZ.25
> > >>      icmp any -> any ECO
> > >>
> > >>    One can imagine a configuration file listing flows, and a flag to
> > >>    ra* to display or not flows matching this file : after all, it
> > >>    could be interesting as well to have the number of packets / bytes
> > >>    exchanged between the defined networks / flows - but of course the
> > >>    notion of state of the connection is meaningless here.
> > >>
> > >>    I don't know if all of this makes sense, just wanted to ask the
> > >>    list to know ... :) anyway, the idea is not to transform argus into
> > >>    a nids, but it could be handy to have argus display only non-known
> > >>    flows, perhaps at least for the guy trying to enumerate the flows
> > >>    on their network to be able to partition it on a second round.
> > >>
> > >>    ok, of course the bpf-like filters are here for that, but it can be
> > >>    a bit tedious if you have multiple networks / flows to define.
> > >>
> > >>    If this has been debated before, i apologize - a quick look in the
> > >>    archives raised nothing but ... it was a very _quick_ look :)
> > >>
> > >>    Last point: is there an irc channel where people meet around
> > >>    argus ?
> > >>
> > >>    Regards,
> > >>
> > >>    yann.
> > >>
> > >>
> > >> --
> > >>    Yann.Berthier at hsc.fr * Hervé Schauer Consultants *
> > >>    http://www.hsc.fr/
> >
> >
> >
> >
> 
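The two mechanisms the thread contrasts, a "known flows" file in the syntax Yann sketched and the RA_FILTER line in a specialized rarc(5) file that Mark describes (which, as Carter notes, gets the filter shipped to the remote argus rather than applied locally), put together as an added example. This is editor-written code, not from the thread or the Argus project. It assumes: flow lines of the form `<proto> <src>[.<port>] -> <dst>[.<port>] [qualifier]` with `NAME = value` lines defining the `$NAME` variables; BPF-style ra filter keywords (`src`/`dst` `host`, `net` with CIDR, `port`); that the "2K limit on the expression" Mark mentions is 2048 bytes; and that `RA_FILTER="..."` is the rarc quoting form. ICMP type qualifiers such as `ECO` are recorded but not translated, since the example does not assume any particular ra keyword for them. The sample input is constructed.

```python
"""Added example (not from the thread or the Argus project): compile a
'known flows' file into one ra(1) filter expression, optionally inverted
to show only the *unknown* flows, and emit an rarc(5) fragment carrying
it in RA_FILTER so that the filtering happens on the remote argus.

Assumptions, not taken from the thread: the file grammar below, the
BPF-style ra filter keywords used, a 2048-byte expression limit, and the
RA_FILTER="..." quoting form.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_FILTER_LEN = 2048  # assumption: the "2K limit" mentioned in the thread

# Constructed sample input, not real site data.
SAMPLE_KNOWN_FLOWS = """\
INTERNAL_NET = 10.0.0.0/8
SMTP_DMZ     = 192.0.2.25

tcp  $INTERNAL_NET.any -> $SMTP_DMZ.25     # outbound mail relay
tcp  $INTERNAL_NET.any -> any.80           # plain web
udp  any.any           -> $INTERNAL_NET.53 # dns to internal resolvers
icmp any               -> any ECO          # echo; qualifier not translated
"""

_VAR_RE = re.compile(r"^(\w+)\s*=\s*(\S+)$")
_FLOW_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s*->\s*(\S+)(?:\s+(\S+))?$")


@dataclass
class Flow:
    proto: str
    src: Optional[str]        # 'host a.b.c.d' / 'net a.b.c.d/n' / None = any
    src_port: Optional[int]
    dst: Optional[str]
    dst_port: Optional[int]
    qualifier: Optional[str]  # e.g. 'ECO'; kept so the caller can warn


def _is_addr_token(tok: str, env: dict) -> bool:
    if tok == "any" or (tok.startswith("$") and tok[1:] in env):
        return True
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def _endpoint(token: str, env: dict):
    """Split 'addr.port' into (ra address clause or None, port or None).
    A trailing '.N' or '.any' is a port only when what precedes it is an
    address, so a bare '192.0.2.25' is still read as a host."""
    head, sep, tail = token.rpartition(".")
    port = None
    if sep and (tail == "any" or tail.isdigit()) and _is_addr_token(head, env):
        token = head
        port = None if tail == "any" else int(tail)
    if token.startswith("$"):
        name = token[1:]
        if name not in env:
            raise ValueError(f"undefined variable ${name}")
        token = env[name]
    if token == "any":
        return None, port
    net = ipaddress.ip_network(token, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}", port
    return f"net {net.with_prefixlen}", port


def parse_known_flows(text: str) -> List[Flow]:
    env, flows = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _VAR_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = _FLOW_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        proto, src, dst, qual = m.groups()
        s_addr, s_port = _endpoint(src, env)
        d_addr, d_port = _endpoint(dst, env)
        flows.append(Flow(proto, s_addr, s_port, d_addr, d_port, qual))
    return flows


def to_filter(flow: Flow) -> str:
    """One flow line -> one conjunctive ra filter term."""
    parts = [flow.proto]
    for side, addr, port in (("src", flow.src, flow.src_port),
                             ("dst", flow.dst, flow.dst_port)):
        if addr:
            parts.append(f"{side} {addr}")
        if port is not None:
            parts.append(f"{side} port {port}")
    return " and ".join(parts)


def build_filter(flows: List[Flow], invert: bool = False) -> str:
    """OR the terms together; invert=True yields 'everything not known'.
    Refuses expressions over MAX_FILTER_LEN rather than letting ra truncate."""
    expr = " or ".join(f"({to_filter(f)})" for f in flows)
    if invert:
        expr = f"not ({expr})"
    if len(expr) > MAX_FILTER_LEN:
        raise ValueError(f"filter is {len(expr)} bytes, over the "
                         f"{MAX_FILTER_LEN}-byte limit; split the file")
    return expr


def unsupported_qualifiers(flows: List[Flow]) -> List[str]:
    return [f.qualifier for f in flows if f.qualifier]


def render_rarc(expr: str) -> str:
    return f'RA_FILTER="{expr}"\n'


if __name__ == "__main__":
    known = parse_known_flows(SAMPLE_KNOWN_FLOWS)
    print(render_rarc(build_filter(known, invert=True)), end="")
    for q in unsupported_qualifiers(known):
        print(f"# warning: qualifier {q!r} was not translated")
```

Write the output to a file such as `rarc.unknown` and run `ra -F rarc.unknown -S <sensor>` (the `-S` server flag is assumed here; the thread only mentions `-F`). Because the expression rides in RA_FILTER, it is the remote argus that drops the known flows before they cross the wire, which is the distinction Carter draws against local aggregation with ragator; the length check exists because a long OR of many sites is exactly where the 2K limit bites, and the fix is to split the file into several rarc files rather than let one be silently cut.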


