change in how -n works in ra

Desmond Irvine desmond.irvine at sheridanc.on.ca
Fri Jun 14 14:07:33 EDT 2002 

Yes, the ports and protocols both go away with -nn.  If it means 
introducing a third n (-nnn) to seperate the protocol from the ports and 
allow having a text protocol specification and a numeric hostname and 
service I would vote for doing so.

So the parameters would now be:

-n    no host name resolution (from numeric to name)
       services and protocols would be translated

14 Jun 02 12:00:01 tcp 64.0.aa.bb.4256 -> 142.55.xx.yy.www RST

-nn   no hostname or service resolution
       protocols would be translated

14 Jun 02 12:00:01 tcp 64.0.aa.bb.4256 -> 142.55.xx.yy.80 RST

-nnn  no hostname, service or protocol translation

14 Jun 02 12:00:01 6 64.0.aa.bb.4256 -> 142.55.xx.yy.80 RST

Thanks, Desmond.

Carter Bullard wrote:

> Hey Desmond,
>    So if you run it with -nn do the ports and protocols both
> go away?  This is the behavior of the argus-clients distribution
> of ra.  1 n takes out the hosts, 2 n takes out the hosts and
> the dst ports,, and 3 n's take them all out.   Is this reasonable?
> 
> Carter
> 
> 
>>-----Original Message-----
>>From: owner-argus-info at lists.andrew.cmu.edu 
>>[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
>>Desmond Irvine
>>Sent: Friday, June 14, 2002 12:58 PM
>>To: argus-info at lists.andrew.cmu.edu
>>Subject: change in how -n works in ra
>>
>>
>>I'm running the latest beta (argus-2.0.6.beta.1) and I 
>>noticed that the 
>>-n parameter for ra doesn't work as advertised any longer.  
>>From the ra 
>>man page:
>>
>>"-n  Do not translate host and service numbers to names.
>>-nn  will suppress translation of protocol numbers, as well. "
>>
>>When I run ra with -n now this is what I see:
>>
>># ra -n -r argus
>>14 Jun 02 08:13:01    man version=2.0     probeid=3848370891 
>>     STA
>>14 Jun 02 11:59:01    tcp     80.0.aa.bb.21056  ->     
>>142.55.xx.yy.1214 
>>  EST
>>14 Jun 02 12:00:01    tcp     64.0.aa.bb.4256   ->      
>>142.55.xx.yy.www 
>>   RST
>>14 Jun 02 11:59:01    udp    66.163.aa.bb.1214  <-> 
>>142.55.xx.yy.1214  CON
>>14 Jun 02 11:59:00    tcp  142.55.xx.yy.1054   ->    
>>213.248.aa.bb.www   FIN
>>14 Jun 02 11:59:00   icmp   142.55.xx.yy       <->    206.248.aa.bb 
>>   ECO
>>14 Jun 02 11:59:00    tcp  142.55.xx.yy.1061   ->   
>>209.185.aa.bb.www   FIN
>>
>>Only the hostnames are not translated the service numbers are - blah! 
>>Using -nn nothing (hostnames, services or protocols) is translated as 
>>expected.  The last version of argus still supported -n as 
>>described in 
>>the man page.
>>
>>Desmond.
>>
>>-- 
>>Desmond Irvine              Security Analyst, Information Technology
>>Sheridan College            Phone: 905-845-9430 x2035
>>1430 Trafalgar Road         Fax: 905-815-4011
>>Oakville, ON  L6H 2L1       EMail: desmond.irvine at sheridanc.on.ca
>>
>>
>>
>>
> 
> 
> 


-- 
Desmond Irvine              Security Analyst, Information Technology
Sheridan College            Phone: 905-845-9430 x2035
1430 Trafalgar Road         Fax: 905-815-4011
Oakville, ON  L6H 2L1       EMail: desmond.irvine at sheridanc.on.ca

More information about the argus mailing list