Flowfile newbie: followup

Carter Bullard carter at qosient.com
Tue Nov 5 16:10:38 EST 2002


Hey John,
Your aggregation file is somewhat unique, in that you're
tracking source CIDR addresses against TCP port numbers.
Not the most popular aggregation scheme ;o)

Why not try this
   ramon -r <argusfile> -M svc - tcp

While it won't give you your source, it will
give the port breakdown.  If this is similar to
what you're looking for, it's pretty easy to construct
variations with ragator().  Send more mail if this
is getting closer.

Regarding your aggregation conf file, this may help as
well:

Model 200  tcp  255.255.255.0  0.0.0.0  yes no yes
                                        ^^^
The "yes" preserves the protocol.  Even though you're
filtering for just tcp, the port is only meaningful
in conjunction with the protocol, so it's important.

Carter


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> John Hermes
> Sent: Tuesday, November 05, 2002 3:31 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: Flowfile newbie: followup
> 
> 
> Hi Peter,
> 
> I got a generic count per protocol out of:
> 
> ra -r <argusfile> -w - - tcp and port <prot#> | racount -r -
> 
> Yuk. Running this once for every protocol is going to take 
> a while. Not very elegant either. I like your Perl idea 
> better. I would very much like to accept your generous 
> offer to share your scripts. Thanks!
> 
> John Hermes
> jhermes at infoglobe.com
> 
> > 	If you are a perl hacker, this is easy to do in perl. I have a
> > script that splits out ra output into perl variables that I
> > can send you if
> > you like. I really should be getting around to playing with
> > the new clients,
> > but so far time has been lacking (and the perl is there :-)).
> > 
> > Peter Van Epp / Operations and Technical Support
> > Simon Fraser University, Burnaby, B.C. Canada
> > 
> > > 
> > > Hi Everyone,
> > > 
> > > Following up previous email:
> > > 
> > > I think the line below
> > > Flow 100  tcp  192.168.1.0  *  *  *  200  86400  0
> > > 
> > > should be
> > > Flow 100  tcp  192.168.1.0/24  *  *  *  200  86400  0
> > > 
> > > at least now it seems to aggregate better!
> > > 
> > > Thanks,
> > > 
> > > John Hermes
> > > jhermes at infoglobe.com
> > > 
> > > 
> > 
> 
> 
> 
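
As an added illustration (not part of the original thread, and not ragator's own code or Peter's Perl), the Python below does by hand what the Model and Flow lines above ask of ragator: it masks the source address with 255.255.255.0, keys the flows on protocol and destination port, and shows why dropping the protocol from the key merges tcp/53 with udp/53. The flow records are constructed sample data shaped like ra output, not real argus records.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, shaped like the fields ra(1) prints:
# (proto, src addr, src port, dst addr, dst port, packets, bytes).
FLOWS = [
    ("tcp", "192.168.1.10", 40001, "10.0.0.5", 80, 12, 9000),
    ("tcp", "192.168.1.77", 40002, "10.0.0.5", 80, 8, 6100),
    ("tcp", "192.168.1.20", 40003, "10.0.0.9", 22, 30, 4200),
    ("udp", "192.168.1.10", 40004, "10.0.0.53", 53, 2, 180),
    ("tcp", "192.168.1.30", 40005, "10.0.0.53", 53, 5, 900),
    ("tcp", "192.168.2.15", 40006, "10.0.0.5", 80, 3, 1500),
]

def aggregate(flows, src_mask="255.255.255.0", keep_proto=True, proto_filter="tcp"):
    """Roll flows up by (source network, protocol, destination port).

    src_mask plays the part of the Model line's source mask (255.255.255.0
    folds every 192.168.1.x source into one key); keep_proto plays the
    part of the 'yes' column that keeps the protocol in the key.
    Returns {key: (flows, packets, bytes)}.
    """
    mask = int(ipaddress.IPv4Address(src_mask))
    totals = defaultdict(lambda: [0, 0, 0])
    for proto, saddr, _sport, _daddr, dport, pkts, byts in flows:
        if proto_filter and proto != proto_filter:
            continue  # the protocol filter column ('tcp') of the Model line
        net = ipaddress.IPv4Address(int(ipaddress.IPv4Address(saddr)) & mask)
        key = (str(net), proto if keep_proto else "*", dport)
        t = totals[key]
        t[0], t[1], t[2] = t[0] + 1, t[1] + pkts, t[2] + byts
    return {k: tuple(v) for k, v in totals.items()}

def port_breakdown(agg):
    """Drop the source network from the key: a per-(proto, port) view of
    the kind the svc mode gives, without the source."""
    out = defaultdict(lambda: [0, 0, 0])
    for (_net, proto, dport), (f, p, b) in agg.items():
        t = out[(proto, dport)]
        t[0], t[1], t[2] = t[0] + f, t[1] + p, t[2] + b
    return {k: tuple(v) for k, v in out.items()}

if __name__ == "__main__":
    for key, val in sorted(aggregate(FLOWS).items()):
        print(key, val)
    # With the protocol dropped from the key, tcp/53 and udp/53 collapse together.
    merged = aggregate(FLOWS, keep_proto=False, proto_filter=None)
    print(merged[("192.168.1.0", "*", 53)])
```

One pass over the records replaces the per-port ra | racount loop John describes, and port_breakdown() gives the source-less view in the same run.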