detached ra collection?

Peter Van Epp vanepp at sfu.ca
Tue Nov 12 17:42:33 EST 2002


	The safe way to do this is to put 2 interfaces in the Argus box, the
one on the outside of the firewall has either (or both) of no IP address and
/or is behind a network tap so it isn't visible or contactable from the outside
world. The other interface connects to somewhere very secure behind your 
firewall for management of the box and getting the data off. 
	If you allow the argus data to get through your firewall you have 
opened up a potential hole, although if that's what you want to do or have no 
choice but to do, I expect what you are looking for is server mode (the -P flag)
of argus_bpf (or whatever your machine uses). Setting a -P port number (and 
doing appropriate wrapping with TCPwrappers or a screening router to keep
others from connecting to your argus!) will allow ra on the inside of your
firewall to read the data from argus outside and write it to a file.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> I run ra outside my firewall and, for security reasons, would like to 
> automagically archive the collected data on a machine inside. It 
> seems like "ra -S firewall -w secure-archive" would be just the thing, 
> if I could run ra, *detached* from its parent process, launched from an 
> init script (which would also send it a sigterm to flush its buffers at 
> system shutdown).
> 
> Poring over the documentation and a little experimentation hasn't 
> yielded a simple minded way to do this.
> 
> Surely someone else has faced this problem, so before I hack a perl 
> wrapper to fork() and setsid() an ra, I thought I'd ask if this 
> particular wheel has already been invented.
> 
> -- 
> ======== Joe Christy ============================== joe at eshu.net =======
> ---- Voice:831/423-7151 --- Mobile:650/483-9123 --- FAX:831/469-0804 ---
> __ If I can save you any time, give it to me, I'll keep it with mine. __
>  www.eshu.net/CA.html  BF:38:C1:17:5F:F4:00:19:53:01:7B:4C:88:72:93:85 
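An added example, not code from the argus project or from either poster: an init-style wrapper that launches "ra -S host -w archive" detached from its parent (the step Joe asked about) and, at shutdown, sends SIGTERM and waits for ra to exit so its buffers are flushed before the pidfile is removed. The ra path, host name, archive and pidfile locations and the flush timeout are assumed defaults; the ra options used are only the two quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the argus project or either poster: init-style wrapper
# that runs "ra -S <host> -w <archive>" detached and stops it with SIGTERM so ra
# can flush its buffers. Every default below is an assumption for this example.
RA="${RA:-ra}"
ARGUS_HOST="${ARGUS_HOST:-firewall}"                # argus in server mode (-P), outside
ARCHIVE="${ARCHIVE:-/var/log/argus/secure-archive}" # archive written inside
PIDFILE="${PIDFILE:-/var/run/ra-archive.pid}"
STOP_WAIT="${STOP_WAIT:-30}"                        # seconds allowed for the flush

ra_running() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

ra_start() {
    ra_running && { echo "ra already running (pid $(cat "$PIDFILE"))" >&2; return 1; }
    mkdir -p "$(dirname "$ARCHIVE")" "$(dirname "$PIDFILE")"
    # Double fork: the subshell backgrounds ra and exits, so ra is reparented and
    # setsid (when present) gives it its own session; $! is ra's pid either way.
    (
        if command -v setsid >/dev/null 2>&1; then
            setsid "$RA" -S "$ARGUS_HOST" -w "$ARCHIVE" </dev/null >/dev/null 2>&1 &
        else
            "$RA" -S "$ARGUS_HOST" -w "$ARCHIVE" </dev/null >/dev/null 2>&1 &
        fi
        echo $! > "$PIDFILE"
    )
}

ra_stop() {
    ra_running || { rm -f "$PIDFILE"; return 0; }
    pid=$(cat "$PIDFILE")
    kill -TERM "$pid" 2>/dev/null || true
    i=0
    while kill -0 "$pid" 2>/dev/null; do   # wait for ra to flush and exit
        i=$((i + 1))
        [ "$i" -ge "$STOP_WAIT" ] && { echo "ra (pid $pid) ignored SIGTERM" >&2; return 1; }
        sleep 1
    done
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start) ra_start ;;
    stop)  ra_stop ;;
    "")    ;;   # no action given: only define the functions
    *)     echo "usage: $0 {start|stop}" >&2; exit 2 ;;
esac
```

Run it as "wrapper start" from the init script and "wrapper stop" at shutdown; the management interface described above is where the archive file and this script live, not the outside interface.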