detached ra collection?
Carter Bullard
carter at qosient.com
Tue Nov 12 17:52:51 EST 2002
There are two other things to consider. You have in the argus.conf file the ability to bind the listen to a specific interface, so if you implement interface-based access control, be sure to set this variable. And you can turn on SASL-based strong authentication and on-the-wire encryption as well, to make it a bit more secure if you need it.
Carter
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Peter Van Epp
> Sent: Tuesday, November 12, 2002 5:43 PM
> To: argus
> Subject: Re: detached ra collection?
>
>
> The safe way to do this is to put 2 interfaces in the Argus box, the one on the outside of the firewall has either (or both) of no IP address and/or is behind a network tap so it isn't visible or contactable from the outside world. The other interface connects to somewhere very secure behind your firewall for management of the box and getting the data off.
> If you allow the argus data to get through your firewall you have opened up a potential hole, although if that's what you want to do or have no choice but to do, I expect what you are looking for is server mode (the -P flag) of argus_bpf (or whatever your machine uses). Setting a -P port number (and doing appropriate wrapping with TCPwrappers or a screening router to keep others from connecting to your argus!) will allow ra on the inside of your firewall to read the data from argus outside and write it to a file.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> >
> > I run ra outside my firewall and, for security reasons, would like to automagically archive the collected data on a machine inside. It seems like "ra -S firewall -w secure-archive" would be just the thing, if I could run ra, *detached* from its parent process, launched from an init script (which would also send it a sigterm to flush its buffers at system shutdown).
> >
> > Poring over the documentation and a little experimentation hasn't yielded a simple-minded way to do this.
> >
> > Surely someone else has faced this problem, so before I hack a perl wrapper to fork() and setsid() an ra, I thought I'd ask if this particular wheel has already been invented.
> >
> > --
> > ======== Joe Christy ============================== joe at eshu.net =======
> > ---- Voice:831/423-7151 --- Mobile:650/483-9123 --- FAX:831/469-0804 ---
> > __ If I can save you any time, give it to me, I'll keep it with mine. __
> > www.eshu.net/CA.html BF:38:C1:17:5F:F4:00:19:53:01:7B:4C:88:72:93:85
> >
>
>
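The fork()/setsid() wrapper Joe says he is about to write, as an added example that is not part of this thread (written in Python rather than Perl). The ra arguments come from his message; the pidfile path and the start/stop entry points are assumptions for use from an init script.

```python
import os
import signal
import sys

# ra invocation from the question; the pidfile path is an assumed location
RA_CMD = ["ra", "-S", "firewall", "-w", "secure-archive"]
PIDFILE = "/var/run/ra-archive.pid"

def daemonize(cmd, pidfile):
    """Double fork + setsid so cmd is detached from the init script's process
    group and tty.  The pidfile is written before this returns to the caller."""
    pid = os.fork()
    if pid > 0:
        os.waitpid(pid, 0)                 # intermediate child has exited
        with open(pidfile) as fh:
            return int(fh.read().strip())  # pid of the detached ra
    os.setsid()                            # new session, no controlling tty
    grandchild = os.fork()
    if grandchild > 0:
        with open(pidfile, "w") as fh:     # intermediate: record pid, leave
            fh.write("%d\n" % grandchild)
        os._exit(0)
    os.chdir("/")                          # do not pin a filesystem at shutdown
    devnull = os.open(os.devnull, os.O_RDWR)
    for fd in (0, 1, 2):
        os.dup2(devnull, fd)
    try:
        os.execvp(cmd[0], cmd)
    except OSError:
        os._exit(127)                      # never fall back into the wrapper

def stop(pidfile, sig=signal.SIGTERM):
    """Deliver SIGTERM (ra flushes its buffers on it) and clear the pidfile.
    Returns False for a missing or stale pidfile."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
        os.kill(pid, sig)
        return True
    except (OSError, ValueError):          # no pidfile, or no such process
        return False
    finally:
        if os.path.exists(pidfile):
            os.unlink(pidfile)

if __name__ == "__main__":
    if sys.argv[1:] == ["stop"]:
        sys.exit(0 if stop(PIDFILE) else 1)
    print("ra detached, pid %d" % daemonize(RA_CMD, PIDFILE))
```

An rc script calls the wrapper without arguments at boot and with `stop` at shutdown, which is the SIGTERM-to-flush step the question asks for.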