beta.13 (and beta.12) insect

Carter Bullard carter at qosient.com
Mon Aug 25 13:18:43 EDT 2003


The input filter to argus is just a libpcap filter, so
if you can write the filter in tcpdump, it will work
for argus, or at least it should.

Carter


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Eric
> Sent: Monday, August 25, 2003 11:18 AM
> To: Neil Long
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: beta.13 (and beta.12) insect
>
>
> On Mon, 2003-08-25 at 17:12:34 +0100, Neil Long proclaimed...
>
> > Just a thought - are you having major icmp floods with
> > these MS-RPC worms?
> >
> > Until we filtered them my argus collector was dropping vast
> > amounts of packets as reported by tcpdump and friends
> >
>
> Yep, we are. We had to change our argus.conf filter to not include
> icmp.
>
> Is there a way to filter out something like the following in the
> argus.conf (this is what I'm using to detect the infected hosts
> using tcpdump)
>
> 'icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA &&
> icmp[12:4]==0xAAAAAAAA'
>
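
As an added example (not code from the argus project or from either poster), the following shows what the tcpdump expression quoted above actually tests at the byte level, so you can see what an argus input filter built from it will and will not exclude. `icmp[N:M]` in libpcap is an M-byte big-endian load at offset N from the start of the ICMP header, so the two 4-byte compares cover payload bytes 0..7 of an echo request. The packets are constructed inline; the addresses and the ICMP id/seq are arbitrary test values.

```python
# Added example, not from the argus project or the mailing-list posts.
# Evaluates the quoted tcpdump filter against constructed IPv4/ICMP packets
# using the same offsets libpcap uses (relative to the ICMP header).
import socket
import struct

# The expression exactly as quoted in the post. icmp-echo is ICMP type 8.
TCPDUMP_FILTER = ("icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA && "
                  "icmp[12:4]==0xAAAAAAAA")

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP message: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(icmp: bytes, options: bytes = b"",
               src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """IPv4 header (IP options padded to 4 bytes) followed by the ICMP message."""
    options = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(icmp)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64,
                      IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr += options
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + icmp


def matches_filter(packet: bytes) -> bool:
    """Evaluate TCPDUMP_FILTER on a raw IPv4 packet (no link-layer header).

    Mirrors BPF semantics: a load that runs past the end of the packet
    fails the match instead of raising, and only the first fragment is
    considered because only it carries the ICMP header.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4          # icmp[] offsets are relative to this
    if packet[9] != IPPROTO_ICMP:
        return False
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset != 0:
        return False
    icmp = packet[ihl:]
    if len(icmp) < 16:                    # icmp[12:4] would read past the end
        return False
    return (icmp[0] == ICMP_ECHO_REQUEST          # icmp[icmptype]==icmp-echo
            and icmp[8:12] == b"\xAA" * 4         # icmp[8:4]==0xAAAAAAAA
            and icmp[12:16] == b"\xAA" * 4)       # icmp[12:4]==0xAAAAAAAA


def argus_exclude_filter() -> str:
    """The negated expression: what the poster wants argus to drop, not keep."""
    return "not (%s)" % TCPDUMP_FILTER


def demo() -> dict:
    """Constructed test packets and whether the filter selects each one."""
    return {
        # echo request whose payload is all 0xAA: what the post is hunting for
        "aa_echo_request": matches_filter(build_ipv4(build_icmp(ICMP_ECHO_REQUEST, b"\xAA" * 64))),
        # ordinary ping with a zeroed payload
        "plain_ping": matches_filter(build_ipv4(build_icmp(ICMP_ECHO_REQUEST, b"\x00" * 56))),
        # same 0xAA payload but an echo reply: type check fails
        "aa_echo_reply": matches_filter(build_ipv4(build_icmp(ICMP_ECHO_REPLY, b"\xAA" * 64))),
        # IP options present (IHL=6): still matches, offsets follow the ICMP header
        "aa_with_ip_options": matches_filter(build_ipv4(
            build_icmp(ICMP_ECHO_REQUEST, b"\xAA" * 64), options=b"\x94\x04\x00\x00")),
        # payload too short for icmp[12:4] to be loaded
        "short_payload": matches_filter(build_ipv4(build_icmp(ICMP_ECHO_REQUEST, b"\xAA" * 4))),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print("%-20s %s" % (name, "MATCH" if hit else "no match"))
    print(argus_exclude_filter())
```

Two things worth keeping in mind when moving the expression into argus: because Eric wants these packets dropped rather than selected, the argus filter is the negation, `not (...)`, and the surrounding quotes have to survive whatever quoting argus.conf applies (check the ARGUS_FILTER directive syntax for the version in use; that directive name is an assumption here). The match also depends only on the ICMP type and the first eight payload bytes, so anything else in the packet, IP options included, does not affect it.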
