beta.13 (and beta.12) insect
Eric
eric-list-argus at catastrophe.net
Mon Aug 25 13:27:48 EDT 2003
On Mon, 2003-08-25 at 13:18:43 -0400, Carter Bullard proclaimed...
> The input filter to argus is just a libpcap filter, so
> if you can write the filter in tcpdump, it will work
> for argus, or at least it should.
Hey Carter et al.
With this..
# grep ARGUS_FILTER /etc/argus.conf
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER="not ( tcp port 80 or 'icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA && icmp[12:4]==0xAAAAAAAA' )"
I get this..
# argus[88490]: started
argus[88490]: ArgusInputFilter "not ( tcp port 80 or 'icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA &&
icmp[12:4]==0xAAAAAAAA' )" illegal token: '
This is why I thought argus had some strange parser on pcap
expressions.