beta.13 (and beta.12) insect

Carter Bullard carter at qosient.com
Mon Aug 25 14:10:08 EDT 2003


Quotes never get past the shell unless you escape them, so
tcpdump would barf on this expression as well.  Put it in parentheses.

"not (tcp port 80 or (icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA
&& icmp[12:4]==0xAAAAAAAA))"

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Eric
> Sent: Monday, August 25, 2003 12:28 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: beta.13 (and beta.12) insect
>
>
> On Mon, 2003-08-25 at 13:18:43 -0400, Carter Bullard proclaimed...
>
> > The input filter to argus is just a libpcap filter, so
> > if you can write the filter in tcpdump, it will work
> > for argus, or at least it should.
>
> Hey Carter et al.
>
> With this..
>
> # grep ARGUS_FILTER /etc/argus.conf
> ARGUS_FILTER_OPTIMIZER=yes
> ARGUS_FILTER="not ( tcp port 80 or 'icmp[icmptype]==icmp-echo
> && icmp[8:4]==0xAAAAAAAA && icmp[12:4]==0xAAAAAAAA' )"
>
> I get this..
>
> # argus[88490]: started
> argus[88490]: ArgusInputFilter "not ( tcp port 80 or
> 'icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA &&
> icmp[12:4]==0xAAAAAAAA' )" illegal token: '
>
> This is why I thought argus had some strange parser on pcap
> expressions.
>
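
The quoting behaviour discussed in this thread, as an added example that is not part of the original messages or of argus itself: the same filter is shown as a shell hands it to tcpdump and as it sits in a config value. `conf_filter`, `lint_filter` and the one-line `CONF_LINE` are hypothetical and constructed for illustration, and the example assumes the config value reaches libpcap without shell processing, as the "illegal token" error suggests.

```shell
#!/bin/sh
# Constructed sample: the ARGUS_FILTER line quoted in the thread, on one line.
CONF_LINE="ARGUS_FILTER=\"not ( tcp port 80 or 'icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA && icmp[12:4]==0xAAAAAAAA' )\""
# The parenthesised form given in the reply.
FIXED="not (tcp port 80 or (icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA && icmp[12:4]==0xAAAAAAAA))"

# tcpdump builds its expression by joining argv with spaces, so this is the
# text it compiles: the shell has already consumed the quote characters.
joined_argv() { printf '%s' "$*"; }
argv_form() {
    joined_argv not '(' tcp port 80 or 'icmp[icmptype]==icmp-echo && icmp[8:4]==0xAAAAAAAA && icmp[12:4]==0xAAAAAAAA' ')'
}

# Hypothetical helper: pull the ARGUS_FILTER value out of a config line,
# removing only the outer double quotes. Inner quotes stay, because no shell
# ever processes them (assumption matching the error in the thread).
conf_filter() {
    printf '%s\n' "$1" | sed -n 's/^ARGUS_FILTER="\(.*\)"$/\1/p'
}

# Hypothetical lint: return 0 when the filter has no quote characters and
# balanced parentheses, otherwise print the problem and return 1.
lint_filter() {
    rc=0
    case $1 in
        *\'*|*\"*) echo "quote character in filter; group with ( ) instead"; rc=1 ;;
    esac
    opens=$(printf '%s' "$1" | tr -cd '(' | wc -c)
    closes=$(printf '%s' "$1" | tr -cd ')' | wc -c)
    [ "$opens" -eq "$closes" ] || { echo "unbalanced parentheses"; rc=1; }
    return "$rc"
}

echo "argv form: $(argv_form)"
echo "conf form: $(conf_filter "$CONF_LINE")"
lint_filter "$(conf_filter "$CONF_LINE")" || echo "-> config value rejected"
lint_filter "$FIXED" && echo "-> parenthesised form passes"
```

The argv form compiles but has lost the grouping the quotes seemed to promise, since `or` and `&&` have equal precedence in pcap filters and associate left to right; only parentheses group.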
