ra in clients distribution
Carter Bullard
carter at qosient.com
Thu Jun 19 22:42:50 EDT 2003
Hey Russell,
You can get last window size for both the src and dst
direction using the '-s win' option. IP options come up
in the 'ind' (indicator) field, and have to be parsed.
If we can come up with a decent representation of the
options, we could have a separate field printed just for
them. Currently, the argus record has all the options
that were observed as a bit map, so we can report
any/most of them as they occur.
Carter
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Russell Fulton
> Sent: Thursday, June 19, 2003 6:20 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: ra in clients distribution
>
>
> Hi All,
> I've been trying to look for traffic from the new trojan that sends SYN
> packets with specific window size and options set. I can do this with
> raxml but it is a pain because
> A. it's slow (lots of formatting) and
> B. output is spread over multiple lines so I can't post-process
> using grep.
> However I notice that the -s switch on the ra in the client distro can
> be used to display window and option information in normal display. The
> problem is that I could not make it work. Is it supposed to at the
> moment? I admit I did not spend much time on it...
>
> --
> Russell Fulton, Network Security Officer, The University of Auckland,
> New Zealand.
>
>
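The post-processing Russell describes (single-line ra output, filtered for a SYN-only flow with a fixed window size) can be done with a small parser once `-s` prints the window fields on one line. The following is an added example and is not code from the argus project or from either poster. The column layout (stime, proto, saddr, dir, daddr, state, swin, dwin), the state tokens, and the sample lines are all constructed assumptions; adjust the field order to whatever `ra -s` field list you actually run.

```python
"""Filter single-line ra output for flows matching a TCP window signature.

Added example, not argus code. The column layout below is an ASSUMPTION
about what a particular `ra -s ...` field list prints; the sample is
constructed, not captured traffic.
"""
from typing import Dict, List, Optional

# Constructed sample (NOT real ra output). Assumed column order:
#   stime (4 tokens)  proto  saddr  dir  daddr  state  swin  dwin
SAMPLE_RA_OUTPUT = """\
19 Jun 03 18:05:11   tcp  10.1.2.3.1034   ->   192.0.2.10.80    FIN   65535  5840
19 Jun 03 18:05:12   tcp  10.1.2.4.2211   ->   192.0.2.11.445   REQ   16384  0
19 Jun 03 18:05:13   tcp  10.1.2.5.3456   ->   192.0.2.12.445   REQ   16384  0
19 Jun 03 18:05:14   udp  10.1.2.6.53     <->  192.0.2.13.53    CON   0      0
19 Jun 03 18:05:15   tcp  10.1.2.7.4098   ->   192.0.2.14.139   CON   16384  8760
"""


def parse_ra_line(line: str) -> Optional[Dict]:
    """Parse one assumed-layout ra line into a record, or None if malformed.

    Fields are taken from the right so that the multi-token timestamp at the
    left does not disturb the column positions.
    """
    tokens = line.split()
    if len(tokens) < 8:
        return None
    try:
        swin = int(tokens[-2])
        dwin = int(tokens[-1])
    except ValueError:
        return None  # header line or a record without numeric window fields
    return {
        "stime": " ".join(tokens[:-7]),
        "proto": tokens[-7],
        "saddr": tokens[-6],
        "dir": tokens[-5],
        "daddr": tokens[-4],
        "state": tokens[-3],  # assumed state token, e.g. REQ = SYN without reply
        "swin": swin,
        "dwin": dwin,
    }


def parse_ra_output(text: str) -> List[Dict]:
    """Parse every well-formed line of ra output, skipping anything else."""
    records = []
    for line in text.splitlines():
        rec = parse_ra_line(line)
        if rec is not None:
            records.append(rec)
    return records


def match_window_signature(records: List[Dict], swin: int,
                           dwin: Optional[int] = None,
                           state: Optional[str] = None,
                           proto: str = "tcp") -> List[Dict]:
    """Return records whose source window (and optionally destination window
    and flow state) match the signature being hunted for."""
    hits = []
    for rec in records:
        if rec["proto"] != proto or rec["swin"] != swin:
            continue
        if dwin is not None and rec["dwin"] != dwin:
            continue
        if state is not None and rec["state"] != state:
            continue
        hits.append(rec)
    return hits


def format_hit(rec: Dict) -> str:
    """One grep-friendly line per hit."""
    return (f"{rec['stime']} {rec['saddr']} {rec['dir']} {rec['daddr']} "
            f"state={rec['state']} swin={rec['swin']} dwin={rec['dwin']}")


if __name__ == "__main__":
    # Hunt for SYN-only flows (assumed REQ state) with a 16384 source window
    # and no reply window, the kind of signature described in the thread.
    for hit in match_window_signature(parse_ra_output(SAMPLE_RA_OUTPUT),
                                      swin=16384, dwin=0, state="REQ"):
        print(format_hit(hit))
```

In practice you would pipe live output in (`ra ... -s <fields> | python3 this.py` with `sys.stdin.read()` in place of the sample), and the window value and state token should come from the actual indicator you are hunting, not from the constructed values above.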