[ARGUS] Syn traffic tracking
Carter Bullard
carter at qosient.com
Thu Dec 16 11:20:44 EST 2004
Hey John,
So if you want to process just those attempts that have
Syn's and nothing else, use a filter like:
ra -r file - tcp and syn and not (synack or data)
If you want those records that specifically have a reset response use:
ra -r file - tcp and syn and reset and not (synack or data)
Remember you may have to escape the '(' depending on the shell
you are using.
Once you have the records, you can use ragator() to aggregate
the records based on source address, ignoring all other fields,
using the ragator.conf file below.
So to count the number of hosts that have sent just Tcp SYN's
to a given host:
ra -r file -w - - dst host x.y.z.w and tcp and syn and not \
(synack or data) | ragator -f ragator.conf -w - | racount
Give it a try, and if it doesn't do what you think, just holler to
the list.
Carter
---- begin ragator.conf ------
#
#
# id SrcCIDRAddr DstCIDRAddr Proto SPort DPort Model Dur Idle
Flow 100 ip * * * * * 200 60 0
# TCP and UDP Flow Model Definitions
# label id SrcAddrMask DstAddrMask Proto SPort DPort
Model 200 ip 255.255.255.255 0.0.0.0 yes no no
-----end ragator.conf -------
> From: John Nagro <john.nagro at gmail.com>
> Reply-To: John Nagro <john.nagro at gmail.com>
> Date: Thu, 16 Dec 2004 10:50:22 -0500
> To: <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] Syn traffic tracking
>
> Howdy,
>
> Whats a decent way to show hosts and the amount of syn traffic they
> have produced? i am trying to see if a particular machine on my
> network had a lot of syn traffic during a particular time, and if so,
> was it from a few hosts? a lot of hosts? one host?
>
> Thanks!
>
> -John
>
> --
> John Nagro
> john.nagro at gmail.com
>
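The pipeline in the reply does three things: keep only TCP records where a SYN was seen but no SYN/ACK and no payload (optionally requiring a RST as well), aggregate those records per source address while ignoring every other field (the ragator.conf model masks the source with /32 and the destination with /0), and count the result. The following Python is an added example, not code from the post or from the argus project, that carries out the same three steps on constructed flow records so the logic can be checked offline. The line format and the flag letters S, A, R, D are a constructed shorthand, not argus's real state column, and the addresses are sample values.

```python
"""Mirror of the ra | ragator | racount pipeline on constructed records.

Each input line stands in for one argus flow record:
    proto src dst flags
Flag letters are a constructed shorthand (not argus's real state column):
    S = SYN seen, A = SYN/ACK seen, R = RST seen, D = payload bytes seen,
    - = no flags.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    proto: str
    src: str
    dst: str
    syn: bool
    synack: bool
    reset: bool
    data: bool


def parse_record(line: str) -> FlowRecord:
    """Parse one constructed 'proto src dst flags' line."""
    proto, src, dst, flags = line.split()
    return FlowRecord(proto.lower(), src, dst,
                      "S" in flags, "A" in flags, "R" in flags, "D" in flags)


# Constructed sample input: three SYN-only attempts from one host, one
# SYN answered by RST, one full handshake with data, one SYN plus data,
# a UDP record, and a SYN-only attempt aimed at a different host.
SAMPLE_LINES = """
tcp 192.0.2.1 10.0.0.5 S
tcp 192.0.2.1 10.0.0.5 S
tcp 192.0.2.1 10.0.0.5 S
tcp 192.0.2.2 10.0.0.5 SR
tcp 192.0.2.3 10.0.0.5 SAD
tcp 192.0.2.4 10.0.0.5 SD
udp 198.51.100.9 10.0.0.5 -
tcp 192.0.2.1 10.0.0.6 S
""".strip().splitlines()

SAMPLE_RECORDS = [parse_record(line) for line in SAMPLE_LINES]


def is_syn_only(r: FlowRecord) -> bool:
    """Filter 'tcp and syn and not (synack or data)'."""
    return r.proto == "tcp" and r.syn and not (r.synack or r.data)


def is_syn_reset(r: FlowRecord) -> bool:
    """Filter 'tcp and syn and reset and not (synack or data)'."""
    return is_syn_only(r) and r.reset


def syn_sources(records, dst_host: str, require_reset: bool = False) -> Counter:
    """Aggregate matching records per source address for one destination.

    This is the ragator step with the model from the post: source masked
    /32 (kept), destination masked /0 (collapsed), all other fields ignored.
    The 'dst host' filter is applied first, as in the ra command.
    """
    match = is_syn_reset if require_reset else is_syn_only
    counts: Counter = Counter()
    for r in records:
        if r.dst == dst_host and match(r):
            counts[r.src] += 1
    return counts


def count_syn_sources(records, dst_host: str, require_reset: bool = False) -> int:
    """The racount step: number of distinct sources after aggregation."""
    return len(syn_sources(records, dst_host, require_reset))


def summarize(records, dst_host: str) -> dict:
    """Answer the original question: how many SYNs, from how many hosts,
    and how concentrated (share of SYNs from the single busiest source)."""
    counts = syn_sources(records, dst_host)
    total = sum(counts.values())
    top_share = (max(counts.values()) / total) if total else 0.0
    return {"syn_records": total, "sources": len(counts),
            "top_source_share": top_share}


if __name__ == "__main__":
    for src, n in syn_sources(SAMPLE_RECORDS, "10.0.0.5").most_common():
        print(f"{src:<16} {n}")
    print(summarize(SAMPLE_RECORDS, "10.0.0.5"))
```

Running the block prints the per-source counts for 10.0.0.5 (192.0.2.1 with 3, 192.0.2.2 with 1) and a summary showing 4 SYN-only records from 2 sources, with 75% coming from the busiest one; with `require_reset=True` only 192.0.2.2 remains. The handshake and payload records drop out exactly as `not (synack or data)` drops them in ra.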